paladin316

Exes_41120f31b68a138be54ca024aa89556c_exe_json.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: "Skeeyah"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_41120f31b68a138be54ca024aa89556c.exe"
  7. [*] File Size: 2057672
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "342eecde391817bdddf00059f818a5e336ac26c3eda88672c95f314c5f6a58e8"
  10. [*] MD5: "41120f31b68a138be54ca024aa89556c"
  11. [*] SHA1: "a120aad4cd31ef9ec4c289b6499d9b7c8d0e542e"
  12. [*] SHA512: "f48eb3cfc06051139012f1efe9013307355ed6c9b81d9a3e81709647263782e43b77433322b4cdaec575bcfe45c007c143a0aff49a1864f706657d400b56c00b"
  13. [*] CRC32: "522A06F8"
  14. [*] SSDEEP: "49152:pke+N1DZcdhrN5ilW5QuYeTx4/TJblzAhTQ0afFs4E:GeKDZcdr5MxuYeTm/81Y8"
  15.  
  16. [*] Process Execution: [
  17. "Exes_41120f31b68a138be54ca024aa89556c.exe",
  18. "virto.CMD",
  19. "chkvrtb.exe",
  20. "npprot.exe",
  21. "sc.exe",
  22. "NPLStat.exe",
  23. "Virtob_UnHooker.exe",
  24. "Dmem.exe",
  25. "zzz.exe",
  26. "zzz.exe",
  27. "services.exe",
  28. "npprot.exe",
  29. "sdclt.exe",
  30. "GoogleUpdate.exe"
  31. ]
  32.  
  33. [*] Signatures Detected: [
  34. {
  35. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  36. "Details": [
  37. {
  38. "IP": "172.217.0.35:443"
  39. }
  40. ]
  41. },
  42. {
  43. "Description": "Creates RWX memory",
  44. "Details": []
  45. },
  46. {
  47. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  48. "Details": [
  49. {
  50. "ioc": "http://crl.globalsign.net/root-r2.crl0"
  51. }
  52. ]
  53. },
  54. {
  55. "Description": "Reads data out of its own binary image",
  56. "Details": [
  57. {
  58. "self_read": "process: Exes_41120f31b68a138be54ca024aa89556c.exe, pid: 1608, offset: 0x00000000, length: 0x000be66e"
  59. },
  60. {
  61. "self_read": "process: Exes_41120f31b68a138be54ca024aa89556c.exe, pid: 1608, offset: 0x000bb004, length: 0x0013b5a8"
  62. },
  63. {
  64. "self_read": "process: zzz.exe, pid: 2148, offset: 0x0000003c, length: 0x00000004"
  65. },
  66. {
  67. "self_read": "process: zzz.exe, pid: 2148, offset: 0x000000f8, length: 0x00000004"
  68. },
  69. {
  70. "self_read": "process: zzz.exe, pid: 2896, offset: 0x0000003c, length: 0x00000004"
  71. },
  72. {
  73. "self_read": "process: zzz.exe, pid: 2896, offset: 0x000000f8, length: 0x00000004"
  74. }
  75. ]
  76. },
  77. {
  78. "Description": "A process created a hidden window",
  79. "Details": [
  80. {
  81. "Process": "zzz.exe -> \\xc3\\x9a`\\xc3\\x85t\\xc3\\x9a\\xc3\\xb8$w?\\xc2\\xab\\x12u\\x1c\\xc3\\xbd\\x18\\gtfile77\\Checkgtf.exe"
  82. },
  83. {
  84. "Process": "zzz.exe -> \\xc3\\x9a`\\xc3\\x85t\\xc3\\x9a\\xc3\\xb8$w?\\xc2\\xab\\x12u\\x1c\\xc3\\xbd\\x18\\gtfile77\\Checkgtf.exe"
  85. }
  86. ]
  87. },
  88. {
  89. "Description": "Drops a binary and executes it",
  90. "Details": [
  91. {
  92. "binary": "C:\\Users\\user\\npprot.exe"
  93. },
  94. {
  95. "binary": "C:\\zv\\virto2\\chkvrtb.exe"
  96. },
  97. {
  98. "binary": "C:\\zv\\virto2\\Virtob_UnHooker.exe"
  99. },
  100. {
  101. "binary": "C:\\zv\\virto2\\NPLStat.exe"
  102. },
  103. {
  104. "binary": "C:\\zv\\virto2\\zzz.exe"
  105. },
  106. {
  107. "binary": "C:\\zv\\virto2\\virto.CMD"
  108. },
  109. {
  110. "binary": "C:\\zv\\virto2\\Dmem.exe"
  111. }
  112. ]
  113. },
  114. {
  115. "Description": "Performs some HTTP requests",
  116. "Details": [
  117. {
  118. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  119. },
  120. {
  121. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  122. },
  123. {
  124. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  125. },
  126. {
  127. "url": "http://www.msftncsi.com/ncsi.txt"
  128. }
  129. ]
  130. },
  131. {
  132. "Description": "Creates an autorun.inf file",
  133. "Details": []
  134. },
  135. {
  136. "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
  137. "Details": [
  138. {
  139. "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 9828678 times"
  140. }
  141. ]
  142. },
  143. {
  144. "Description": "Installs itself for autorun at Windows startup",
  145. "Details": [
  146. {
  147. "service name": "NPVProt"
  148. },
  149. {
  150. "service path": "C:\\Users\\user\\npprot.exe"
  151. },
  152. {
  153. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Asynchronous"
  154. },
  155. {
  156. "data": "1"
  157. },
  158. {
  159. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\ShutDown"
  160. },
  161. {
  162. "data": "AtShutDown"
  163. },
  164. {
  165. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon"
  166. },
  167. {
  168. "data": "unknown"
  169. },
  170. {
  171. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Startup"
  172. },
  173. {
  174. "data": "AtStartup"
  175. },
  176. {
  177. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logoff"
  178. },
  179. {
  180. "data": "AtWinLogoff"
  181. },
  182. {
  183. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Impersonate"
  184. },
  185. {
  186. "data": "0"
  187. },
  188. {
  189. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\DLLName"
  190. },
  191. {
  192. "data": "NPlogon.dll"
  193. },
  194. {
  195. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logon"
  196. },
  197. {
  198. "data": "AtWinLogon"
  199. }
  200. ]
  201. },
  202. {
  203. "Description": "Attempts to identify installed AV products by installation directory",
  204. "Details": [
  205. {
  206. "file": "C:\\ProgramData\\Symantec\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
  207. },
  208. {
  209. "file": "C:\\Program Files (x86)\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
  210. },
  211. {
  212. "file": "C:\\Program Files (x86)\\Norton AntiVirus\\Quarantine"
  213. },
  214. {
  215. "file": "C:\\ProgramData\\Symantec\\Norton AntiVirus\\Quarantine"
  216. },
  217. {
  218. "file": "C:\\ProgramData\\Symantec\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
  219. },
  220. {
  221. "file": "C:\\Program Files (x86)\\Norton Internet Security\\Norton AntiVirus\\Quarantine"
  222. }
  223. ]
  224. },
  225. {
  226. "Description": "File has been identified by 25 Antiviruses on VirusTotal as malicious",
  227. "Details": [
  228. {
  229. "CAT-QuickHeal": "TrojanSpy.Skeeyah"
  230. },
  231. {
  232. "Cylance": "Unsafe"
  233. },
  234. {
  235. "Alibaba": "TrojanSpy:Win32/Agent.e7bc34b5"
  236. },
  237. {
  238. "NANO-Antivirus": "Trojan.Win32.Agent.elgrqy"
  239. },
  240. {
  241. "Symantec": "Trojan.Gen"
  242. },
  243. {
  244. "Avast": "Win32:Malware-gen"
  245. },
  246. {
  247. "Tencent": "Win32.Trojan-spy.Agent.Oyog"
  248. },
  249. {
  250. "Sophos": "Mal/Generic-S"
  251. },
  252. {
  253. "Comodo": "Malware@#2vtdu87oixepi"
  254. },
  255. {
  256. "DrWeb": "Trojan.MulDrop6.56400"
  257. },
  258. {
  259. "Invincea": "heuristic"
  260. },
  261. {
  262. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.tc"
  263. },
  264. {
  265. "Paloalto": "generic.ml"
  266. },
  267. {
  268. "Webroot": "W32.Trojan.Gen"
  269. },
  270. {
  271. "Microsoft": "TrojanSpy:Win32/Skeeyah.A!rfn"
  272. },
  273. {
  274. "AegisLab": "Trojan.Win32.Agent.4!c"
  275. },
  276. {
  277. "McAfee": "Artemis!41120F31B68A"
  278. },
  279. {
  280. "TACHYON": "Trojan-Spy/W32.Agent.2057672"
  281. },
  282. {
  283. "VBA32": "TrojanSpy.Agent"
  284. },
  285. {
  286. "Rising": "Spyware.Agent!8.C6 (CLOUD)"
  287. },
  288. {
  289. "Ikarus": "Trojan-Spy.Win32.Agent"
  290. },
  291. {
  292. "Fortinet": "W32/Malicious_Behavior.VEX"
  293. },
  294. {
  295. "AVG": "Win32:Malware-gen"
  296. },
  297. {
  298. "Panda": "Trj/CI.A"
  299. },
  300. {
  301. "MaxSecure": "Trojan.Malware.1728101.susgen"
  302. }
  303. ]
  304. },
  305. {
  306. "Description": "Creates a copy of itself",
  307. "Details": [
  308. {
  309. "copy": "C:\\zv\\Mem\\Exes_41120f31b68a138be54ca024aa89556c.exe.Mem"
  310. },
  311. {
  312. "copy": "C:\\zv\\Mem\\EXES_41120F31B68A138BE54CA024AA89556C.EXE.MEM"
  313. }
  314. ]
  315. },
  316. {
  317. "Description": "Attempts to modify or disable Security Center warnings",
  318. "Details": []
  319. }
  320. ]
  321.  
  322. [*] Started Service: [
  323. "NPVProt"
  324. ]
  325.  
  326. [*] Executed Commands: [
  327. "\"C:\\zv\\virto2\\virto.CMD\"",
  328. "C:\\zv\\virto2\\virto.CMD ",
  329. "c:\\zv\\Virto2\\chkvrtb.exe",
  330. "C:\\Users\\user\\npprot.exe /INSTALL",
  331. "SC start NPVProt",
  332. "C:\\zv\\virto2\\InstZvFort.exe //H",
  333. "C:\\zv\\virto2\\SetNPLogon.exe ",
  334. "C:\\zv\\virto2\\NPLStat.exe ",
  335. "C:\\zv\\virto2\\Virtob_UnHooker.exe ",
  336. "c:\\zv\\Virto2\\DMEM.EXE /SCAN",
  337. "c:\\zv\\Virto2\\zzz.exe /FOLEXE C:\\ZV\\MEM",
  338. "c:\\zv\\Virto2\\zzz.exe /SCANPC",
  339. "c:\\zv\\cmd.bat",
  340. "C:\\Users\\user\\npprot.exe",
  341. "C:\\Windows\\System32\\sdclt.exe /CONFIGNOTIFICATION",
  342. "\"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\" /svc",
  343. "\\xc3\\x9a`\\xc3\\x85t\\xc3\\x9a\\xc3\\xb8$w?\\xc2\\xab\\x12u\\x1c\\xc3\\xbd\\x18\\gtfile77\\Checkgtf.exe",
  344. "c:\\zv\\Virto2\\ScrnSht.exe"
  345. ]
  346.  
  347. [*] Mutexes: [
  348. "Local\\ZoneAttributeCacheCounterMutex",
  349. "Local\\ZonesCacheCounterMutex",
  350. "Local\\ZonesLockedCacheCounterMutex",
  351. "CicLoadWinStaWinSta0",
  352. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  353. "Global\\Op1mutx9",
  354. "Global\\Ap1mutx7",
  355. "Global\\_kuku_joker_v4.00",
  356. "Global\\_kkiuynbvnbrev406",
  357. "Global\\RORR",
  358. "Global\\SLDT",
  359. "Global\\ydnm",
  360. "Global\\IRRD",
  361. "Global\\XAOP",
  362. "Global\\ZAOP",
  363. "Global\\xttk",
  364. "Global\\owoq",
  365. "Global\\zlka",
  366. "Global\\ALCMTrayMutex",
  367. "Global\\uku_joker_v3.06",
  368. "Global\\KUKU300a",
  369. "Global\\KUKU301a",
  370. "Global\\ATIPTAAB",
  371. "Global\\rLlP",
  372. "Global\\L0aR",
  373. "Global\\La0S",
  374. "Global\\osqw",
  375. "Global\\L30N",
  376. "Global\\R30S",
  377. "Global\\#!Pandora_LS!#",
  378. "Global\\L34f",
  379. "Global\\l31F",
  380. "Global\\a13f_",
  381. "Global\\eyvb",
  382. "Global\\itr0",
  383. "Global\\xqnl",
  384. "Global\\vqyd",
  385. "Global\\l2r0",
  386. "Global\\ltr0",
  387. "Global\\l0r2",
  388. "Global\\bmvu",
  389. "Global\\l0r8",
  390. "Global\\l0r3",
  391. "Global\\nzcn",
  392. "Global\\wcoc",
  393. "Global\\l0s2",
  394. "Global\\l0s3",
  395. "Global\\LEAX",
  396. "Global\\ChineseHacker-2",
  397. "Global\\ogkf",
  398. "Global\\l0r5",
  399. "Global\\REAF",
  400. "Global\\oddy",
  401. "Global\\qfdze",
  402. "Global\\coyz",
  403. "Global\\flpn",
  404. "Global\\L34N",
  405. "Global\\l0s6",
  406. "Global\\m10n",
  407. "Global\\onln",
  408. "Global\\likl",
  409. "Global\\PEINFECT",
  410. "Global\\uxJLpe1m",
  411. "Global\\kuku_joker_v3.04",
  412. "Global\\ahio",
  413. "Global\\CNNIC#v1",
  414. "Global\\PNP#DMUTEX#1#DL5",
  415. "Global\\__CORE_DL5__",
  416. "Global\\__DL5_INF__",
  417. "Global\\PNP#NETMUTEX#1#DL5",
  418. "Global\\Angry Angel v3.0",
  419. "Global\\cBot-usb01",
  420. "Global\\__DL5EX__",
  421. "Global\\__DL_CORE_MUTEX__",
  422. "Global\\ACPI#PNP0D0D#1#Amd_DL5",
  423. "Global\\dltd",
  424. "Global\\gplp",
  425. "Global\\mxqb",
  426. "Global\\amoq",
  427. "Global\\vkbs",
  428. "Global\\kkru",
  429. "Global\\l0s7",
  430. "Global\\nqef",
  431. "Global\\kefr",
  432. "Global\\trvr",
  433. "Global\\hvfat",
  434. "Global\\lucp",
  435. "Global\\rfuy",
  436. "Global\\woemnm593jfe",
  437. "Global\\kswt",
  438. "Global\\l0r0",
  439. "Global\\l0r1",
  440. "Global\\l0r4",
  441. "Global\\l0r6",
  442. "Global\\l0r7",
  443. "Global\\l0r9",
  444. "Global\\l0s0",
  445. "Global\\l0s1",
  446. "Global\\l0s4",
  447. "Global\\l0s5",
  448. "Global\\l0s8",
  449. "Global\\l0s9",
  450. "Global\\GhiYhjmskLowqQ",
  451. "Global\\svjv",
  452. "Global\\ljhn",
  453. "Global\\orlg",
  454. "Global\\epno",
  455. "Global\\doun",
  456. "Global\\fakb",
  457. "Global\\ntda",
  458. "Global\\rlem",
  459. "Global\\ssfz",
  460. "Global\\vnjx",
  461. "Global\\ehso",
  462. "Global\\iyxx",
  463. "Global\\xeur",
  464. "Global\\hgic",
  465. "Global\\mkzo",
  466. "Global\\oysq",
  467. "Global\\vfvm",
  468. "Global\\euhq",
  469. "Global\\irni",
  470. "Global\\lyuw",
  471. "Global\\vouy",
  472. "Global\\mefc",
  473. "Global\\wteny",
  474. "Global\\cgxz",
  475. "Global\\chbr",
  476. "Global\\pnqd",
  477. "Global\\dmtu",
  478. "Global\\itvh",
  479. "Global\\zlqe",
  480. "Global\\tlql",
  481. "Global\\bsyu",
  482. "Global\\ujwe",
  483. "Global\\mnra",
  484. "Global\\afbi",
  485. "Global\\cmka",
  486. "Global\\qsjw",
  487. "Global\\xill",
  488. "Global\\crwr",
  489. "Global\\emlxd",
  490. "Global\\flyj",
  491. "Global\\qqxo",
  492. "Global\\rhbd",
  493. "Global\\akyg",
  494. "Global\\sleh",
  495. "Global\\m11n",
  496. "Global\\rwqag",
  497. "Global\\hxzg",
  498. "Global\\icwme",
  499. "Global\\vpee",
  500. "Global\\iowme",
  501. "Global\\jpea",
  502. "Global\\ludb",
  503. "Global\\gaelicum",
  504. "Global\\bkfn",
  505. "Global\\duyk",
  506. "Global\\qxqs",
  507. "Global\\cufi",
  508. "Global\\vqgs",
  509. "Global\\zfvy",
  510. "Global\\nyxs",
  511. "Global\\tixj",
  512. "Global\\wexb",
  513. "Global\\vpnn",
  514. "Global\\bwsd",
  515. "Global\\ghij",
  516. "Global\\djuk",
  517. "Global\\LtkC3",
  518. "Global\\ir4cnxm3oi333",
  519. "Global\\joet",
  520. "Global\\jaet",
  521. "Global\\hbek",
  522. "Global\\vhex",
  523. "Global\\weal",
  524. "Global\\fclp",
  525. "Global\\tweb",
  526. "Global\\_kelly_",
  527. "Global\\bjkg",
  528. "Global\\pizt",
  529. "Global\\pujh",
  530. "Global\\feiz",
  531. "Global\\jfec",
  532. "Global\\rudt",
  533. "Global\\zqoc",
  534. "Global\\citf",
  535. "Global\\rvtg",
  536. "Global\\rgab",
  537. "Global\\fjhg",
  538. "Global\\lncs",
  539. "Global\\rbzm",
  540. "Global\\tepn",
  541. "Global\\ybhy",
  542. "Global\\aoof",
  543. "Global\\ibyn",
  544. "Global\\KyUffThOkYwRRtgPP",
  545. "Global\\A_D70",
  546. "Global\\dwvbhjaoxdkv",
  547. "Global\\xvwrr",
  548. "Global\\AleB0",
  549. "Global\\AnrP2",
  550. "Global\\IrpF2",
  551. "Global\\M_x10",
  552. "Global\\daytt",
  553. "Global\\JdcBc",
  554. "Global\\M_x11",
  555. "Global\\uclsq",
  556. "Global\\M_D61",
  557. "Global\\M_D62",
  558. "Global\\JdcBd",
  559. "Global\\nadxb",
  560. "Global\\ArpC0",
  561. "Global\\yoyxh",
  562. "Global\\qfwte",
  563. "Global\\xhppq",
  564. "Global\\znrzy",
  565. "Global\\rflpt",
  566. "Global\\przjl",
  567. "Global\\ugipb",
  568. "Global\\vydcp",
  569. "Global\\dtbfh",
  570. "Global\\qgfdo",
  571. "Global\\shkqj",
  572. "Global\\uqema",
  573. "Global\\egxbk",
  574. "Global\\gnkzg",
  575. "Global\\domcv",
  576. "Global\\rmzku",
  577. "Global\\sorpr",
  578. "Global\\vdsty",
  579. "Global\\yzclj",
  580. "Global\\zsoxr",
  581. "Global\\deavw",
  582. "Global\\whfbb",
  583. "Global\\wmwjh",
  584. "Global\\zugwl",
  585. "Global\\qvsvf",
  586. "Global\\udagn",
  587. "Global\\zvuhr",
  588. "Global\\julct",
  589. "Global\\wljao",
  590. "Global\\yzsvu",
  591. "Global\\mekhz",
  592. "Global\\geqgn",
  593. "Global\\bjmuo",
  594. "Global\\jkrsf",
  595. "Global\\mareh",
  596. "Global\\saykv",
  597. "Global\\gdfiv",
  598. "Global\\ntdxs",
  599. "Global\\ogedr",
  600. "Global\\JdcBa",
  601. "Global\\mddcc",
  602. "Global\\tzqsq",
  603. "Global\\m15n",
  604. "Global\\srylm",
  605. "Global\\psoik",
  606. "Global\\ywxab",
  607. "Global\\ocgpa",
  608. "Global\\wdvpm",
  609. "Global\\jztal",
  610. "Global\\aihjf",
  611. "Global\\jheix",
  612. "Global\\uhrdb",
  613. "Global\\ocvoz",
  614. "Global\\srldg",
  615. "Global\\cydfe",
  616. "Global\\yvtwq",
  617. "Global\\haeazjkmewvo",
  618. "Global\\mznsg",
  619. "Global\\zjtsy",
  620. "Global\\gkmry",
  621. "Global\\melor",
  622. "Global\\eyiby",
  623. "Global\\hylxw",
  624. "Global\\fnnrf",
  625. "Global\\wreyg",
  626. "Global\\ajeck",
  627. "Global\\fouic",
  628. "Global\\glrnn",
  629. "Global\\ltaae",
  630. "Global\\rivga",
  631. "Global\\auxbw",
  632. "Global\\bliym",
  633. "Global\\sqksh",
  634. "Global\\fcjqq",
  635. "Global\\tiiyb",
  636. "Global\\xrzpo",
  637. "Global\\xvdsr",
  638. "Global\\ckowm",
  639. "Global\\hcinv",
  640. "Global\\kdekb",
  641. "Global\\uznrk",
  642. "Global\\gtedz",
  643. "Global\\jomlz",
  644. "Global\\pevpw",
  645. "Global\\trjnq",
  646. "Global\\kiqfw",
  647. "Global\\huufe",
  648. "Global\\kxosd",
  649. "Global\\myobf",
  650. "Global\\qamfp",
  651. "Global\\dhxkv",
  652. "Global\\uzrpn",
  653. "Global\\ggbaq",
  654. "Global\\ekuet",
  655. "Global\\eljsz",
  656. "Global\\esgoh",
  657. "Global\\rsxea",
  658. "Global\\fknth",
  659. "Global\\wpxnz",
  660. "Global\\hkeqd",
  661. "Global\\rwofw",
  662. "Global\\laubt",
  663. "Global\\saikh",
  664. "Global\\vqttc",
  665. "Global\\vrxuq",
  666. "Global\\qyfnc",
  667. "Global\\hwbkx",
  668. "Global\\ppcne",
  669. "Global\\zllyi",
  670. "Global\\lilnw",
  671. "Global\\LtkC1",
  672. "Global\\LtkC2",
  673. "Global\\nkaci",
  674. "Global\\rutzh",
  675. "Global\\ssvfm",
  676. "Global\\uqnwg",
  677. "Global\\bfezo",
  678. "Global\\guacz",
  679. "Global\\ktvsz",
  680. "Global\\nivoz",
  681. "Global\\wjlcb",
  682. "Global\\wybzj",
  683. "Global\\xsjzd",
  684. "Global\\mhujb",
  685. "Global\\ainya",
  686. "Global\\cimem",
  687. "Global\\hzrgl",
  688. "Global\\yrwzk",
  689. "Global\\ozqxc",
  690. "Global\\nnobl",
  691. "Global\\iiunx",
  692. "Global\\fzjsu",
  693. "Global\\fwwtv",
  694. "Global\\ffiev",
  695. "Global\\darfo",
  696. "Global\\bbrne",
  697. "Global\\ryzgi",
  698. "Global\\isphc",
  699. "Global\\fewgb",
  700. "Global\\ekmos",
  701. "Global\\exijm",
  702. "Global\\fxlgw",
  703. "Global\\mmple",
  704. "Global\\oyysc",
  705. "Global\\wypfe",
  706. "Global\\xnhkv",
  707. "Global\\zycyq",
  708. "Global\\egcsu",
  709. "Global\\hzaqf",
  710. "Global\\m13n",
  711. "Global\\m14n",
  712. "Global\\m16n",
  713. "Global\\m12n",
  714. "Global\\m17n",
  715. "Global\\m18n",
  716. "Global\\m19n",
  717. "Global\\blnej",
  718. "Global\\fitra",
  719. "Global\\qouxs",
  720. "Global\\fvgqc",
  721. "Global\\argfn",
  722. "Global\\dhvum",
  723. "Global\\ewwwl",
  724. "Global\\flckl",
  725. "Global\\gnnna",
  726. "Global\\hclyg",
  727. "Global\\kqaxi",
  728. "Global\\mqpfy",
  729. "Global\\nebxd",
  730. "Global\\oudjo",
  731. "Global\\qsvho",
  732. "Global\\rvyea",
  733. "Global\\rwetb",
  734. "Global\\tplbj",
  735. "Global\\vrdnu",
  736. "Global\\xkkqo",
  737. "Global\\xzemv",
  738. "Global\\yzjdq",
  739. "Global\\elhgf",
  740. "Global\\mnapu",
  741. "Global\\dtzye",
  742. "Global\\epqqv",
  743. "Global\\mfzbe",
  744. "Global\\owugg",
  745. "Global\\ptzwb",
  746. "Global\\pvlhq",
  747. "Global\\rddoz",
  748. "Global\\stoka",
  749. "Global\\trlqm",
  750. "Global\\wpkjg",
  751. "Global\\xivay",
  752. "Global\\yakku",
  753. "Global\\ybhld",
  754. "Global\\yhurj",
  755. "Global\\ykpix",
  756. "Global\\zbvpf",
  757. "Global\\pupyk",
  758. "Global\\uxypj",
  759. "Global\\zyzeu",
  760. "Global\\ikcfm",
  761. "Global\\xrilk",
  762. "Global\\fajfr",
  763. "Global\\qoxrk",
  764. "Global\\seduk",
  765. "Global\\rdehh",
  766. "Global\\vnsbn",
  767. "Global\\jioym",
  768. "Global\\xxqoa",
  769. "Global\\snonj",
  770. "Global\\lsguk",
  771. "Global\\flaat",
  772. "Global\\dgfvu",
  773. "Global\\xgqur",
  774. "Global\\weoua",
  775. "Global\\ghkrc",
  776. "MUTEXFS",
  777. "Global\\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}",
  778. "Global\\G{6885AE8E-C070-458d-9711-37B9BEAB65F6}",
  779. "Global\\G{66CC0160-ABB3-4066-AE47-1CA6AD5065C8}",
  780. "Global\\G{0A175FBE-AEEC-4fea-855A-2AA549A88846}"
  781. ]
  782.  
  783. [*] Modified Files: [
  784. "C:\\zv\\virto2\\virsgx00.db",
  785. "C:\\zv\\virto2\\virto.CMD",
  786. "C:\\zv\\virto2\\NPProt.exe",
  787. "C:\\zv\\virto2\\Virtob_UnHooker.exe",
  788. "C:\\zv\\virto2\\AIIR.DLL",
  789. "C:\\zv\\virto2\\KRNLOBJ.DB",
  790. "C:\\zv\\virto2\\exe_only.reg",
  791. "C:\\zv\\virto2\\all_ext.reg",
  792. "C:\\zv\\virto2\\PCLEAN.DLL",
  793. "C:\\zv\\virto2\\chkvrtb.exe",
  794. "C:\\zv\\virto2\\CLEAN.DLL",
  795. "C:\\zv\\virto2\\zzz.exe",
  796. "C:\\zv\\virto2\\ECLEAN.DLL",
  797. "C:\\zv\\virto2\\OLLY.DLL",
  798. "C:\\zv\\virto2\\DISASM.DLL",
  799. "C:\\zv\\virto2\\Dmem.exe",
  800. "C:\\zv\\virto2\\gzip.exe",
  801. "C:\\zv\\virto2\\NPLStat.exe",
  802. "C:\\Windows\\System32\\KRNLOBJ.DB",
  803. "C:\\Users\\user\\npprot.exe",
  804. "C:\\ProgramData\\Net Protector\\chkvrtb.ini",
  805. "C:\\zv\\unhook.log",
  806. "C:\\zv\\ProcName.log",
  807. "C:\\zv\\Mem\\zzz.exe.Mem",
  808. "C:\\zv\\Mem\\PROCDISP.EXE.Mem",
  809. "C:\\zv\\Mem\\Execscan.exe.Mem",
  810. "C:\\zv\\Mem\\spoolsv.exe.Mem",
  811. "C:\\zv\\Mem\\Notepad.exe.Mem",
  812. "C:\\zv\\Mem\\Dmem.exe.Mem",
  813. "C:\\zv\\Mem\\NPLStat.exe.Mem",
  814. "C:\\zv\\Mem\\sc.exe.Mem",
  815. "C:\\zv\\Mem\\virto.CMD.Mem",
  816. "C:\\zv\\Mem\\Exes_41120f31b68a138be54ca024aa89556c.exe.Mem",
  817. "C:\\zv\\Mem\\mscorsvw.exe.Mem",
  818. "C:\\zv\\Mem\\armsvc.exe.Mem",
  819. "C:\\zv\\FASTSCAN\\DisAsm.Dll",
  820. "C:\\zv\\FASTSCAN\\olly.Dll",
  821. "C:\\zv\\FASTSCAN\\Eclean.Dll",
  822. "C:\\zv\\srel0202.ini",
  823. "C:\\zv\\Mem\\mem.log",
  824. "C:\\zv\\pcl.ini",
  825. "C:\\zv\\Mem\\ARMSVC.EXE.MEM",
  826. "C:\\zv\\Mem\\DMEM.EXE.MEM",
  827. "C:\\zv\\Mem\\EXES_41120F31B68A138BE54CA024AA89556C.EXE.MEM",
  828. "C:\\zv\\Mem\\MSCORSVW.EXE.MEM",
  829. "C:\\zv\\Mem\\NOTEPAD.EXE.MEM",
  830. "C:\\zv\\Mem\\NPLSTAT.EXE.MEM",
  831. "C:\\zv\\Mem\\SC.EXE.MEM",
  832. "C:\\zv\\Mem\\VIRTO.CMD.MEM",
  833. "C:\\zv\\Mem\\ZZZ.EXE.MEM",
  834. "C:\\Windows\\sysnative\\LogFiles\\Scm\\2ce1541b-c7b1-4ba0-8974-722d18a3c54d",
  835. "C:\\zv\\Eventsrv.log",
  836. "C:\\zv\\fs1.log",
  837. "C:\\zv\\bugcache.TXT",
  838. "C:\\zv\\virto2\\scriptx.db",
  839. "C:\\zv\\virto2\\scriptA.db",
  840. "C:\\zv\\virto2\\Report\\17-06-2019_16-54-38_ScanFolder.log",
  841. "C:\\ProgramData\\Net Protector\\NPAVSCN.DAT",
  842. "C:\\zv\\REMDRV.LOG",
  843. "C:\\ProgramData\\Net Protector\\scnInfo.ini",
  844. "C:\\zv\\virto2\\Report\\17-06-2019_16-54-50_ScanPC.log",
  845. "C:\\Windows\\assembly\\GAC_32\\MSBuild\\3.5.0.0__B03F5F7F11D50A3A\\MSBuild.exe",
  846. "C:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__B03F5F7F11D50A3A\\MSBuild.exe",
  847. "C:\\Windows\\assembly\\GAC_MSIL\\COMSVCCONFIG\\3.0.0.0__B03F5F7F11D50A3A\\COMSVCCONFIG.EXE",
  848. "C:\\Windows\\assembly\\GAC_MSIL\\dfsvc\\2.0.0.0__B03F5F7F11D50A3A\\dfsvc.exe",
  849. "C:\\Windows\\assembly\\GAC_MSIL\\Narrator\\6.1.0.0__31BF3856AD364E35\\Narrator.exe",
  850. "C:\\Windows\\assembly\\GAC_MSIL\\PRESENTATIONFONTCACHE\\3.0.0.0__31BF3856AD364E35\\PRESENTATIONFONTCACHE.EXE",
  851. "C:\\Windows\\assembly\\GAC_MSIL\\SMSVCHOST\\3.0.0.0__B03F5F7F11D50A3A\\SMSVCHOST.EXE",
  852. "C:\\Windows\\assembly\\GAC_MSIL\\WSATCONFIG\\3.0.0.0__B03F5F7F11D50A3A\\WSATCONFIG.EXE",
  853. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\COMSVCCONFIG\\5F1A06C0108B2C81CDE1DC491D74043D\\COMSVCCONFIG.NI.EXE",
  854. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\dfsvc\\2C3E7FDA8DE40E45E7F5E004094DC7C9\\DFSVC.NI.EXE",
  855. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\MSBuild\\AF28543D9B3E7D9F110448ECCE53CD72\\MSBUILD.NI.EXE",
  856. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\Narrator\\0BAE62C3FC6C327ED24989263988173D\\NARRATOR.NI.EXE",
  857. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\PRESENTATIONFONTCAC#\\B3ADE8D5C0D4BB5D4940BCAFD3453642\\PRESENTATIONFONTCACHE.NI.EXE",
  858. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\SMSVCHOST\\1BC1EE3C3AA45D28DCF4657BCEB2FCB4\\SMSVCHOST.NI.EXE",
  859. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_32\\WSATCONFIG\\96A8BDAFBA9F9D3E33CD974BFAA67E58\\WSATCONFIG.NI.EXE",
  860. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\COMSVCCONFIG\\D632B7434F821829827657E23AC98589\\COMSVCCONFIG.NI.EXE",
  861. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\dfsvc\\9BC0D921859B039D6E9F642148333949\\DFSVC.NI.EXE",
  862. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\MSBuild\\1A154709CDFE214029EA88C51AB2B579\\MSBUILD.NI.EXE",
  863. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\Narrator\\4CC02FAD33053737088D4C18267CA0A0\\NARRATOR.NI.EXE",
  864. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\PRESENTATIONFONTCAC#\\0246845F487E5F33D3564EFF578665A3\\PRESENTATIONFONTCACHE.NI.EXE",
  865. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\SMSVCHOST\\04D794428D635F6A82AC57DD3D6F3628\\SMSVCHOST.NI.EXE",
  866. "C:\\Windows\\assembly\\NATIVEIMAGES_V2.0.50727_64\\WSATCONFIG\\36CA2928B2191011831AB673861C6AC6\\WSATCONFIG.NI.EXE",
  867. "C:\\Windows\\bfsvc.exe",
  868. "C:\\Windows\\BITLOCKERDISCOVERYVOLUMECONTENTS\\BITLOCKERTOGO.EXE",
  869. "C:\\Windows\\Boot\\PCAT\\memtest.exe",
  870. "C:\\Windows\\explorer.exe",
  871. "C:\\Windows\\FVEUPDATE.EXE",
  872. "C:\\Windows\\HelpPane.exe",
  873. "C:\\Windows\\hh.exe",
  874. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACROBROKER.EXE",
  875. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\AcroRd32.exe",
  876. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACRORD32INFO.EXE",
  877. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ACROTEXTEXTRACTOR.EXE",
  878. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\adelrcp.exe",
  879. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\ADOBECOLLABSYNC.EXE",
  880. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\eula.exe",
  881. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\LOGTRANSPORT2.EXE",
  882. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\RDRSERVICESUPDATER.EXE",
  883. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\READER_SL.EXE",
  884. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\WOW_HELPER.EXE",
  885. "C:\\Windows\\INSTALLER\\$PATCHCACHE$\\Managed\\68AB67CA7DA73301B744CAF070E41400\\15.7.20033\\_4BITMAPIBROKER.EXE",
  886. "C:\\Windows\\INSTALLER\\{16CD92A4-0152-4CB7-8FD6-9788D3363616}\\PYTHON_ICON.EXE",
  887. "C:\\Windows\\INSTALLER\\{90150000-001F-0409-0000-0000000FF1CE}\\misc.exe",
  888. "C:\\Windows\\INSTALLER\\{90150000-001F-040C-0000-0000000FF1CE}\\misc.exe",
  889. "C:\\Windows\\INSTALLER\\{90150000-001F-0C0A-0000-0000000FF1CE}\\misc.exe",
  890. "C:\\Windows\\INSTALLER\\{90150000-006E-0409-0000-0000000FF1CE}\\misc.exe",
  891. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\accicons.exe",
  892. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\dbcicons.exe",
  893. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\GRV_ICONS.EXE",
  894. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\inficon.exe",
  895. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\joticon.exe",
  896. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\lyncicon.exe",
  897. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\misc.exe",
  898. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\msouc.exe",
  899. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\OSMADMINICON.EXE",
  900. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\OSMCLIENTICON.EXE",
  901. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\outicon.exe",
  902. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\pptico.exe",
  903. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\pubs.exe",
  904. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\sscicons.exe",
  905. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\wordicon.exe",
  906. "C:\\Windows\\INSTALLER\\{91150000-0011-0000-0000-0000000FF1CE}\\xlicons.exe",
  907. "C:\\Windows\\INSTALLER\\{E9E68605-DE3F-4B4C-871B-FEB06DC5D167}\\ARPPRODUCTICON.EXE",
  908. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\NETFXSBS10.EXE",
  909. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\APPLAUNCH.EXE",
  910. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_COMPILER.EXE",
  911. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_REGBROWSERS.EXE",
  912. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_REGIIS.EXE",
  913. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_REGSQL.EXE",
  914. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ASPNET_WP.EXE",
  915. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\CasPol.exe",
  916. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\csc.exe",
  917. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\cvtres.exe",
  918. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\dfsvc.exe",
  919. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\dw20.exe",
  920. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\IEExec.exe",
  921. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ilasm.exe",
  922. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\INSTALLUTIL.EXE",
  923. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\jsc.exe",
  924. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\MSBuild.exe",
  925. "C:\\zv\\huristic.log",
  926. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\mscorsvw.exe",
  927. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\ngen.exe",
  928. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\RegAsm.exe",
  929. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\RegSvcs.exe",
  930. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\V2.0.50727\\vbc.exe",
  931. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\COMSVCCONFIG.EXE",
  932. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\infocard.exe",
  933. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SERVICEMODELREG.EXE",
  934. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMCONFIGINSTALLER.EXE",
  935. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMSVCHOST.EXE",
  936. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\WSATCONFIG.EXE",
  937. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.0\\WPF\\XAMLVIEWER\\XAMLVIEWER_V0300.EXE",
  938. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\ADDINPROCESS.EXE",
  939. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\ADDINPROCESS32.EXE",
  940. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\ADDINUTIL.EXE",
  941. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\csc.exe",
  942. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\DATASVCUTIL.EXE",
  943. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\EdmGen.exe",
  944. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\MSBuild.exe",
  945. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\vbc.exe",
  946. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK\\v3.5\\WFSERVICESREG.EXE",
  947. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\APPLAUNCH.EXE",
  948. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_COMPILER.EXE",
  949. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_REGBROWSERS.EXE",
  950. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_REGIIS.EXE",
  951. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_REGSQL.EXE",
  952. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_STATE.EXE",
  953. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ASPNET_WP.EXE",
  954. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\CasPol.exe",
  955. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\csc.exe",
  956. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\cvtres.exe",
  957. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\dfsvc.exe",
  958. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\dw20.exe",
  959. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\IEExec.exe",
  960. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ilasm.exe",
  961. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\INSTALLUTIL.EXE",
  962. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\jsc.exe",
  963. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\Ldr64.exe",
  964. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\MSBuild.exe",
  965. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\mscorsvw.exe",
  966. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\ngen.exe",
  967. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\RegAsm.exe",
  968. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\RegSvcs.exe",
  969. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\V2.0.50727\\vbc.exe",
  970. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\COMSVCCONFIG.EXE",
  971. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\infocard.exe",
  972. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SERVICEMODELREG.EXE",
  973. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMCONFIGINSTALLER.EXE",
  974. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\SMSVCHOST.EXE",
  975. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WINDOWS COMMUNICATION FOUNDATION\\WSATCONFIG.EXE",
  976. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WPF\\PRESENTATIONFONTCACHE.EXE",
  977. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.0\\WPF\\XAMLVIEWER\\XAMLVIEWER_V0300.EXE",
  978. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\ADDINPROCESS.EXE",
  979. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\ADDINPROCESS32.EXE",
  980. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\ADDINUTIL.EXE",
  981. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\csc.exe",
  982. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\DATASVCUTIL.EXE",
  983. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\EdmGen.exe",
  984. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\MSBuild.exe",
  985. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\vbc.exe",
  986. "C:\\Windows\\MICROSOFT.NET\\FRAMEWORK64\\v3.5\\WFSERVICESREG.EXE",
  987. "C:\\Windows\\notepad.exe",
  988. "C:\\Windows\\py.exe",
  989. "C:\\Windows\\pyw.exe",
  990. "C:\\Windows\\regedit.exe",
  991. "C:\\Windows\\SERVICING\\GC64\\tzupd.exe",
  992. "C:\\Windows\\SERVICING\\TRUSTEDINSTALLER.EXE",
  993. "C:\\Windows\\Speech\\Common\\sapisvr.exe",
  994. "C:\\Windows\\splwow64.exe",
  995. "C:\\Windows\\System32\\ADAPTERTROUBLESHOOTER.EXE",
  996. "C:\\Windows\\System32\\ARP.EXE",
  997. "C:\\Windows\\System32\\at.exe",
  998. "C:\\Windows\\System32\\AtBroker.exe",
  999. "C:\\Windows\\System32\\attrib.exe",
  1000. "C:\\Windows\\System32\\auditpol.exe",
  1001. "C:\\Windows\\System32\\autochk.exe",
  1002. "C:\\Windows\\System32\\autoconv.exe",
  1003. "C:\\Windows\\System32\\autofmt.exe",
  1004. "C:\\Windows\\System32\\BITSADMIN.EXE",
  1005. "C:\\Windows\\System32\\bootcfg.exe",
  1006. "C:\\Windows\\System32\\BTHUDTASK.EXE",
  1007. "C:\\Windows\\System32\\Bubbles.scr",
  1008. "C:\\Windows\\System32\\cacls.exe",
  1009. "C:\\Windows\\System32\\calc.exe",
  1010. "C:\\Windows\\System32\\CERTENROLLCTRL.EXE",
  1011. "C:\\Windows\\System32\\certreq.exe",
  1012. "C:\\Windows\\System32\\certutil.exe",
  1013. "C:\\Windows\\System32\\charmap.exe",
  1014. "C:\\Windows\\System32\\chkdsk.exe",
  1015. "C:\\Windows\\System32\\chkntfs.exe",
  1016. "C:\\Windows\\System32\\choice.exe",
  1017. "C:\\Windows\\System32\\cipher.exe",
  1018. "C:\\Windows\\System32\\cleanmgr.exe",
  1019. "C:\\Windows\\System32\\cliconfg.exe",
  1020. "C:\\Windows\\System32\\clip.exe",
  1021. "C:\\Windows\\System32\\cmd.exe",
  1022. "C:\\Windows\\System32\\cmdkey.exe",
  1023. "C:\\Windows\\System32\\cmdl32.exe",
  1024. "C:\\Windows\\System32\\cmmon32.exe",
  1025. "C:\\Windows\\System32\\cmstp.exe",
  1026. "C:\\Windows\\System32\\colorcpl.exe",
  1027. "C:\\Windows\\System32\\com\\comrepl.exe",
  1028. "C:\\Windows\\System32\\com\\MigRegDB.exe",
  1029. "C:\\Windows\\System32\\comp.exe",
  1030. "C:\\Windows\\System32\\compact.exe",
  1031. "C:\\Windows\\System32\\COMPUTERDEFAULTS.EXE",
  1032. "C:\\Windows\\System32\\control.exe",
  1033. "C:\\Windows\\System32\\convert.exe",
  1034. "C:\\Windows\\System32\\credwiz.exe",
  1035. "C:\\Windows\\System32\\cscript.exe",
  1036. "C:\\Windows\\System32\\ctfmon.exe",
  1037. "C:\\Windows\\System32\\cttune.exe",
  1038. "C:\\Windows\\System32\\CTTUNESVR.EXE",
  1039. "C:\\Windows\\System32\\dccw.exe",
  1040. "C:\\Windows\\System32\\dcomcnfg.exe",
  1041. "C:\\Windows\\System32\\ddodiag.exe",
  1042. "C:\\Windows\\System32\\DEVICEPAIRINGWIZARD.EXE",
  1043. "C:\\Windows\\System32\\DEVICEPROPERTIES.EXE",
  1044. "C:\\Windows\\System32\\dfrgui.exe",
  1045. "C:\\Windows\\System32\\dialer.exe",
  1046. "C:\\Windows\\System32\\diantz.exe",
  1047. "C:\\Windows\\System32\\diskpart.exe",
  1048. "C:\\Windows\\System32\\diskperf.exe",
  1049. "C:\\Windows\\System32\\diskraid.exe",
  1050. "C:\\Windows\\System32\\Dism\\DismHost.exe",
  1051. "C:\\Windows\\System32\\Dism.exe",
  1052. "C:\\Windows\\System32\\DISPLAYSWITCH.EXE",
  1053. "C:\\Windows\\System32\\dllhost.exe",
  1054. "C:\\Windows\\System32\\dllhst3g.exe",
  1055. "C:\\Windows\\System32\\DNSCACHEUGC.EXE",
  1056. "C:\\Windows\\System32\\doskey.exe",
  1057. "C:\\Windows\\System32\\dpapimig.exe",
  1058. "C:\\Windows\\System32\\DPISCALING.EXE",
  1059. "C:\\Windows\\System32\\dplaysvr.exe",
  1060. "C:\\Windows\\System32\\dpnsvr.exe",
  1061. "C:\\Windows\\System32\\DRIVERQUERY.EXE",
  1062. "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\BRMFCMF.INF_AMD64_NEUTRAL_67B5984F8E8FF717\\BrmfRsmg.exe",
  1063. "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\BRMFCWIA.INF_AMD64_NEUTRAL_817B8835AED3D6B7\\BrmfRsmg.exe",
  1064. "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\BTH.INF_AMD64_NEUTRAL_E54666F6A3E5AF91\\fsquirt.exe",
  1065. "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\DIVACX64.INF_AMD64_NEUTRAL_FA0F82F024789743\\ditrace.exe",
  1066. "C:\\Windows\\System32\\DRIVERSTORE\\FILEREPOSITORY\\DIVACX64.INF_AMD64_NEUTRAL_FA0F82F024789743\\xlog.exe",
  1067. "\\??\\PIPE\\wkssvc",
  1068. "\\??\\pipe\\GoogleCrashServices\\S-1-5-18"
  1069. ]
  1070.  
  1071. [*] Deleted Files: [
  1072. "C:\\zv\\Virto2Info.log",
  1073. "C:\\zv\\ChkVirto.log",
  1074. "C:\\ProgramData\\Net Protector\\scncndn.ini",
  1075. "C:\\zv\\ProcName.log",
  1076. "C:\\zv\\vb_npav.ini",
  1077. "C:\\zv\\eventsrv.log",
  1078. "C:\\zv\\fastscan.log",
  1079. "C:\\zv\\memscan.log",
  1080. "C:\\zv\\fs2.log",
  1081. "C:\\zv\\huristic.log",
  1082. "C:\\ProgramData\\Net Protector\\scrche.dat",
  1083. "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}\\74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  1084. "C:\\Program Files (x86)\\Google\\Update\\Install\\{A01675F1-1F84-4945-B8A9-4E1FDEB013B2}"
  1085. ]
  1086.  
  1087. [*] Modified Registry Keys: [
  1088. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  1089. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  1090. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options",
  1091. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options\\curextsel",
  1092. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options\\userextlist",
  1093. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\options\\memscan",
  1094. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon",
  1095. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Asynchronous",
  1096. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\DLLName",
  1097. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Impersonate",
  1098. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logoff",
  1099. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Logon",
  1100. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\ShutDown",
  1101. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\NPLogon\\Startup",
  1102. "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\BITS\\Start",
  1103. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Security Center\\UacDisableNotify",
  1104. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan",
  1105. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\ScrDbDate",
  1106. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS",
  1107. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS\\VirusDBDate",
  1108. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Message Labs\\Net Protector\\Config",
  1109. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Message Labs\\Net Protector\\Config\\Avstat",
  1110. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO",
  1111. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS\\Scnper",
  1112. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\CrashInfo",
  1113. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\Step",
  1114. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\LastScan",
  1115. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\LastScan\\Date",
  1116. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\LastScan\\Count",
  1117. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\STATUS\\FlCnt",
  1118. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Message Labs\\Net Protector\\Config\\NTDRIVEREXTS",
  1119. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic",
  1120. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\65D2E23834BB46617DFBFC4CBA750E45#69632",
  1121. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\8DCC69147FD015F14E2E996FCEAEF94F#87888",
  1122. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\915978E96127EBEB87A5CD3CF356A763#65536",
  1123. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\FBE8E04888D349424DA6655F053F61F7#83792",
  1124. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\Huristic\\EB3D179DB297502BDC131B51F1FDE466#202752",
  1125. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\PersistedPings\\{6D2B9BDF-D0B3-4319-B42F-2DF594E0BCF7}",
  1126. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{6D2B9BDF-D0B3-4319-B42F-2DF594E0BCF7}\\PersistedPingString",
  1127. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\PersistedPings\\{6D2B9BDF-D0B3-4319-B42F-2DF594E0BCF7}\\PersistedPingTime",
  1128. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\pv",
  1129. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\pv",
  1130. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState",
  1131. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\CurrentState\\StateValue",
  1132. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000_CLASSES\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
  1133. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\proxy\\source",
  1134. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\RollCallDayStartSec",
  1135. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\DayOfLastRollCall",
  1136. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\ping_freshness",
  1137. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\(Default)",
  1138. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\hint",
  1139. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\cohort\\name",
  1140. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\LastCheckSuccess",
  1141. "HKEY_USERS\\S-1-5-21-0000000000-0000000000-0000000000-1000\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  1142. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ActivePingDayStartSec",
  1143. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\RollCallDayStartSec",
  1144. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastActivity",
  1145. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\DayOfLastRollCall",
  1146. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\ping_freshness",
  1147. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\(Default)",
  1148. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\hint",
  1149. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\cohort\\name",
  1150. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\LastCheckSuccess",
  1151. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\LastChecked",
  1152. "HKEY_LOCAL_MACHINE\\Software\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState",
  1153. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\CurrentState\\StateValue"
  1154. ]
  1155.  
  1156. [*] Deleted Registry Keys: [
  1157. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  1158. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  1159. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  1160. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  1161. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\CrashInfo",
  1162. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\INFO\\Step",
  1163. "HKEY_CURRENT_USER\\Software\\VB and VBA Program Settings\\SPYWAREPROTECTION\\FastScan\\MemScnStarted",
  1164. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\uid",
  1165. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\old-uid",
  1166. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\tttoken",
  1167. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableCount",
  1168. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}\\UpdateAvailableSince",
  1169. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\dr",
  1170. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\tttoken",
  1171. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableCount",
  1172. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Google\\Update\\ClientState\\{8A69D345-D564-463C-AFF1-A69D9E530F96}\\UpdateAvailableSince"
  1173. ]
  1174.  
  1175. [*] DNS Communications: []
  1176.  
  1177. [*] Domains: []
  1178.  
  1179. [*] Network Communication - ICMP: []
  1180.  
  1181. [*] Network Communication - HTTP: [
  1182. {
  1183. "count": 1,
  1184. "body": "",
  1185. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  1186. "user-agent": "Microsoft-CryptoAPI/6.1",
  1187. "method": "GET",
  1188. "host": "ocsp.digicert.com",
  1189. "version": "1.1",
  1190. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  1191. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  1192. "port": 80
  1193. },
  1194. {
  1195. "count": 1,
  1196. "body": "",
  1197. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  1198. "user-agent": "Microsoft-CryptoAPI/6.1",
  1199. "method": "GET",
  1200. "host": "ocsp.digicert.com",
  1201. "version": "1.1",
  1202. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  1203. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nCache-Control: max-age = 135176\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 05:30:18 GMT\r\nIf-None-Match: \"5cecc76a-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  1204. "port": 80
  1205. },
  1206. {
  1207. "count": 1,
  1208. "body": "",
  1209. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  1210. "user-agent": "Microsoft-CryptoAPI/6.1",
  1211. "method": "GET",
  1212. "host": "ocsp.digicert.com",
  1213. "version": "1.1",
  1214. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  1215. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  1216. "port": 80
  1217. },
  1218. {
  1219. "count": 1,
  1220. "body": "",
  1221. "uri": "http://www.msftncsi.com/ncsi.txt",
  1222. "user-agent": "Microsoft NCSI",
  1223. "method": "GET",
  1224. "host": "www.msftncsi.com",
  1225. "version": "1.1",
  1226. "path": "/ncsi.txt",
  1227. "data": "GET /ncsi.txt HTTP/1.1\r\nConnection: Close\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftncsi.com\r\n\r\n",
  1228. "port": 80
  1229. }
  1230. ]
  1231.  
  1232. [*] Network Communication - SMTP: []
  1233.  
  1234. [*] Network Communication - Hosts: []
  1235.  
  1236. [*] Network Communication - IRC: []
  1237.  
  1238. [*] Static Analysis: {
  1239. "pe": {
  1240. "peid_signatures": null,
  1241. "imports": [
  1242. {
  1243. "imports": [
  1244. {
  1245. "name": "MultiByteToWideChar",
  1246. "address": "0x48c034"
  1247. },
  1248. {
  1249. "name": "LCMapStringA",
  1250. "address": "0x48c038"
  1251. },
  1252. {
  1253. "name": "LCMapStringW",
  1254. "address": "0x48c03c"
  1255. },
  1256. {
  1257. "name": "VirtualAlloc",
  1258. "address": "0x48c040"
  1259. },
  1260. {
  1261. "name": "IsBadWritePtr",
  1262. "address": "0x48c044"
  1263. },
  1264. {
  1265. "name": "SetUnhandledExceptionFilter",
  1266. "address": "0x48c048"
  1267. },
  1268. {
  1269. "name": "IsBadCodePtr",
  1270. "address": "0x48c04c"
  1271. },
  1272. {
  1273. "name": "SetStdHandle",
  1274. "address": "0x48c050"
  1275. },
  1276. {
  1277. "name": "FlushFileBuffers",
  1278. "address": "0x48c054"
  1279. },
  1280. {
  1281. "name": "CreateProcessA",
  1282. "address": "0x48c058"
  1283. },
  1284. {
  1285. "name": "CompareStringA",
  1286. "address": "0x48c05c"
  1287. },
  1288. {
  1289. "name": "CompareStringW",
  1290. "address": "0x48c060"
  1291. },
  1292. {
  1293. "name": "SetEnvironmentVariableA",
  1294. "address": "0x48c064"
  1295. },
  1296. {
  1297. "name": "GetStringTypeA",
  1298. "address": "0x48c068"
  1299. },
  1300. {
  1301. "name": "GetStringTypeW",
  1302. "address": "0x48c06c"
  1303. },
  1304. {
  1305. "name": "GetCurrentDirectoryW",
  1306. "address": "0x48c070"
  1307. },
  1308. {
  1309. "name": "GetCurrentDirectoryA",
  1310. "address": "0x48c074"
  1311. },
  1312. {
  1313. "name": "DeleteFileA",
  1314. "address": "0x48c078"
  1315. },
  1316. {
  1317. "name": "WaitForSingleObject",
  1318. "address": "0x48c07c"
  1319. },
  1320. {
  1321. "name": "GetCPInfo",
  1322. "address": "0x48c080"
  1323. },
  1324. {
  1325. "name": "VirtualFree",
  1326. "address": "0x48c084"
  1327. },
  1328. {
  1329. "name": "HeapCreate",
  1330. "address": "0x48c088"
  1331. },
  1332. {
  1333. "name": "HeapDestroy",
  1334. "address": "0x48c08c"
  1335. },
  1336. {
  1337. "name": "GetEnvironmentVariableA",
  1338. "address": "0x48c090"
  1339. },
  1340. {
  1341. "name": "GetFileType",
  1342. "address": "0x48c094"
  1343. },
  1344. {
  1345. "name": "GetStdHandle",
  1346. "address": "0x48c098"
  1347. },
  1348. {
  1349. "name": "SetHandleCount",
  1350. "address": "0x48c09c"
  1351. },
  1352. {
  1353. "name": "GetEnvironmentStringsW",
  1354. "address": "0x48c0a0"
  1355. },
  1356. {
  1357. "name": "GetEnvironmentStrings",
  1358. "address": "0x48c0a4"
  1359. },
  1360. {
  1361. "name": "FreeEnvironmentStringsW",
  1362. "address": "0x48c0a8"
  1363. },
  1364. {
  1365. "name": "FreeEnvironmentStringsA",
  1366. "address": "0x48c0ac"
  1367. },
  1368. {
  1369. "name": "UnhandledExceptionFilter",
  1370. "address": "0x48c0b0"
  1371. },
  1372. {
  1373. "name": "HeapFree",
  1374. "address": "0x48c0b4"
  1375. },
  1376. {
  1377. "name": "HeapSize",
  1378. "address": "0x48c0b8"
  1379. },
  1380. {
  1381. "name": "HeapAlloc",
  1382. "address": "0x48c0bc"
  1383. },
  1384. {
  1385. "name": "HeapReAlloc",
  1386. "address": "0x48c0c0"
  1387. },
  1388. {
  1389. "name": "GetVersion",
  1390. "address": "0x48c0c4"
  1391. },
  1392. {
  1393. "name": "GetCommandLineA",
  1394. "address": "0x48c0c8"
  1395. },
  1396. {
  1397. "name": "GetStartupInfoA",
  1398. "address": "0x48c0cc"
  1399. },
  1400. {
  1401. "name": "GetModuleHandleA",
  1402. "address": "0x48c0d0"
  1403. },
  1404. {
  1405. "name": "GetCurrentProcess",
  1406. "address": "0x48c0d4"
  1407. },
  1408. {
  1409. "name": "TerminateProcess",
  1410. "address": "0x48c0d8"
  1411. },
  1412. {
  1413. "name": "ExitProcess",
  1414. "address": "0x48c0dc"
  1415. },
  1416. {
  1417. "name": "GetTickCount",
  1418. "address": "0x48c0e0"
  1419. },
  1420. {
  1421. "name": "GetSystemTime",
  1422. "address": "0x48c0e4"
  1423. },
  1424. {
  1425. "name": "GetOEMCP",
  1426. "address": "0x48c0e8"
  1427. },
  1428. {
  1429. "name": "Sleep",
  1430. "address": "0x48c0ec"
  1431. },
  1432. {
  1433. "name": "CloseHandle",
  1434. "address": "0x48c0f0"
  1435. },
  1436. {
  1437. "name": "SetEndOfFile",
  1438. "address": "0x48c0f4"
  1439. },
  1440. {
  1441. "name": "SetFilePointer",
  1442. "address": "0x48c0f8"
  1443. },
  1444. {
  1445. "name": "CompareFileTime",
  1446. "address": "0x48c0fc"
  1447. },
  1448. {
  1449. "name": "FileTimeToLocalFileTime",
  1450. "address": "0x48c100"
  1451. },
  1452. {
  1453. "name": "FileTimeToDosDateTime",
  1454. "address": "0x48c104"
  1455. },
  1456. {
  1457. "name": "SystemTimeToFileTime",
  1458. "address": "0x48c108"
  1459. },
  1460. {
  1461. "name": "GetLocalTime",
  1462. "address": "0x48c10c"
  1463. },
  1464. {
  1465. "name": "LocalFileTimeToFileTime",
  1466. "address": "0x48c110"
  1467. },
  1468. {
  1469. "name": "DosDateTimeToFileTime",
  1470. "address": "0x48c114"
  1471. },
  1472. {
  1473. "name": "SetFileTime",
  1474. "address": "0x48c118"
  1475. },
  1476. {
  1477. "name": "GetACP",
  1478. "address": "0x48c11c"
  1479. },
  1480. {
  1481. "name": "ReadFile",
  1482. "address": "0x48c120"
  1483. },
  1484. {
  1485. "name": "GetFileSize",
  1486. "address": "0x48c124"
  1487. },
  1488. {
  1489. "name": "GetLastError",
  1490. "address": "0x48c128"
  1491. },
  1492. {
  1493. "name": "LocalFree",
  1494. "address": "0x48c12c"
  1495. },
  1496. {
  1497. "name": "GetFullPathNameW",
  1498. "address": "0x48c130"
  1499. },
  1500. {
  1501. "name": "GetFullPathNameA",
  1502. "address": "0x48c134"
  1503. },
  1504. {
  1505. "name": "GetTempPathW",
  1506. "address": "0x48c138"
  1507. },
  1508. {
  1509. "name": "GetModuleFileNameW",
  1510. "address": "0x48c13c"
  1511. },
  1512. {
  1513. "name": "MoveFileW",
  1514. "address": "0x48c140"
  1515. },
  1516. {
  1517. "name": "CopyFileW",
  1518. "address": "0x48c144"
  1519. },
  1520. {
  1521. "name": "DeleteFileW",
  1522. "address": "0x48c148"
  1523. },
  1524. {
  1525. "name": "GetFileAttributesW",
  1526. "address": "0x48c14c"
  1527. },
  1528. {
  1529. "name": "CreateDirectoryW",
  1530. "address": "0x48c150"
  1531. },
  1532. {
  1533. "name": "SetCurrentDirectoryW",
  1534. "address": "0x48c154"
  1535. },
  1536. {
  1537. "name": "SetCurrentDirectoryA",
  1538. "address": "0x48c158"
  1539. },
  1540. {
  1541. "name": "SetFileAttributesW",
  1542. "address": "0x48c15c"
  1543. },
  1544. {
  1545. "name": "GetFileTime",
  1546. "address": "0x48c160"
  1547. },
  1548. {
  1549. "name": "RemoveDirectoryW",
  1550. "address": "0x48c164"
  1551. },
  1552. {
  1553. "name": "GetTimeZoneInformation",
  1554. "address": "0x48c168"
  1555. },
  1556. {
  1557. "name": "MoveFileA",
  1558. "address": "0x48c16c"
  1559. },
  1560. {
  1561. "name": "WriteFile",
  1562. "address": "0x48c170"
  1563. },
  1564. {
  1565. "name": "CopyFileA",
  1566. "address": "0x48c174"
  1567. },
  1568. {
  1569. "name": "GetFileAttributesA",
  1570. "address": "0x48c178"
  1571. },
  1572. {
  1573. "name": "FormatMessageA",
  1574. "address": "0x48c17c"
  1575. },
  1576. {
  1577. "name": "GetTempPathA",
  1578. "address": "0x48c180"
  1579. },
  1580. {
  1581. "name": "GetModuleFileNameA",
  1582. "address": "0x48c184"
  1583. },
  1584. {
  1585. "name": "CreateDirectoryA",
  1586. "address": "0x48c188"
  1587. },
  1588. {
  1589. "name": "SetFileAttributesA",
  1590. "address": "0x48c18c"
  1591. },
  1592. {
  1593. "name": "CreateFileA",
  1594. "address": "0x48c190"
  1595. },
  1596. {
  1597. "name": "GetComputerNameA",
  1598. "address": "0x48c194"
  1599. },
  1600. {
  1601. "name": "IsBadReadPtr",
  1602. "address": "0x48c198"
  1603. },
  1604. {
  1605. "name": "CreateFileW",
  1606. "address": "0x48c19c"
  1607. },
  1608. {
  1609. "name": "GetVersionExA",
  1610. "address": "0x48c1a0"
  1611. },
  1612. {
  1613. "name": "WideCharToMultiByte",
  1614. "address": "0x48c1a4"
  1615. },
  1616. {
  1617. "name": "GetProcAddress",
  1618. "address": "0x48c1a8"
  1619. },
  1620. {
  1621. "name": "LoadLibraryA",
  1622. "address": "0x48c1ac"
  1623. },
  1624. {
  1625. "name": "LocalAlloc",
  1626. "address": "0x48c1b0"
  1627. },
  1628. {
  1629. "name": "FreeLibrary",
  1630. "address": "0x48c1b4"
  1631. },
  1632. {
  1633. "name": "RtlUnwind",
  1634. "address": "0x48c1b8"
  1635. },
  1636. {
  1637. "name": "GetExitCodeProcess",
  1638. "address": "0x48c1bc"
  1639. }
  1640. ],
  1641. "dll": "KERNEL32.dll"
  1642. },
  1643. {
  1644. "imports": [
  1645. {
  1646. "name": "RegisterClassExW",
  1647. "address": "0x48c1d8"
  1648. },
  1649. {
  1650. "name": "LoadCursorA",
  1651. "address": "0x48c1dc"
  1652. },
  1653. {
  1654. "name": "DialogBoxParamW",
  1655. "address": "0x48c1e0"
  1656. },
  1657. {
  1658. "name": "CreateWindowExW",
  1659. "address": "0x48c1e4"
  1660. },
  1661. {
  1662. "name": "LoadStringW",
  1663. "address": "0x48c1e8"
  1664. },
  1665. {
  1666. "name": "OffsetRect",
  1667. "address": "0x48c1ec"
  1668. },
  1669. {
  1670. "name": "CopyRect",
  1671. "address": "0x48c1f0"
  1672. },
  1673. {
  1674. "name": "GetWindowRect",
  1675. "address": "0x48c1f4"
  1676. },
  1677. {
  1678. "name": "GetDesktopWindow",
  1679. "address": "0x48c1f8"
  1680. },
  1681. {
  1682. "name": "MessageBoxW",
  1683. "address": "0x48c1fc"
  1684. },
  1685. {
  1686. "name": "PostQuitMessage",
  1687. "address": "0x48c200"
  1688. },
  1689. {
  1690. "name": "EndDialog",
  1691. "address": "0x48c204"
  1692. },
  1693. {
  1694. "name": "GetMessageA",
  1695. "address": "0x48c208"
  1696. },
  1697. {
  1698. "name": "TranslateMessage",
  1699. "address": "0x48c20c"
  1700. },
  1701. {
  1702. "name": "DispatchMessageA",
  1703. "address": "0x48c210"
  1704. },
  1705. {
  1706. "name": "MessageBoxA",
  1707. "address": "0x48c214"
  1708. },
  1709. {
  1710. "name": "GetDlgItem",
  1711. "address": "0x48c218"
  1712. },
  1713. {
  1714. "name": "SendMessageA",
  1715. "address": "0x48c21c"
  1716. },
  1717. {
  1718. "name": "SetWindowPos",
  1719. "address": "0x48c220"
  1720. },
  1721. {
  1722. "name": "PostMessageA",
  1723. "address": "0x48c224"
  1724. },
  1725. {
  1726. "name": "SetTimer",
  1727. "address": "0x48c228"
  1728. },
  1729. {
  1730. "name": "GetDlgItemTextA",
  1731. "address": "0x48c22c"
  1732. },
  1733. {
  1734. "name": "LoadStringA",
  1735. "address": "0x48c230"
  1736. },
  1737. {
  1738. "name": "DefWindowProcA",
  1739. "address": "0x48c234"
  1740. },
  1741. {
  1742. "name": "DestroyWindow",
  1743. "address": "0x48c238"
  1744. },
  1745. {
  1746. "name": "BeginPaint",
  1747. "address": "0x48c23c"
  1748. },
  1749. {
  1750. "name": "EndPaint",
  1751. "address": "0x48c240"
  1752. },
  1753. {
  1754. "name": "GetDlgItemTextW",
  1755. "address": "0x48c244"
  1756. },
  1757. {
  1758. "name": "SetWindowTextW",
  1759. "address": "0x48c248"
  1760. },
  1761. {
  1762. "name": "MoveWindow",
  1763. "address": "0x48c24c"
  1764. },
  1765. {
  1766. "name": "SetDlgItemTextW",
  1767. "address": "0x48c250"
  1768. },
  1769. {
  1770. "name": "EnableWindow",
  1771. "address": "0x48c254"
  1772. },
  1773. {
  1774. "name": "SetDlgItemTextA",
  1775. "address": "0x48c258"
  1776. }
  1777. ],
  1778. "dll": "USER32.dll"
  1779. },
  1780. {
  1781. "imports": [
  1782. {
  1783. "name": "SHGetPathFromIDListW",
  1784. "address": "0x48c1c4"
  1785. },
  1786. {
  1787. "name": "SHBrowseForFolderW",
  1788. "address": "0x48c1c8"
  1789. },
  1790. {
  1791. "name": "ShellExecuteExW",
  1792. "address": "0x48c1cc"
  1793. },
  1794. {
  1795. "name": "SHGetMalloc",
  1796. "address": "0x48c1d0"
  1797. }
  1798. ],
  1799. "dll": "SHELL32.dll"
  1800. },
  1801. {
  1802. "imports": [
  1803. {
  1804. "name": "CertNameToStrA",
  1805. "address": "0x48c020"
  1806. },
  1807. {
  1808. "name": "CertFreeCertificateContext",
  1809. "address": "0x48c024"
  1810. },
  1811. {
  1812. "name": "CryptDecodeObject",
  1813. "address": "0x48c028"
  1814. },
  1815. {
  1816. "name": "CertCloseStore",
  1817. "address": "0x48c02c"
  1818. }
  1819. ],
  1820. "dll": "CRYPT32.dll"
  1821. },
  1822. {
  1823. "imports": [
  1824. {
  1825. "name": "WSAStartup",
  1826. "address": "0x48c260"
  1827. },
  1828. {
  1829. "name": "setsockopt",
  1830. "address": "0x48c264"
  1831. },
  1832. {
  1833. "name": "WSAGetLastError",
  1834. "address": "0x48c268"
  1835. },
  1836. {
  1837. "name": "socket",
  1838. "address": "0x48c26c"
  1839. },
  1840. {
  1841. "name": "inet_addr",
  1842. "address": "0x48c270"
  1843. },
  1844. {
  1845. "name": "htons",
  1846. "address": "0x48c274"
  1847. },
  1848. {
  1849. "name": "gethostbyname",
  1850. "address": "0x48c278"
  1851. },
  1852. {
  1853. "name": "connect",
  1854. "address": "0x48c27c"
  1855. },
  1856. {
  1857. "name": "ioctlsocket",
  1858. "address": "0x48c280"
  1859. },
  1860. {
  1861. "name": "select",
  1862. "address": "0x48c284"
  1863. },
  1864. {
  1865. "name": "bind",
  1866. "address": "0x48c288"
  1867. },
  1868. {
  1869. "name": "closesocket",
  1870. "address": "0x48c28c"
  1871. },
  1872. {
  1873. "name": "recv",
  1874. "address": "0x48c290"
  1875. },
  1876. {
  1877. "name": "send",
  1878. "address": "0x48c294"
  1879. },
  1880. {
  1881. "name": "shutdown",
  1882. "address": "0x48c298"
  1883. }
  1884. ],
  1885. "dll": "WS2_32.dll"
  1886. },
  1887. {
  1888. "imports": [
  1889. {
  1890. "name": "RegOpenKeyExA",
  1891. "address": "0x48c000"
  1892. },
  1893. {
  1894. "name": "CryptAcquireContextA",
  1895. "address": "0x48c004"
  1896. },
  1897. {
  1898. "name": "CryptReleaseContext",
  1899. "address": "0x48c008"
  1900. },
  1901. {
  1902. "name": "CryptGenRandom",
  1903. "address": "0x48c00c"
  1904. },
  1905. {
  1906. "name": "RegQueryValueExA",
  1907. "address": "0x48c010"
  1908. },
  1909. {
  1910. "name": "RegCloseKey",
  1911. "address": "0x48c014"
  1912. },
  1913. {
  1914. "name": "GetUserNameA",
  1915. "address": "0x48c018"
  1916. }
  1917. ],
  1918. "dll": "ADVAPI32.dll"
  1919. }
  1920. ],
  1921. "digital_signers": null,
  1922. "exported_dll_name": null,
  1923. "actual_checksum": "0x00204fd4",
  1924. "overlay": {
  1925. "size": "0x0013b5c8",
  1926. "offset": "0x000bb000"
  1927. },
  1928. "imagebase": "0x00400000",
  1929. "reported_checksum": "0x00000000",
  1930. "icon_hash": null,
  1931. "entrypoint": "0x0046ffb4",
  1932. "timestamp": "2009-10-31 12:28:29",
  1933. "osversion": "4.0",
  1934. "sections": [
  1935. {
  1936. "name": ".text",
  1937. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1938. "virtual_address": "0x00001000",
  1939. "size_of_data": "0x0008b000",
  1940. "entropy": "6.55",
  1941. "raw_address": "0x00001000",
  1942. "virtual_size": "0x0008a4f2",
  1943. "characteristics_raw": "0x60000020"
  1944. },
  1945. {
  1946. "name": ".rdata",
  1947. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1948. "virtual_address": "0x0008c000",
  1949. "size_of_data": "0x00012000",
  1950. "entropy": "4.44",
  1951. "raw_address": "0x0008c000",
  1952. "virtual_size": "0x00011796",
  1953. "characteristics_raw": "0x40000040"
  1954. },
  1955. {
  1956. "name": ".data",
  1957. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1958. "virtual_address": "0x0009e000",
  1959. "size_of_data": "0x0001c000",
  1960. "entropy": "6.08",
  1961. "raw_address": "0x0009e000",
  1962. "virtual_size": "0x00020878",
  1963. "characteristics_raw": "0xc0000040"
  1964. },
  1965. {
  1966. "name": ".rsrc",
  1967. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1968. "virtual_address": "0x000bf000",
  1969. "size_of_data": "0x00001000",
  1970. "entropy": "2.23",
  1971. "raw_address": "0x000ba000",
  1972. "virtual_size": "0x000008d0",
  1973. "characteristics_raw": "0x40000040"
  1974. }
  1975. ],
  1976. "resources": [],
  1977. "dirents": [
  1978. {
  1979. "virtual_address": "0x00000000",
  1980. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1981. "size": "0x00000000"
  1982. },
  1983. {
  1984. "virtual_address": "0x0009c9e0",
  1985. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1986. "size": "0x0000008c"
  1987. },
  1988. {
  1989. "virtual_address": "0x000bf000",
  1990. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1991. "size": "0x000008d0"
  1992. },
  1993. {
  1994. "virtual_address": "0x00000000",
  1995. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1996. "size": "0x00000000"
  1997. },
  1998. {
  1999. "virtual_address": "0x00000000",
  2000. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2001. "size": "0x00000000"
  2002. },
  2003. {
  2004. "virtual_address": "0x00000000",
  2005. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2006. "size": "0x00000000"
  2007. },
  2008. {
  2009. "virtual_address": "0x00000000",
  2010. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2011. "size": "0x00000000"
  2012. },
  2013. {
  2014. "virtual_address": "0x00000000",
  2015. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2016. "size": "0x00000000"
  2017. },
  2018. {
  2019. "virtual_address": "0x00000000",
  2020. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2021. "size": "0x00000000"
  2022. },
  2023. {
  2024. "virtual_address": "0x00000000",
  2025. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2026. "size": "0x00000000"
  2027. },
  2028. {
  2029. "virtual_address": "0x00000000",
  2030. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2031. "size": "0x00000000"
  2032. },
  2033. {
  2034. "virtual_address": "0x00000000",
  2035. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2036. "size": "0x00000000"
  2037. },
  2038. {
  2039. "virtual_address": "0x0008c000",
  2040. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2041. "size": "0x000002a0"
  2042. },
  2043. {
  2044. "virtual_address": "0x00000000",
  2045. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2046. "size": "0x00000000"
  2047. },
  2048. {
  2049. "virtual_address": "0x00000000",
  2050. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2051. "size": "0x00000000"
  2052. },
  2053. {
  2054. "virtual_address": "0x00000000",
  2055. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2056. "size": "0x00000000"
  2057. }
  2058. ],
  2059. "exports": [],
  2060. "guest_signers": {},
  2061. "imphash": "61a42ebe2c6271565f77bdad50265621",
  2062. "icon_fuzzy": null,
  2063. "icon": null,
  2064. "pdbpath": null,
  2065. "imported_dll_count": 6,
  2066. "versioninfo": []
  2067. }
  2068. }
  2069.  
  2070. [*] Resolved APIs: [
  2071. "kernel32.dll.IsProcessorFeaturePresent",
  2072. "cryptsp.dll.CryptAcquireContextA",
  2073. "cryptsp.dll.CryptGenRandom",
  2074. "cryptsp.dll.CryptReleaseContext",
  2075. "uxtheme.dll.ThemeInitApiHook",
  2076. "user32.dll.IsProcessDPIAware",
  2077. "ole32.dll.OleInitialize",
  2078. "cryptbase.dll.SystemFunction036",
  2079. "ole32.dll.CreateBindCtx",
  2080. "ole32.dll.CoTaskMemAlloc",
  2081. "propsys.dll.PSCreateMemoryPropertyStore",
  2082. "propsys.dll.PSPropertyBag_WriteDWORD",
  2083. "ole32.dll.CoGetApartmentType",
  2084. "ole32.dll.CoRegisterInitializeSpy",
  2085. "ole32.dll.CoTaskMemFree",
  2086. "comctl32.dll.#236",
  2087. "oleaut32.dll.#6",
  2088. "ole32.dll.CoGetMalloc",
  2089. "propsys.dll.PSPropertyBag_ReadDWORD",
  2090. "comctl32.dll.#320",
  2091. "ole32.dll.StringFromGUID2",
  2092. "comctl32.dll.#324",
  2093. "comctl32.dll.#323",
  2094. "advapi32.dll.RegEnumKeyW",
  2095. "oleaut32.dll.#2",
  2096. "propsys.dll.PSPropertyBag_ReadBSTR",
  2097. "propsys.dll.PSPropertyBag_ReadStrAlloc",
  2098. "shell32.dll.#102",
  2099. "advapi32.dll.OpenThreadToken",
  2100. "ole32.dll.CoInitializeEx",
  2101. "ole32.dll.CoCreateInstance",
  2102. "advapi32.dll.InitializeSecurityDescriptor",
  2103. "advapi32.dll.SetEntriesInAclW",
  2104. "ntmarta.dll.GetMartaExtensionInterface",
  2105. "advapi32.dll.SetSecurityDescriptorDacl",
  2106. "advapi32.dll.IsTextUnicode",
  2107. "comctl32.dll.#328",
  2108. "comctl32.dll.#334",
  2109. "comctl32.dll.#332",
  2110. "comctl32.dll.#338",
  2111. "ole32.dll.CoUninitialize",
  2112. "sechost.dll.ConvertSidToStringSidW",
  2113. "profapi.dll.#104",
  2114. "propsys.dll.#430",
  2115. "advapi32.dll.RegOpenKeyExW",
  2116. "advapi32.dll.RegGetValueW",
  2117. "advapi32.dll.RegCloseKey",
  2118. "ole32.dll.CoTaskMemRealloc",
  2119. "propsys.dll.InitPropVariantFromStringAsVector",
  2120. "propsys.dll.PSCoerceToCanonicalValue",
  2121. "propsys.dll.PropVariantToStringAlloc",
  2122. "ole32.dll.PropVariantClear",
  2123. "ole32.dll.CoAllowSetForegroundWindow",
  2124. "kernel32.dll.InitializeSRWLock",
  2125. "kernel32.dll.AcquireSRWLockExclusive",
  2126. "kernel32.dll.AcquireSRWLockShared",
  2127. "kernel32.dll.ReleaseSRWLockExclusive",
  2128. "kernel32.dll.ReleaseSRWLockShared",
  2129. "shell32.dll.SHGetFolderPathW",
  2130. "advapi32.dll.SaferGetPolicyInformation",
  2131. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  2132. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  2133. "comctl32.dll.#386",
  2134. "sfc.dll.SfcIsFileProtected",
  2135. "setupapi.dll.PnpIsFilePnpDriver",
  2136. "kernel32.dll.RegOpenKeyExW",
  2137. "kernel32.dll.RegCloseKey",
  2138. "devrtl.dll.DevRtlGetThreadLogToken",
  2139. "apphelp.dll.AllowPermLayer",
  2140. "kernel32.dll.BaseIsAppcompatInfrastructureDisabled",
  2141. "apphelp.dll.SdbInitDatabase",
  2142. "apphelp.dll.SdbGetMatchingExe",
  2143. "apphelp.dll.SdbReleaseDatabase",
  2144. "mpr.dll.WNetGetConnectionW",
  2145. "ole32.dll.CoCreateGuid",
  2146. "rpcrt4.dll.RpcStringBindingComposeW",
  2147. "rpcrt4.dll.RpcBindingFromStringBindingW",
  2148. "rpcrt4.dll.RpcStringFreeW",
  2149. "rpcrt4.dll.RpcBindingSetAuthInfoExW",
  2150. "rpcrt4.dll.NdrClientCall2",
  2151. "ntdll.dll.RtlDllShutdownInProgress",
  2152. "comctl32.dll.#329",
  2153. "ole32.dll.OleUninitialize",
  2154. "ole32.dll.CoRevokeInitializeSpy",
  2155. "comctl32.dll.#388",
  2156. "oleaut32.dll.#500",
  2157. "comctl32.dll.InitCommonControlsEx",
  2158. "dwmapi.dll.DwmIsCompositionEnabled",
  2159. "comctl32.dll.RegisterClassNameW",
  2160. "kernel32.dll.SortGetHandle",
  2161. "kernel32.dll.SortCloseHandle",
  2162. "uxtheme.dll.EnableThemeDialogTexture",
  2163. "uxtheme.dll.OpenThemeData",
  2164. "uxtheme.dll.GetThemeBool",
  2165. "gdi32.dll.GetLayout",
  2166. "gdi32.dll.GdiRealizationInfo",
  2167. "gdi32.dll.FontIsLinked",
  2168. "advapi32.dll.RegQueryInfoKeyW",
  2169. "gdi32.dll.GetTextFaceAliasW",
  2170. "advapi32.dll.RegEnumValueW",
  2171. "advapi32.dll.RegQueryValueExW",
  2172. "gdi32.dll.GetFontAssocStatus",
  2173. "advapi32.dll.RegQueryValueExA",
  2174. "advapi32.dll.RegEnumKeyExW",
  2175. "gdi32.dll.GdiIsMetaPrintDC",
  2176. "uxtheme.dll.BufferedPaintInit",
  2177. "uxtheme.dll.BufferedPaintRenderAnimation",
  2178. "uxtheme.dll.BeginBufferedAnimation",
  2179. "uxtheme.dll.IsThemeBackgroundPartiallyTransparent",
  2180. "uxtheme.dll.DrawThemeParentBackground",
  2181. "uxtheme.dll.GetThemePartSize",
  2182. "uxtheme.dll.DrawThemeBackground",
  2183. "uxtheme.dll.GetThemeBackgroundContentRect",
  2184. "uxtheme.dll.DrawThemeText",
  2185. "gdi32.dll.GetTextExtentExPointWPri",
  2186. "uxtheme.dll.EndBufferedAnimation",
  2187. "uxtheme.dll.GetThemeTextExtent",
  2188. "uxtheme.dll.GetThemeTransitionDuration",
  2189. "kernel32.dll.LoadLibraryA",
  2190. "kernel32.dll.LoadLibraryW",
  2191. "kernel32.dll.CreateFileW",
  2192. "kernel32.dll.GetFileAttributesW",
  2193. "kernel32.dll.FindFirstFileW",
  2194. "kernel32.dll.FindNextFileW",
  2195. "kernel32.dll.MoveFileW",
  2196. "ntdll.dll.NtQueryInformationProcess",
  2197. "ntdll.dll.NtCreateFile",
  2198. "ntdll.dll.NtCreateProcess",
  2199. "ntdll.dll.NtCreateUserProcess",
  2200. "ntdll.dll.NtCreateProcessEx",
  2201. "ntdll.dll.NtOpenFile",
  2202. "ntdll.dll.NtDeviceIoControlFile",
  2203. "ntdll.dll.NtQueryDirectoryFile",
  2204. "ntdll.dll.LdrLoadDll",
  2205. "ntdll.dll.NtResumeThread",
  2206. "netapi32.dll.NetpwPathCanonicalize",
  2207. "dnsapi.dll.DnsQuery_A",
  2208. "ws2_32.dll.closesocket",
  2209. "ws2_32.dll.send",
  2210. "ws2_32.dll.recv",
  2211. "ws2_32.dll.sendto",
  2212. "ws2_32.dll.recvfrom",
  2213. "ntdll.dll.NtQueryInformationThread",
  2214. "uxtheme.dll.IsThemePartDefined",
  2215. "uxtheme.dll.GetThemeFont",
  2216. "uxtheme.dll.GetThemeColor",
  2217. "imm32.dll.ImmIsIME",
  2218. "uxtheme.dll.CloseThemeData",
  2219. "uxtheme.dll.GetThemeMargins",
  2220. "uxtheme.dll.GetThemeTextMetrics",
  2221. "comctl32.dll.HIMAGELIST_QueryInterface",
  2222. "comctl32.dll.DrawShadowText",
  2223. "comctl32.dll.DrawSizeBox",
  2224. "comctl32.dll.DrawScrollBar",
  2225. "comctl32.dll.SizeBoxHwnd",
  2226. "comctl32.dll.ScrollBar_MouseMove",
  2227. "comctl32.dll.ScrollBar_Menu",
  2228. "comctl32.dll.HandleScrollCmd",
  2229. "comctl32.dll.DetachScrollBars",
  2230. "comctl32.dll.AttachScrollBars",
  2231. "comctl32.dll.CCSetScrollInfo",
  2232. "comctl32.dll.CCGetScrollInfo",
  2233. "comctl32.dll.CCEnableScrollBar",
  2234. "comctl32.dll.QuerySystemGestureStatus",
  2235. "uxtheme.dll.#49",
  2236. "uxtheme.dll.GetThemeInt",
  2237. "uxtheme.dll.#47",
  2238. "kernel32.dll.FlsAlloc",
  2239. "kernel32.dll.FlsGetValue",
  2240. "kernel32.dll.FlsSetValue",
  2241. "kernel32.dll.FlsFree",
  2242. "olly.dll.Disasm",
  2243. "eclean.dll.eXpaj",
  2244. "eclean.dll.eVirutCF_Aep",
  2245. "eclean.dll.eCheckVirutCH",
  2246. "eclean.dll.eVirutD_Aep",
  2247. "eclean.dll.eVirutD_CallOverWrite",
  2248. "eclean.dll.eExpiro",
  2249. "eclean.dll.eExpiroNR",
  2250. "eclean.dll.eExpiroNS",
  2251. "eclean.dll.salityVParameters",
  2252. "eclean.dll.get_VirtobCH_Size",
  2253. "disasm.dll.VirutCE_DecryptKey",
  2254. "disasm.dll.VirutCE_AEP",
  2255. "disasm.dll.VirutCE_AEP_File",
  2256. "disasm.dll.VirtutCE_EJumpOffset",
  2257. "disasm.dll.VirtobCEI_AtAep",
  2258. "disasm.dll.VirtobCE_BufferSize",
  2259. "pclean.dll.PolyCleanFileEx",
  2260. "uxtheme.dll.DrawThemeParentBackgroundEx",
  2261. "uxtheme.dll.GetThemeEnumValue",
  2262. "uxtheme.dll.BeginBufferedPaint",
  2263. "uxtheme.dll.DrawThemeTextEx",
  2264. "advapi32.dll.CheckTokenMembership",
  2265. "pclean.dll.GetPCleanVirusName",
  2266. "imm32.dll.ImmAssociateContext",
  2267. "uxtheme.dll.GetThemeBackgroundExtent",
  2268. "uxtheme.dll.EndBufferedPaint",
  2269. "uxtheme.dll.BufferedPaintStopAllAnimations",
  2270. "uxtheme.dll.BufferedPaintUnInit",
  2271. "sechost.dll.LookupAccountNameLocalW",
  2272. "advapi32.dll.LookupAccountSidW",
  2273. "sechost.dll.LookupAccountSidLocalW",
  2274. "kernel32.dll.LCMapStringEx",
  2275. "kernel32.dll.InitializeCriticalSectionEx",
  2276. "kernel32.dll.InitOnceExecuteOnce",
  2277. "kernel32.dll.CreateEventExW",
  2278. "kernel32.dll.CreateSemaphoreW",
  2279. "kernel32.dll.CreateSemaphoreExW",
  2280. "kernel32.dll.CreateThreadpoolTimer",
  2281. "kernel32.dll.SetThreadpoolTimer",
  2282. "kernel32.dll.WaitForThreadpoolTimerCallbacks",
  2283. "kernel32.dll.CloseThreadpoolTimer",
  2284. "kernel32.dll.CreateThreadpoolWait",
  2285. "kernel32.dll.SetThreadpoolWait",
  2286. "kernel32.dll.CloseThreadpoolWait",
  2287. "kernel32.dll.FlushProcessWriteBuffers",
  2288. "kernel32.dll.FreeLibraryWhenCallbackReturns",
  2289. "kernel32.dll.GetCurrentProcessorNumber",
  2290. "kernel32.dll.CreateSymbolicLinkW",
  2291. "kernel32.dll.GetTickCount64",
  2292. "kernel32.dll.GetFileInformationByHandleEx",
  2293. "kernel32.dll.SetFileInformationByHandle",
  2294. "kernel32.dll.InitializeConditionVariable",
  2295. "kernel32.dll.WakeConditionVariable",
  2296. "kernel32.dll.WakeAllConditionVariable",
  2297. "kernel32.dll.SleepConditionVariableCS",
  2298. "kernel32.dll.TryAcquireSRWLockExclusive",
  2299. "kernel32.dll.SleepConditionVariableSRW",
  2300. "kernel32.dll.CreateThreadpoolWork",
  2301. "kernel32.dll.SubmitThreadpoolWork",
  2302. "kernel32.dll.CloseThreadpoolWork",
  2303. "kernel32.dll.CompareStringEx",
  2304. "kernel32.dll.GetLocaleInfoEx",
  2305. "goopdate.dll.DllEntry",
  2306. "kernel32.dll.RtlCaptureStackBackTrace",
  2307. "wkscli.dll.NetWkstaGetInfo",
  2308. "cscapi.dll.CscNetApiGetInterface",
  2309. "kernel32.dll.CreateMutexExW",
  2310. "dbghelp.dll.MiniDumpWriteDump",
  2311. "rpcrt4.dll.UuidCreate",
  2312. "cryptsp.dll.CryptAcquireContextW",
  2313. "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
  2314. "ole32.dll.CoGetClassObject",
  2315. "ole32.dll.CoGetMarshalSizeMax",
  2316. "ole32.dll.CoMarshalInterface",
  2317. "ole32.dll.CoUnmarshalInterface",
  2318. "ole32.dll.StringFromIID",
  2319. "ole32.dll.CoGetPSClsid",
  2320. "ole32.dll.CoReleaseMarshalData",
  2321. "ole32.dll.DcomChannelSetHResult",
  2322. "psmachine.dll.DllGetClassObject",
  2323. "psmachine.dll.DllCanUnloadNow",
  2324. "advapi32.dll.RegOpenKeyW",
  2325. "ntdll.dll.RtlGetVersion",
  2326. "kernel32.dll.GetNativeSystemInfo",
  2327. "winhttp.dll.WinHttpAddRequestHeaders",
  2328. "winhttp.dll.WinHttpCheckPlatform",
  2329. "winhttp.dll.WinHttpCloseHandle",
  2330. "winhttp.dll.WinHttpConnect",
  2331. "winhttp.dll.WinHttpCrackUrl",
  2332. "winhttp.dll.WinHttpCreateUrl",
  2333. "winhttp.dll.WinHttpDetectAutoProxyConfigUrl",
  2334. "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
  2335. "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
  2336. "winhttp.dll.WinHttpGetProxyForUrl",
  2337. "winhttp.dll.WinHttpOpen",
  2338. "winhttp.dll.WinHttpOpenRequest",
  2339. "winhttp.dll.WinHttpQueryAuthSchemes",
  2340. "winhttp.dll.WinHttpQueryDataAvailable",
  2341. "winhttp.dll.WinHttpQueryHeaders",
  2342. "winhttp.dll.WinHttpQueryOption",
  2343. "winhttp.dll.WinHttpReadData",
  2344. "winhttp.dll.WinHttpReceiveResponse",
  2345. "winhttp.dll.WinHttpSendRequest",
  2346. "winhttp.dll.WinHttpSetDefaultProxyConfiguration",
  2347. "winhttp.dll.WinHttpSetCredentials",
  2348. "winhttp.dll.WinHttpSetOption",
  2349. "winhttp.dll.WinHttpSetStatusCallback",
  2350. "winhttp.dll.WinHttpSetTimeouts",
  2351. "winhttp.dll.WinHttpWriteData",
  2352. "shlwapi.dll.StrCmpNW",
  2353. "shlwapi.dll.#153",
  2354. "ws2_32.dll.GetAddrInfoW",
  2355. "ws2_32.dll.WSASocketW",
  2356. "ws2_32.dll.#2",
  2357. "ws2_32.dll.#21",
  2358. "ws2_32.dll.#9",
  2359. "ws2_32.dll.WSAIoctl",
  2360. "ws2_32.dll.FreeAddrInfoW",
  2361. "ws2_32.dll.#6",
  2362. "ws2_32.dll.#5",
  2363. "schannel.dll.SpUserModeInitialize",
  2364. "advapi32.dll.RegCreateKeyExW",
  2365. "ws2_32.dll.WSASend",
  2366. "ws2_32.dll.WSARecv",
  2367. "advapi32.dll.RevertToSelf",
  2368. "secur32.dll.FreeContextBuffer",
  2369. "ncrypt.dll.SslOpenProvider",
  2370. "ncrypt.dll.GetSChannelInterface",
  2371. "bcryptprimitives.dll.GetHashInterface",
  2372. "ncrypt.dll.SslIncrementProviderReferenceCount",
  2373. "ncrypt.dll.SslImportKey",
  2374. "bcryptprimitives.dll.GetCipherInterface",
  2375. "ncrypt.dll.SslLookupCipherSuiteInfo",
  2376. "user32.dll.LoadStringW",
  2377. "ncrypt.dll.BCryptOpenAlgorithmProvider",
  2378. "ncrypt.dll.BCryptGetProperty",
  2379. "ncrypt.dll.BCryptCreateHash",
  2380. "ncrypt.dll.BCryptHashData",
  2381. "ncrypt.dll.BCryptFinishHash",
  2382. "ncrypt.dll.BCryptDestroyHash",
  2383. "crypt32.dll.CertGetCertificateChain",
  2384. "userenv.dll.GetUserProfileDirectoryW",
  2385. "sechost.dll.ConvertStringSidToSidW",
  2386. "userenv.dll.RegisterGPNotification",
  2387. "gpapi.dll.RegisterGPNotificationInternal",
  2388. "sechost.dll.OpenSCManagerW",
  2389. "sechost.dll.OpenServiceW",
  2390. "sechost.dll.CloseServiceHandle",
  2391. "sechost.dll.QueryServiceConfigW",
  2392. "winsta.dll.WinStationRegisterNotificationEvent",
  2393. "advapi32.dll.CreateWellKnownSid",
  2394. "rpcrt4.dll.RpcAsyncInitializeHandle",
  2395. "rpcrt4.dll.NdrAsyncClientCall",
  2396. "cryptsp.dll.CryptCreateHash",
  2397. "cryptsp.dll.CryptHashData",
  2398. "cryptsp.dll.CryptVerifySignatureA",
  2399. "cryptsp.dll.CryptDestroyKey",
  2400. "cryptsp.dll.CryptDestroyHash",
  2401. "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
  2402. "ncrypt.dll.BCryptImportKeyPair",
  2403. "ncrypt.dll.BCryptVerifySignature",
  2404. "ncrypt.dll.BCryptDestroyKey",
  2405. "crypt32.dll.CertVerifyCertificateChainPolicy",
  2406. "crypt32.dll.CertFreeCertificateChain",
  2407. "crypt32.dll.CertDuplicateCertificateContext",
  2408. "ncrypt.dll.SslEncryptPacket",
  2409. "ncrypt.dll.SslDecryptPacket",
  2410. "kernel32.dll.WTSGetActiveConsoleSessionId",
  2411. "winsta.dll.WinStationQueryInformationW",
  2412. "rpcrt4.dll.I_RpcExceptionFilter",
  2413. "rpcrt4.dll.RpcBindingFree",
  2414. "kernel32.dll.IsWow64Process",
  2415. "psapi.dll.GetProcessImageFileNameW",
  2416. "crypt32.dll.CertFreeCertificateContext",
  2417. "ncrypt.dll.SslFreeObject"
  2418. ]
  2419.  
  2420. [*] Static Analysis: {
  2421. "pe": {
  2422. "peid_signatures": null,
  2423. "imports": [
  2424. {
  2425. "imports": [
  2426. {
  2427. "name": "MultiByteToWideChar",
  2428. "address": "0x48c034"
  2429. },
  2430. {
  2431. "name": "LCMapStringA",
  2432. "address": "0x48c038"
  2433. },
  2434. {
  2435. "name": "LCMapStringW",
  2436. "address": "0x48c03c"
  2437. },
  2438. {
  2439. "name": "VirtualAlloc",
  2440. "address": "0x48c040"
  2441. },
  2442. {
  2443. "name": "IsBadWritePtr",
  2444. "address": "0x48c044"
  2445. },
  2446. {
  2447. "name": "SetUnhandledExceptionFilter",
  2448. "address": "0x48c048"
  2449. },
  2450. {
  2451. "name": "IsBadCodePtr",
  2452. "address": "0x48c04c"
  2453. },
  2454. {
  2455. "name": "SetStdHandle",
  2456. "address": "0x48c050"
  2457. },
  2458. {
  2459. "name": "FlushFileBuffers",
  2460. "address": "0x48c054"
  2461. },
  2462. {
  2463. "name": "CreateProcessA",
  2464. "address": "0x48c058"
  2465. },
  2466. {
  2467. "name": "CompareStringA",
  2468. "address": "0x48c05c"
  2469. },
  2470. {
  2471. "name": "CompareStringW",
  2472. "address": "0x48c060"
  2473. },
  2474. {
  2475. "name": "SetEnvironmentVariableA",
  2476. "address": "0x48c064"
  2477. },
  2478. {
  2479. "name": "GetStringTypeA",
  2480. "address": "0x48c068"
  2481. },
  2482. {
  2483. "name": "GetStringTypeW",
  2484. "address": "0x48c06c"
  2485. },
  2486. {
  2487. "name": "GetCurrentDirectoryW",
  2488. "address": "0x48c070"
  2489. },
  2490. {
  2491. "name": "GetCurrentDirectoryA",
  2492. "address": "0x48c074"
  2493. },
  2494. {
  2495. "name": "DeleteFileA",
  2496. "address": "0x48c078"
  2497. },
  2498. {
  2499. "name": "WaitForSingleObject",
  2500. "address": "0x48c07c"
  2501. },
  2502. {
  2503. "name": "GetCPInfo",
  2504. "address": "0x48c080"
  2505. },
  2506. {
  2507. "name": "VirtualFree",
  2508. "address": "0x48c084"
  2509. },
  2510. {
  2511. "name": "HeapCreate",
  2512. "address": "0x48c088"
  2513. },
  2514. {
  2515. "name": "HeapDestroy",
  2516. "address": "0x48c08c"
  2517. },
  2518. {
  2519. "name": "GetEnvironmentVariableA",
  2520. "address": "0x48c090"
  2521. },
  2522. {
  2523. "name": "GetFileType",
  2524. "address": "0x48c094"
  2525. },
  2526. {
  2527. "name": "GetStdHandle",
  2528. "address": "0x48c098"
  2529. },
  2530. {
  2531. "name": "SetHandleCount",
  2532. "address": "0x48c09c"
  2533. },
  2534. {
  2535. "name": "GetEnvironmentStringsW",
  2536. "address": "0x48c0a0"
  2537. },
  2538. {
  2539. "name": "GetEnvironmentStrings",
  2540. "address": "0x48c0a4"
  2541. },
  2542. {
  2543. "name": "FreeEnvironmentStringsW",
  2544. "address": "0x48c0a8"
  2545. },
  2546. {
  2547. "name": "FreeEnvironmentStringsA",
  2548. "address": "0x48c0ac"
  2549. },
  2550. {
  2551. "name": "UnhandledExceptionFilter",
  2552. "address": "0x48c0b0"
  2553. },
  2554. {
  2555. "name": "HeapFree",
  2556. "address": "0x48c0b4"
  2557. },
  2558. {
  2559. "name": "HeapSize",
  2560. "address": "0x48c0b8"
  2561. },
  2562. {
  2563. "name": "HeapAlloc",
  2564. "address": "0x48c0bc"
  2565. },
  2566. {
  2567. "name": "HeapReAlloc",
  2568. "address": "0x48c0c0"
  2569. },
  2570. {
  2571. "name": "GetVersion",
  2572. "address": "0x48c0c4"
  2573. },
  2574. {
  2575. "name": "GetCommandLineA",
  2576. "address": "0x48c0c8"
  2577. },
  2578. {
  2579. "name": "GetStartupInfoA",
  2580. "address": "0x48c0cc"
  2581. },
  2582. {
  2583. "name": "GetModuleHandleA",
  2584. "address": "0x48c0d0"
  2585. },
  2586. {
  2587. "name": "GetCurrentProcess",
  2588. "address": "0x48c0d4"
  2589. },
  2590. {
  2591. "name": "TerminateProcess",
  2592. "address": "0x48c0d8"
  2593. },
  2594. {
  2595. "name": "ExitProcess",
  2596. "address": "0x48c0dc"
  2597. },
  2598. {
  2599. "name": "GetTickCount",
  2600. "address": "0x48c0e0"
  2601. },
  2602. {
  2603. "name": "GetSystemTime",
  2604. "address": "0x48c0e4"
  2605. },
  2606. {
  2607. "name": "GetOEMCP",
  2608. "address": "0x48c0e8"
  2609. },
  2610. {
  2611. "name": "Sleep",
  2612. "address": "0x48c0ec"
  2613. },
  2614. {
  2615. "name": "CloseHandle",
  2616. "address": "0x48c0f0"
  2617. },
  2618. {
  2619. "name": "SetEndOfFile",
  2620. "address": "0x48c0f4"
  2621. },
  2622. {
  2623. "name": "SetFilePointer",
  2624. "address": "0x48c0f8"
  2625. },
  2626. {
  2627. "name": "CompareFileTime",
  2628. "address": "0x48c0fc"
  2629. },
  2630. {
  2631. "name": "FileTimeToLocalFileTime",
  2632. "address": "0x48c100"
  2633. },
  2634. {
  2635. "name": "FileTimeToDosDateTime",
  2636. "address": "0x48c104"
  2637. },
  2638. {
  2639. "name": "SystemTimeToFileTime",
  2640. "address": "0x48c108"
  2641. },
  2642. {
  2643. "name": "GetLocalTime",
  2644. "address": "0x48c10c"
  2645. },
  2646. {
  2647. "name": "LocalFileTimeToFileTime",
  2648. "address": "0x48c110"
  2649. },
  2650. {
  2651. "name": "DosDateTimeToFileTime",
  2652. "address": "0x48c114"
  2653. },
  2654. {
  2655. "name": "SetFileTime",
  2656. "address": "0x48c118"
  2657. },
  2658. {
  2659. "name": "GetACP",
  2660. "address": "0x48c11c"
  2661. },
  2662. {
  2663. "name": "ReadFile",
  2664. "address": "0x48c120"
  2665. },
  2666. {
  2667. "name": "GetFileSize",
  2668. "address": "0x48c124"
  2669. },
  2670. {
  2671. "name": "GetLastError",
  2672. "address": "0x48c128"
  2673. },
  2674. {
  2675. "name": "LocalFree",
  2676. "address": "0x48c12c"
  2677. },
  2678. {
  2679. "name": "GetFullPathNameW",
  2680. "address": "0x48c130"
  2681. },
  2682. {
  2683. "name": "GetFullPathNameA",
  2684. "address": "0x48c134"
  2685. },
  2686. {
  2687. "name": "GetTempPathW",
  2688. "address": "0x48c138"
  2689. },
  2690. {
  2691. "name": "GetModuleFileNameW",
  2692. "address": "0x48c13c"
  2693. },
  2694. {
  2695. "name": "MoveFileW",
  2696. "address": "0x48c140"
  2697. },
  2698. {
  2699. "name": "CopyFileW",
  2700. "address": "0x48c144"
  2701. },
  2702. {
  2703. "name": "DeleteFileW",
  2704. "address": "0x48c148"
  2705. },
  2706. {
  2707. "name": "GetFileAttributesW",
  2708. "address": "0x48c14c"
  2709. },
  2710. {
  2711. "name": "CreateDirectoryW",
  2712. "address": "0x48c150"
  2713. },
  2714. {
  2715. "name": "SetCurrentDirectoryW",
  2716. "address": "0x48c154"
  2717. },
  2718. {
  2719. "name": "SetCurrentDirectoryA",
  2720. "address": "0x48c158"
  2721. },
  2722. {
  2723. "name": "SetFileAttributesW",
  2724. "address": "0x48c15c"
  2725. },
  2726. {
  2727. "name": "GetFileTime",
  2728. "address": "0x48c160"
  2729. },
  2730. {
  2731. "name": "RemoveDirectoryW",
  2732. "address": "0x48c164"
  2733. },
  2734. {
  2735. "name": "GetTimeZoneInformation",
  2736. "address": "0x48c168"
  2737. },
  2738. {
  2739. "name": "MoveFileA",
  2740. "address": "0x48c16c"
  2741. },
  2742. {
  2743. "name": "WriteFile",
  2744. "address": "0x48c170"
  2745. },
  2746. {
  2747. "name": "CopyFileA",
  2748. "address": "0x48c174"
  2749. },
  2750. {
  2751. "name": "GetFileAttributesA",
  2752. "address": "0x48c178"
  2753. },
  2754. {
  2755. "name": "FormatMessageA",
  2756. "address": "0x48c17c"
  2757. },
  2758. {
  2759. "name": "GetTempPathA",
  2760. "address": "0x48c180"
  2761. },
  2762. {
  2763. "name": "GetModuleFileNameA",
  2764. "address": "0x48c184"
  2765. },
  2766. {
  2767. "name": "CreateDirectoryA",
  2768. "address": "0x48c188"
  2769. },
  2770. {
  2771. "name": "SetFileAttributesA",
  2772. "address": "0x48c18c"
  2773. },
  2774. {
  2775. "name": "CreateFileA",
  2776. "address": "0x48c190"
  2777. },
  2778. {
  2779. "name": "GetComputerNameA",
  2780. "address": "0x48c194"
  2781. },
  2782. {
  2783. "name": "IsBadReadPtr",
  2784. "address": "0x48c198"
  2785. },
  2786. {
  2787. "name": "CreateFileW",
  2788. "address": "0x48c19c"
  2789. },
  2790. {
  2791. "name": "GetVersionExA",
  2792. "address": "0x48c1a0"
  2793. },
  2794. {
  2795. "name": "WideCharToMultiByte",
  2796. "address": "0x48c1a4"
  2797. },
  2798. {
  2799. "name": "GetProcAddress",
  2800. "address": "0x48c1a8"
  2801. },
  2802. {
  2803. "name": "LoadLibraryA",
  2804. "address": "0x48c1ac"
  2805. },
  2806. {
  2807. "name": "LocalAlloc",
  2808. "address": "0x48c1b0"
  2809. },
  2810. {
  2811. "name": "FreeLibrary",
  2812. "address": "0x48c1b4"
  2813. },
  2814. {
  2815. "name": "RtlUnwind",
  2816. "address": "0x48c1b8"
  2817. },
  2818. {
  2819. "name": "GetExitCodeProcess",
  2820. "address": "0x48c1bc"
  2821. }
  2822. ],
  2823. "dll": "KERNEL32.dll"
  2824. },
  2825. {
  2826. "imports": [
  2827. {
  2828. "name": "RegisterClassExW",
  2829. "address": "0x48c1d8"
  2830. },
  2831. {
  2832. "name": "LoadCursorA",
  2833. "address": "0x48c1dc"
  2834. },
  2835. {
  2836. "name": "DialogBoxParamW",
  2837. "address": "0x48c1e0"
  2838. },
  2839. {
  2840. "name": "CreateWindowExW",
  2841. "address": "0x48c1e4"
  2842. },
  2843. {
  2844. "name": "LoadStringW",
  2845. "address": "0x48c1e8"
  2846. },
  2847. {
  2848. "name": "OffsetRect",
  2849. "address": "0x48c1ec"
  2850. },
  2851. {
  2852. "name": "CopyRect",
  2853. "address": "0x48c1f0"
  2854. },
  2855. {
  2856. "name": "GetWindowRect",
  2857. "address": "0x48c1f4"
  2858. },
  2859. {
  2860. "name": "GetDesktopWindow",
  2861. "address": "0x48c1f8"
  2862. },
  2863. {
  2864. "name": "MessageBoxW",
  2865. "address": "0x48c1fc"
  2866. },
  2867. {
  2868. "name": "PostQuitMessage",
  2869. "address": "0x48c200"
  2870. },
  2871. {
  2872. "name": "EndDialog",
  2873. "address": "0x48c204"
  2874. },
  2875. {
  2876. "name": "GetMessageA",
  2877. "address": "0x48c208"
  2878. },
  2879. {
  2880. "name": "TranslateMessage",
  2881. "address": "0x48c20c"
  2882. },
  2883. {
  2884. "name": "DispatchMessageA",
  2885. "address": "0x48c210"
  2886. },
  2887. {
  2888. "name": "MessageBoxA",
  2889. "address": "0x48c214"
  2890. },
  2891. {
  2892. "name": "GetDlgItem",
  2893. "address": "0x48c218"
  2894. },
  2895. {
  2896. "name": "SendMessageA",
  2897. "address": "0x48c21c"
  2898. },
  2899. {
  2900. "name": "SetWindowPos",
  2901. "address": "0x48c220"
  2902. },
  2903. {
  2904. "name": "PostMessageA",
  2905. "address": "0x48c224"
  2906. },
  2907. {
  2908. "name": "SetTimer",
  2909. "address": "0x48c228"
  2910. },
  2911. {
  2912. "name": "GetDlgItemTextA",
  2913. "address": "0x48c22c"
  2914. },
  2915. {
  2916. "name": "LoadStringA",
  2917. "address": "0x48c230"
  2918. },
  2919. {
  2920. "name": "DefWindowProcA",
  2921. "address": "0x48c234"
  2922. },
  2923. {
  2924. "name": "DestroyWindow",
  2925. "address": "0x48c238"
  2926. },
  2927. {
  2928. "name": "BeginPaint",
  2929. "address": "0x48c23c"
  2930. },
  2931. {
  2932. "name": "EndPaint",
  2933. "address": "0x48c240"
  2934. },
  2935. {
  2936. "name": "GetDlgItemTextW",
  2937. "address": "0x48c244"
  2938. },
  2939. {
  2940. "name": "SetWindowTextW",
  2941. "address": "0x48c248"
  2942. },
  2943. {
  2944. "name": "MoveWindow",
  2945. "address": "0x48c24c"
  2946. },
  2947. {
  2948. "name": "SetDlgItemTextW",
  2949. "address": "0x48c250"
  2950. },
  2951. {
  2952. "name": "EnableWindow",
  2953. "address": "0x48c254"
  2954. },
  2955. {
  2956. "name": "SetDlgItemTextA",
  2957. "address": "0x48c258"
  2958. }
  2959. ],
  2960. "dll": "USER32.dll"
  2961. },
  2962. {
  2963. "imports": [
  2964. {
  2965. "name": "SHGetPathFromIDListW",
  2966. "address": "0x48c1c4"
  2967. },
  2968. {
  2969. "name": "SHBrowseForFolderW",
  2970. "address": "0x48c1c8"
  2971. },
  2972. {
  2973. "name": "ShellExecuteExW",
  2974. "address": "0x48c1cc"
  2975. },
  2976. {
  2977. "name": "SHGetMalloc",
  2978. "address": "0x48c1d0"
  2979. }
  2980. ],
  2981. "dll": "SHELL32.dll"
  2982. },
  2983. {
  2984. "imports": [
  2985. {
  2986. "name": "CertNameToStrA",
  2987. "address": "0x48c020"
  2988. },
  2989. {
  2990. "name": "CertFreeCertificateContext",
  2991. "address": "0x48c024"
  2992. },
  2993. {
  2994. "name": "CryptDecodeObject",
  2995. "address": "0x48c028"
  2996. },
  2997. {
  2998. "name": "CertCloseStore",
  2999. "address": "0x48c02c"
  3000. }
  3001. ],
  3002. "dll": "CRYPT32.dll"
  3003. },
  3004. {
  3005. "imports": [
  3006. {
  3007. "name": "WSAStartup",
  3008. "address": "0x48c260"
  3009. },
  3010. {
  3011. "name": "setsockopt",
  3012. "address": "0x48c264"
  3013. },
  3014. {
  3015. "name": "WSAGetLastError",
  3016. "address": "0x48c268"
  3017. },
  3018. {
  3019. "name": "socket",
  3020. "address": "0x48c26c"
  3021. },
  3022. {
  3023. "name": "inet_addr",
  3024. "address": "0x48c270"
  3025. },
  3026. {
  3027. "name": "htons",
  3028. "address": "0x48c274"
  3029. },
  3030. {
  3031. "name": "gethostbyname",
  3032. "address": "0x48c278"
  3033. },
  3034. {
  3035. "name": "connect",
  3036. "address": "0x48c27c"
  3037. },
  3038. {
  3039. "name": "ioctlsocket",
  3040. "address": "0x48c280"
  3041. },
  3042. {
  3043. "name": "select",
  3044. "address": "0x48c284"
  3045. },
  3046. {
  3047. "name": "bind",
  3048. "address": "0x48c288"
  3049. },
  3050. {
  3051. "name": "closesocket",
  3052. "address": "0x48c28c"
  3053. },
  3054. {
  3055. "name": "recv",
  3056. "address": "0x48c290"
  3057. },
  3058. {
  3059. "name": "send",
  3060. "address": "0x48c294"
  3061. },
  3062. {
  3063. "name": "shutdown",
  3064. "address": "0x48c298"
  3065. }
  3066. ],
  3067. "dll": "WS2_32.dll"
  3068. },
  3069. {
  3070. "imports": [
  3071. {
  3072. "name": "RegOpenKeyExA",
  3073. "address": "0x48c000"
  3074. },
  3075. {
  3076. "name": "CryptAcquireContextA",
  3077. "address": "0x48c004"
  3078. },
  3079. {
  3080. "name": "CryptReleaseContext",
  3081. "address": "0x48c008"
  3082. },
  3083. {
  3084. "name": "CryptGenRandom",
  3085. "address": "0x48c00c"
  3086. },
  3087. {
  3088. "name": "RegQueryValueExA",
  3089. "address": "0x48c010"
  3090. },
  3091. {
  3092. "name": "RegCloseKey",
  3093. "address": "0x48c014"
  3094. },
  3095. {
  3096. "name": "GetUserNameA",
  3097. "address": "0x48c018"
  3098. }
  3099. ],
  3100. "dll": "ADVAPI32.dll"
  3101. }
  3102. ],
  3103. "digital_signers": null,
  3104. "exported_dll_name": null,
  3105. "actual_checksum": "0x00204fd4",
  3106. "overlay": {
  3107. "size": "0x0013b5c8",
  3108. "offset": "0x000bb000"
  3109. },
  3110. "imagebase": "0x00400000",
  3111. "reported_checksum": "0x00000000",
  3112. "icon_hash": null,
  3113. "entrypoint": "0x0046ffb4",
  3114. "timestamp": "2009-10-31 12:28:29",
  3115. "osversion": "4.0",
  3116. "sections": [
  3117. {
  3118. "name": ".text",
  3119. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  3120. "virtual_address": "0x00001000",
  3121. "size_of_data": "0x0008b000",
  3122. "entropy": "6.55",
  3123. "raw_address": "0x00001000",
  3124. "virtual_size": "0x0008a4f2",
  3125. "characteristics_raw": "0x60000020"
  3126. },
  3127. {
  3128. "name": ".rdata",
  3129. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  3130. "virtual_address": "0x0008c000",
  3131. "size_of_data": "0x00012000",
  3132. "entropy": "4.44",
  3133. "raw_address": "0x0008c000",
  3134. "virtual_size": "0x00011796",
  3135. "characteristics_raw": "0x40000040"
  3136. },
  3137. {
  3138. "name": ".data",
  3139. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  3140. "virtual_address": "0x0009e000",
  3141. "size_of_data": "0x0001c000",
  3142. "entropy": "6.08",
  3143. "raw_address": "0x0009e000",
  3144. "virtual_size": "0x00020878",
  3145. "characteristics_raw": "0xc0000040"
  3146. },
  3147. {
  3148. "name": ".rsrc",
  3149. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  3150. "virtual_address": "0x000bf000",
  3151. "size_of_data": "0x00001000",
  3152. "entropy": "2.23",
  3153. "raw_address": "0x000ba000",
  3154. "virtual_size": "0x000008d0",
  3155. "characteristics_raw": "0x40000040"
  3156. }
  3157. ],
  3158. "resources": [],
  3159. "dirents": [
  3160. {
  3161. "virtual_address": "0x00000000",
  3162. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  3163. "size": "0x00000000"
  3164. },
  3165. {
  3166. "virtual_address": "0x0009c9e0",
  3167. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  3168. "size": "0x0000008c"
  3169. },
  3170. {
  3171. "virtual_address": "0x000bf000",
  3172. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  3173. "size": "0x000008d0"
  3174. },
  3175. {
  3176. "virtual_address": "0x00000000",
  3177. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  3178. "size": "0x00000000"
  3179. },
  3180. {
  3181. "virtual_address": "0x00000000",
  3182. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  3183. "size": "0x00000000"
  3184. },
  3185. {
  3186. "virtual_address": "0x00000000",
  3187. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  3188. "size": "0x00000000"
  3189. },
  3190. {
  3191. "virtual_address": "0x00000000",
  3192. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  3193. "size": "0x00000000"
  3194. },
  3195. {
  3196. "virtual_address": "0x00000000",
  3197. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  3198. "size": "0x00000000"
  3199. },
  3200. {
  3201. "virtual_address": "0x00000000",
  3202. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  3203. "size": "0x00000000"
  3204. },
  3205. {
  3206. "virtual_address": "0x00000000",
  3207. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  3208. "size": "0x00000000"
  3209. },
  3210. {
  3211. "virtual_address": "0x00000000",
  3212. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  3213. "size": "0x00000000"
  3214. },
  3215. {
  3216. "virtual_address": "0x00000000",
  3217. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  3218. "size": "0x00000000"
  3219. },
  3220. {
  3221. "virtual_address": "0x0008c000",
  3222. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  3223. "size": "0x000002a0"
  3224. },
  3225. {
  3226. "virtual_address": "0x00000000",
  3227. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  3228. "size": "0x00000000"
  3229. },
  3230. {
  3231. "virtual_address": "0x00000000",
  3232. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  3233. "size": "0x00000000"
  3234. },
  3235. {
  3236. "virtual_address": "0x00000000",
  3237. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  3238. "size": "0x00000000"
  3239. }
  3240. ],
  3241. "exports": [],
  3242. "guest_signers": {},
  3243. "imphash": "61a42ebe2c6271565f77bdad50265621",
  3244. "icon_fuzzy": null,
  3245. "icon": null,
  3246. "pdbpath": null,
  3247. "imported_dll_count": 6,
  3248. "versioninfo": []
  3249. }
  3250. }