2[*] MalFamily: "Malicious"
4[*] MalScore: 10.0
6[*] File Name: "Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe"
7[*] File Size: 1024000
8[*] File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
9[*] SHA256: "7c960445b3740bcfc291a5a802f10df665173dd492d09368071c5e1b0ed03795"
10[*] MD5: "8b6d34e15b5e3ca155a361c5e425d2a3"
11[*] SHA1: "008de87ec8c36a397a0adf9fcc49bc50953719a6"
12[*] SHA512: "f58e58ec508030760b0db85ccc4b7ea36860b7faf697b4148b2c0680e933b8c23aed7be27538b853db424a31139693d0c70f020f9ec7dd33e03d5715219bfded"
13[*] CRC32: "B85486A3"
14[*] SSDEEP: "12288:exVPGc+QB4qR8DDUONY5eN+ckK8i5ItHONSnmGfuAiaZ5JfUiSPef5hXJVzZGm:e7PmnDrYRcKhkNCbZ5JXSPSXJRY"
16[*] Process Execution: [
17 "Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe",
18 "Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe",
19 "schtasks.exe",
20 "schtasks.exe",
21 "reg.exe",
22 "svchost.exe",
23 "WMIADAP.exe",
24 "taskeng.exe",
25 "taskeng.exe",
26 "client.exe",
27 "taskeng.exe",
28 "client.exe",
29 "net.exe",
30 "net1.exe",
31 "svchost.exe",
32 "WmiPrvSE.exe",
33 "net.exe",
34 "svchost.exe"
35]
37[*] Signatures Detected: [
38 {
39 "Description": "Attempts to connect to a dead IP:Port (2 unique times)",
40 "Details": [
41 {
42 "IP": "23.4.43.27:80"
43 },
44 {
45 "IP": "72.21.91.29:80"
46 }
47 ]
48 },
49 {
50 "Description": "Creates RWX memory",
51 "Details": []
52 },
53 {
54 "Description": "Possible date expiration check, exits too soon after checking local time",
55 "Details": [
56 {
57 "process": "schtasks.exe, PID 2532"
58 }
59 ]
60 },
61 {
62 "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
63 "Details": [
64 {
65 "ioc": "abms.epsilon"
66 },
67 {
68 "ioc": "gmail.com"
69 },
70 {
71 "ioc": "www.digicert.com1"
72 },
73 {
74 "ioc": "http://www.symauth.com/cps0"
75 },
76 {
77 "ioc": "http://www.symauth.com/rpa0"
78 }
79 ]
80 },
81 {
82 "Description": "A process created a hidden window",
83 "Details": [
84 {
85 "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
86 }
87 ]
88 },
89 {
90 "Description": "Drops a binary and executes it",
91 "Details": [
92 {
93 "binary": "C:\\Program Files (x86)\\Client\\client.exe"
94 }
95 ]
96 },
97 {
98 "Description": "Performs some HTTP requests",
99 "Details": [
100 {
101 "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
102 },
103 {
104 "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
105 },
106 {
107 "url": "http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl"
108 },
109 {
110 "url": "http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl"
111 },
112 {
113 "url": "http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D"
114 },
115 {
116 "url": "http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEFl%2BTkXLwRW7pkAmAuicv0U%3D"
117 },
118 {
119 "url": "http://sv.symcb.com/sv.crl"
120 }
121 ]
122 },
123 {
124 "Description": "The binary likely contains encrypted or compressed data.",
125 "Details": [
126 {
127 "section": "name: .text, entropy: 7.75, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000f7000, virtual_size: 0x000f6a94"
128 }
129 ]
130 },
131 {
132 "Description": "Detects Avast Antivirus through the presence of a library",
133 "Details": []
134 },
135 {
136 "Description": "Executed a process and injected code into it, probably while unpacking",
137 "Details": [
138 {
139 "Injection": "Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe(1880) -> Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe(1712)"
140 }
141 ]
142 },
143 {
144 "Description": "Attempts to remove evidence of file being downloaded from the Internet",
145 "Details": [
146 {
147 "file": "C:\\Program Files (x86)\\Client\\client.exe:Zone.Identifier"
148 }
149 ]
150 },
151 {
152 "Description": "Sniffs keystrokes",
153 "Details": [
154 {
155 "SetWindowsHookExW": "Process: Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe(1712)"
156 }
157 ]
158 },
159 {
160 "Description": "Code injection with CreateRemoteThread in a remote process",
161 "Details": [
162 {
163 "Injection": "Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe(1712) -> None(2540)"
164 }
165 ]
166 },
167 {
168 "Description": "Tries to suspend Cuckoo threads to prevent logging of malicious activity",
169 "Details": [
170 {
171 "Process": "net.exe (2800)"
172 }
173 ]
174 },
175 {
176 "Description": "A process attempted to delay the analysis task by a long amount of time.",
177 "Details": [
178 {
179 "Process": "Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe tried to sleep 24284 seconds, actually delayed analysis time by 0 seconds"
180 },
181 {
182 "Process": "svchost.exe tried to sleep 324 seconds, actually delayed analysis time by 0 seconds"
183 },
184 {
185 "Process": "taskeng.exe tried to sleep 360 seconds, actually delayed analysis time by 0 seconds"
186 }
187 ]
188 },
189 {
190 "Description": "Tries to unhook or modify Windows functions monitored by Cuckoo",
191 "Details": [
192 {
193 "unhook": "function_name: NtQuerySystemInformation, type: modification"
194 }
195 ]
196 },
197 {
198 "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
199 "Details": [
200 {
201 "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
202 }
203 ]
204 },
205 {
206 "Description": "Installs itself for autorun at Windows startup",
207 "Details": [
208 {
209 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Client Monitor"
210 },
211 {
212 "data": "cmd /c \"start \"Client Monitor\" \"C:\\Program Files (x86)\\Client\\client.exe\""
213 },
214 {
215 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell"
216 },
217 {
218 "data": "explorer.exe,\"C:\\Windows\\system32\\clientmonitor.exe\""
219 },
220 {
221 "task": "schtasks /create /tn \"Client Monitor\" /tr \"'C:\\Program Files (x86)\\Client\\client.exe' /startup\" /sc MINUTE /f /rl highest"
222 }
223 ]
224 },
225 {
226 "Description": "Creates a hidden or system file",
227 "Details": [
228 {
229 "file": "C:\\Program Files (x86)\\Client\\"
230 },
231 {
232 "file": "C:\\Users\\user\\AppData\\Roaming\\Monitor\\"
233 },
234 {
235 "file": "C:\\Program Files (x86)\\Client\\client.exe"
236 },
237 {
238 "file": "C:\\Windows\\System32\\clientmonitor.exe"
239 }
240 ]
241 },
242 {
243 "Description": "File has been identified by 54 Antiviruses on VirusTotal as malicious",
244 "Details": [
245 {
246 "K7AntiVirus": "Trojan ( 005068ac1 )"
247 },
248 {
249 "MicroWorld-eScan": "Trojan.Generic.20659386"
250 },
251 {
252 "FireEye": "Generic.mg.8b6d34e15b5e3ca1"
253 },
254 {
255 "McAfee": "Packed-KD!8B6D34E15B5E"
256 },
257 {
258 "Cylance": "Unsafe"
259 },
260 {
261 "Alibaba": "Trojan:MSIL/Agent.dab2eb4f"
262 },
263 {
264 "K7GW": "Trojan ( 005068ac1 )"
265 },
266 {
267 "Arcabit": "Trojan.Generic.D13B3CBA"
268 },
269 {
270 "TrendMicro": "TROJ_GEN.R03FC0PDO19"
271 },
272 {
273 "F-Prot": "W32/Msil.EEK"
274 },
275 {
276 "Symantec": "Trojan.Gen.2"
277 },
278 {
279 "APEX": "Malicious"
280 },
281 {
282 "Paloalto": "generic.ml"
283 },
284 {
285 "Kaspersky": "Trojan.MSIL.Agent.fpau"
286 },
287 {
288 "BitDefender": "Trojan.Generic.20659386"
289 },
290 {
291 "NANO-Antivirus": "Trojan.Win32.Mlw.elxxim"
292 },
293 {
294 "ViRobot": "Trojan.Win32.Z.Agent.1024000.DS"
295 },
296 {
297 "Avast": "Win32:Malware-gen"
298 },
299 {
300 "Ad-Aware": "Trojan.Generic.20659386"
301 },
302 {
303 "Emsisoft": "Trojan.Generic.20659386 (B)"
304 },
305 {
306 "Comodo": "Malware@#2a6j39g6btql7"
307 },
308 {
309 "F-Secure": "Heuristic.HEUR/AGEN.1001106"
310 },
311 {
312 "DrWeb": "Trojan.PWS.Stealer.13025"
313 },
314 {
315 "Zillya": "Trojan.Agent.Win32.758982"
316 },
317 {
318 "Invincea": "heuristic"
319 },
320 {
321 "McAfee-GW-Edition": "BehavesLike.Win32.Generic.fc"
322 },
323 {
324 "Sophos": "Mal/Generic-S"
325 },
326 {
327 "Ikarus": "Trojan.MSIL.Injector"
328 },
329 {
330 "Cyren": "W32/Trojan.RHTD-8572"
331 },
332 {
333 "Webroot": "W32.Malware.Gen"
334 },
335 {
336 "Avira": "HEUR/AGEN.1001106"
337 },
338 {
339 "Antiy-AVL": "Trojan/Win32.AGeneric"
340 },
341 {
342 "Endgame": "malicious (high confidence)"
343 },
344 {
345 "Microsoft": "Trojan:Win32/Dynamer!ac"
346 },
347 {
348 "AegisLab": "Trojan.Win32.Generic.4!c"
349 },
350 {
351 "ZoneAlarm": "Trojan.MSIL.Agent.fpau"
352 },
353 {
354 "GData": "Trojan.Generic.20659386"
355 },
356 {
357 "AhnLab-V3": "Win-Trojan/MSILKrypt02.Exp"
358 },
359 {
360 "Acronis": "suspicious"
361 },
362 {
363 "VBA32": "Trojan.MSIL.Agent"
364 },
365 {
366 "ALYac": "Trojan.Generic.20659386"
367 },
368 {
369 "MAX": "malware (ai score=99)"
370 },
371 {
372 "ESET-NOD32": "a variant of MSIL/Injector.RME"
373 },
374 {
375 "TrendMicro-HouseCall": "TROJ_GEN.R03FC0PDO19"
376 },
377 {
378 "Tencent": "Msil.Trojan.Agent.Ecav"
379 },
380 {
381 "Yandex": "Trojan.Injector!2g86pc3lqvA"
382 },
383 {
384 "SentinelOne": "DFI - Malicious PE"
385 },
386 {
387 "eGambit": "Generic.Malware"
388 },
389 {
390 "Fortinet": "MSIL/GenKryptik.VIH!tr"
391 },
392 {
393 "AVG": "Win32:Malware-gen"
394 },
395 {
396 "Cybereason": "malicious.15b5e3"
397 },
398 {
399 "Panda": "Trj/GdSda.A"
400 },
401 {
402 "CrowdStrike": "win/malicious_confidence_100% (W)"
403 },
404 {
405 "Qihoo-360": "Win32/Trojan.6af"
406 }
407 ]
408 },
409 {
410 "Description": "Creates a copy of itself",
411 "Details": [
412 {
413 "copy": "C:\\Program Files (x86)\\Client\\client.exe"
414 },
415 {
416 "copy": "C:\\Windows\\System32\\clientmonitor.exe"
417 }
418 ]
419 }
420]
422[*] Started Service: []
424[*] Executed Commands: [
425 "\"C:\\Users\\user\\AppData\\Local\\Temp\\Exes_8b6d34e15b5e3ca155a361c5e425d2a3.exe\"",
426 "schtasks /create /tn \"Client Monitor\" /tr \"'C:\\Program Files (x86)\\Client\\client.exe' /startup\" /sc MINUTE /f /rl highest",
427 "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\" /v \"Client Monitor\" /d \"cmd /c \"\"\"start \"\"\"Client Monitor\"\"\" \"\"\"C:\\Program Files (x86)\\Client\\client.exe\"\"\"\" /f /reg:64",
428 "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
429 "taskeng.exe {A26A4551-CE27-4734-B3B5-4A6AC6CCFA5D} S-1-5-18:NT AUTHORITY\\System:Service:",
430 "taskeng.exe {7D634482-E765-4A78-A521-5F1A16E7266C} S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:[1]",
431 "taskeng.exe {279AB446-CEDA-418D-8012-17782CB44D54} S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:[1]",
432 "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
433 "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
434 "\"C:\\Program Files (x86)\\Client\\client.exe\" /startup",
435 "\"C:\\Program Files (x86)\\Client\\client.exe\""
436]
438[*] Mutexes: [
439 "Global\\CLR_CASOFF_MUTEX",
440 "\\xd0\\xb9\\xd0\\x9b\\xd1\\x8f\\xd1\\x8d\\xd0\\xae\\xd0\\xac\\xd0\\x98",
441 "Global\\ user1f769cd394f2c2dfe9902eb6447d138b55c39a59",
442 "Global\\.net clr networking",
443 "1f769cd394f2c2dfe9902eb6447d138b55c39a59",
444 "Global\\ADAP_WMI_ENTRY",
445 "Global\\RefreshRA_Mutex",
446 "Global\\RefreshRA_Mutex_Lib",
447 "Global\\RefreshRA_Mutex_Flag",
448 "FireFX2800",
449 "FireFX2128",
450 "FireFX1684"
451]
453[*] Modified Files: [
454 "C:\\Program Files (x86)\\Client\\client.exe",
455 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Guard\\1",
456 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\7.52 AM",
457 "C:\\Users\\user\\AppData\\Local\\Temp\\8260",
458 "C:\\Users\\user\\AppData\\Local\\Temp\\7837",
459 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\8.21 AM",
460 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D",
461 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D",
462 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab278E.tmp",
463 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC",
464 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\DA3B6E45325D5FFF28CF6BAD6065C907_FBEAFB4EE7383EC8E0A3A2C1EC7FCEAC",
465 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar278F.tmp",
466 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\8.33 AM",
467 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\782AC1F7D5B160B0F71F6F92B0912799",
468 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6E47DC54834F661FE77B461D2DF73D9D",
469 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\782AC1F7D5B160B0F71F6F92B0912799",
470 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\6E47DC54834F661FE77B461D2DF73D9D",
471 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE",
472 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE",
473 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\EA618097E393409AFA316F0F87E2C202_1958C8FC5F0E0F8549703D0A9B9309B5",
474 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\EA618097E393409AFA316F0F87E2C202_1958C8FC5F0E0F8549703D0A9B9309B5",
475 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\ECF3006D44DA211141391220EE5049F4",
476 "C:\\Users\\user\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\ECF3006D44DA211141391220EE5049F4",
477 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\8.45 AM",
478 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab3897.tmp",
479 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar3898.tmp",
480 "C:\\Windows\\System32\\clientmonitor.exe",
481 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.12 AM",
482 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4079.tmp",
483 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar407A.tmp",
484 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.22 AM",
485 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4A6E.tmp",
486 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4A6F.tmp",
487 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.32 AM",
488 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab5230.tmp",
489 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5231.tmp",
490 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.42 AM",
491 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab5CF0.tmp",
492 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5CF1.tmp",
493 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.53 AM",
494 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab64C2.tmp",
495 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar64C3.tmp",
496 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.19 AM",
497 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab6CB3.tmp",
498 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar6CB4.tmp",
499 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.30 AM",
500 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7485.tmp",
501 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7486.tmp",
502 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.41 AM",
503 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7C48.tmp",
504 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7C58.tmp",
505 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.52 AM",
506 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab841A.tmp",
507 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar841B.tmp",
508 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.03 AM",
509 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab8BFB.tmp",
510 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar8BFC.tmp",
511 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.29 AM",
512 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab93CD.tmp",
513 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar93CE.tmp",
514 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.40 AM",
515 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab9BBF.tmp",
516 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar9BC0.tmp",
517 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.50 AM",
518 "C:\\Users\\user\\AppData\\Local\\Temp\\CabA3C0.tmp",
519 "C:\\Users\\user\\AppData\\Local\\Temp\\TarA3D0.tmp",
520 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\12.01 PM",
521 "C:\\Users\\user\\AppData\\Local\\Temp\\CabAB82.tmp",
522 "C:\\Users\\user\\AppData\\Local\\Temp\\TarAB83.tmp",
523 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\12.12 PM",
524 "C:\\Users\\user\\AppData\\Local\\Temp\\CabB354.tmp",
525 "C:\\Users\\user\\AppData\\Local\\Temp\\TarB355.tmp",
526 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\12.37 PM",
527 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\12.47 PM",
528 "C:\\Users\\user\\AppData\\Local\\Temp\\CabBEFE.tmp",
529 "C:\\Users\\user\\AppData\\Local\\Temp\\TarBEFF.tmp",
530 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\12.58 PM",
531 "C:\\Users\\user\\AppData\\Local\\Temp\\CabC6D0.tmp",
532 "C:\\Users\\user\\AppData\\Local\\Temp\\TarC6D1.tmp",
533 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\1.09 PM",
534 "C:\\Users\\user\\AppData\\Local\\Temp\\CabCEB2.tmp",
535 "C:\\Users\\user\\AppData\\Local\\Temp\\TarCEB3.tmp",
536 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\1.21 PM",
537 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD636.tmp",
538 "C:\\Users\\user\\AppData\\Local\\Temp\\TarD637.tmp",
539 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD9F1.tmp",
540 "C:\\Users\\user\\AppData\\Local\\Temp\\TarDA02.tmp",
541 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\1.47 PM",
542 "C:\\Users\\user\\AppData\\Local\\Temp\\CabEF8E.tmp",
543 "C:\\Users\\user\\AppData\\Local\\Temp\\TarEF8F.tmp",
544 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\2.04 PM",
545 "C:\\Users\\user\\AppData\\Local\\Temp\\CabF7BE.tmp",
546 "C:\\Users\\user\\AppData\\Local\\Temp\\TarF7CF.tmp",
547 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\2.29 PM",
548 "C:\\Users\\user\\AppData\\Local\\Temp\\2652",
549 "C:\\Users\\user\\AppData\\Local\\Temp\\5309",
550 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4EF.tmp",
551 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4F0.tmp",
552 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\2.43 PM",
553 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab18C7.tmp",
554 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar18C8.tmp",
555 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\2.54 PM",
556 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab2C61.tmp",
557 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar2C62.tmp",
558 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\3.21 PM",
559 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4912.tmp",
560 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\3.33 PM",
561 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4913.tmp",
562 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\4.03 PM",
563 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab56FF.tmp",
564 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5700.tmp",
565 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab6970.tmp",
566 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar6971.tmp",
567 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\4.19 PM",
568 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\4.31 PM",
569 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7410.tmp",
570 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7411.tmp",
571 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab79DF.tmp",
572 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar79E0.tmp",
573 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7B19.tmp",
574 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\4.59 PM",
575 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7B1A.tmp",
576 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab808A.tmp",
577 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar808B.tmp",
578 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\5.12 PM",
579 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab976F.tmp",
580 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar9770.tmp",
581 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\5.24 PM",
582 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\5.45 PM",
583 "C:\\Users\\user\\AppData\\Local\\Temp\\CabAA2E.tmp",
584 "C:\\Users\\user\\AppData\\Local\\Temp\\TarAA2F.tmp",
585 "C:\\Users\\user\\AppData\\Local\\Temp\\CabBC12.tmp",
586 "C:\\Users\\user\\AppData\\Local\\Temp\\TarBC13.tmp",
587 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\6.05 PM",
588 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\6.09 PM",
589 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\6.27 PM",
590 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD394.tmp",
591 "C:\\Users\\user\\AppData\\Local\\Temp\\TarD395.tmp",
592 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\6.53 PM",
593 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab3BE.tmp",
594 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar3CF.tmp",
595 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\7.03 PM",
596 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab1CB7.tmp",
597 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar1CC7.tmp",
598 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\7.36 PM",
599 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\7.54 PM",
600 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab40AC.tmp",
601 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar40AD.tmp",
602 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab48CC.tmp",
603 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar490B.tmp",
604 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\8.14 PM",
605 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab659D.tmp",
606 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar659E.tmp",
607 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\8.26 PM",
608 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7186.tmp",
609 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7187.tmp",
610 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\8.49 PM",
611 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab837A.tmp",
612 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar837B.tmp",
613 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.00 PM",
614 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab9FCE.tmp",
615 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar9FCF.tmp",
616 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.26 PM",
617 "C:\\Users\\user\\AppData\\Local\\Temp\\CabACFF.tmp",
618 "C:\\Users\\user\\AppData\\Local\\Temp\\TarAD00.tmp",
619 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\9.39 PM",
620 "C:\\Users\\user\\AppData\\Local\\Temp\\CabC413.tmp",
621 "C:\\Users\\user\\AppData\\Local\\Temp\\TarC414.tmp",
622 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.12 PM",
623 "C:\\Users\\user\\AppData\\Local\\Temp\\CabCE65.tmp",
624 "C:\\Users\\user\\AppData\\Local\\Temp\\TarCE66.tmp",
625 "C:\\Users\\user\\AppData\\Local\\Temp\\CabE5B8.tmp",
626 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.25 PM",
627 "C:\\Users\\user\\AppData\\Local\\Temp\\TarE5B9.tmp",
628 "C:\\Users\\user\\AppData\\Local\\Temp\\CabF134.tmp",
629 "C:\\Users\\user\\AppData\\Local\\Temp\\TarF135.tmp",
630 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\10.51 PM",
631 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD49.tmp",
632 "C:\\Users\\user\\AppData\\Local\\Temp\\TarD4A.tmp",
633 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.07 PM",
634 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab21EC.tmp",
635 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.32 PM",
636 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar21ED.tmp",
637 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.46 PM",
638 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab36FD.tmp",
639 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar36FE.tmp",
640 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-28-2019\\11.59 PM",
641 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4538.tmp",
642 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-29-2019\\12.18 AM",
643 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4539.tmp",
644 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-29-2019\\12.36 AM",
645 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab5C9A.tmp",
646 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5CBA.tmp",
647 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-29-2019\\1.00 AM",
648 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab6CD8.tmp",
649 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar6CD9.tmp",
650 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab72F5.tmp",
651 "C:\\Users\\user\\AppData\\Roaming\\Monitor\\Screenshots\\06-29-2019\\1.13 AM",
652 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar72F6.tmp",
653 "C:\\Windows\\sysnative\\Tasks\\Client Monitor",
654 "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
655 "\\Device\\LanmanDatagramReceiver",
656 "\\??\\PIPE\\srvsvc",
657 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
658 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
659 "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
660 "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
661 "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
662 "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.ini",
663 "\\??\\PIPE\\samr",
664 "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
665 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
666 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
667 "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
668 "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
669 "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
670 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER",
671 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
672 "\\??\\WMIDataDevice"
673]
675[*] Deleted Files: [
676 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.1880.30179531",
677 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.1880.30179531",
678 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.1880.30179546",
679 "C:\\Program Files (x86)\\Client\\client.exe:Zone.Identifier",
680 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe",
681 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab278E.tmp",
682 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar278F.tmp",
683 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab3897.tmp",
684 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar3898.tmp",
685 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4079.tmp",
686 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar407A.tmp",
687 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4A6E.tmp",
688 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4A6F.tmp",
689 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab5230.tmp",
690 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5231.tmp",
691 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab5CF0.tmp",
692 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5CF1.tmp",
693 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab64C2.tmp",
694 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar64C3.tmp",
695 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab6CB3.tmp",
696 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar6CB4.tmp",
697 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7485.tmp",
698 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7486.tmp",
699 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7C48.tmp",
700 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7C58.tmp",
701 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab841A.tmp",
702 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar841B.tmp",
703 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab8BFB.tmp",
704 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar8BFC.tmp",
705 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab93CD.tmp",
706 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar93CE.tmp",
707 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab9BBF.tmp",
708 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar9BC0.tmp",
709 "C:\\Users\\user\\AppData\\Local\\Temp\\CabA3C0.tmp",
710 "C:\\Users\\user\\AppData\\Local\\Temp\\TarA3D0.tmp",
711 "C:\\Users\\user\\AppData\\Local\\Temp\\CabAB82.tmp",
712 "C:\\Users\\user\\AppData\\Local\\Temp\\TarAB83.tmp",
713 "C:\\Users\\user\\AppData\\Local\\Temp\\CabB354.tmp",
714 "C:\\Users\\user\\AppData\\Local\\Temp\\TarB355.tmp",
715 "C:\\Users\\user\\AppData\\Local\\Temp\\CabBEFE.tmp",
716 "C:\\Users\\user\\AppData\\Local\\Temp\\TarBEFF.tmp",
717 "C:\\Users\\user\\AppData\\Local\\Temp\\CabC6D0.tmp",
718 "C:\\Users\\user\\AppData\\Local\\Temp\\TarC6D1.tmp",
719 "C:\\Users\\user\\AppData\\Local\\Temp\\CabCEB2.tmp",
720 "C:\\Users\\user\\AppData\\Local\\Temp\\TarCEB3.tmp",
721 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD636.tmp",
722 "C:\\Users\\user\\AppData\\Local\\Temp\\TarD637.tmp",
723 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD9F1.tmp",
724 "C:\\Users\\user\\AppData\\Local\\Temp\\TarDA02.tmp",
725 "C:\\Users\\user\\AppData\\Local\\Temp\\CabEF8E.tmp",
726 "C:\\Users\\user\\AppData\\Local\\Temp\\TarEF8F.tmp",
727 "C:\\Users\\user\\AppData\\Local\\Temp\\CabF7BE.tmp",
728 "C:\\Users\\user\\AppData\\Local\\Temp\\TarF7CF.tmp",
729 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4EF.tmp",
730 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4F0.tmp",
731 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab18C7.tmp",
732 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar18C8.tmp",
733 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab2C61.tmp",
734 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar2C62.tmp",
735 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4912.tmp",
736 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4913.tmp",
737 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab56FF.tmp",
738 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5700.tmp",
739 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab6970.tmp",
740 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar6971.tmp",
741 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7410.tmp",
742 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7411.tmp",
743 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab79DF.tmp",
744 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar79E0.tmp",
745 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7B19.tmp",
746 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7B1A.tmp",
747 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab808A.tmp",
748 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar808B.tmp",
749 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab976F.tmp",
750 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar9770.tmp",
751 "C:\\Users\\user\\AppData\\Local\\Temp\\CabAA2E.tmp",
752 "C:\\Users\\user\\AppData\\Local\\Temp\\TarAA2F.tmp",
753 "C:\\Users\\user\\AppData\\Local\\Temp\\CabBC12.tmp",
754 "C:\\Users\\user\\AppData\\Local\\Temp\\TarBC13.tmp",
755 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD394.tmp",
756 "C:\\Users\\user\\AppData\\Local\\Temp\\TarD395.tmp",
757 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab3BE.tmp",
758 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar3CF.tmp",
759 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab1CB7.tmp",
760 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar1CC7.tmp",
761 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab40AC.tmp",
762 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar40AD.tmp",
763 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab48CC.tmp",
764 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar490B.tmp",
765 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab659D.tmp",
766 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar659E.tmp",
767 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab7186.tmp",
768 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar7187.tmp",
769 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab837A.tmp",
770 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar837B.tmp",
771 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab9FCE.tmp",
772 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar9FCF.tmp",
773 "C:\\Users\\user\\AppData\\Local\\Temp\\CabACFF.tmp",
774 "C:\\Users\\user\\AppData\\Local\\Temp\\TarAD00.tmp",
775 "C:\\Users\\user\\AppData\\Local\\Temp\\CabC413.tmp",
776 "C:\\Users\\user\\AppData\\Local\\Temp\\TarC414.tmp",
777 "C:\\Users\\user\\AppData\\Local\\Temp\\CabCE65.tmp",
778 "C:\\Users\\user\\AppData\\Local\\Temp\\TarCE66.tmp",
779 "C:\\Users\\user\\AppData\\Local\\Temp\\CabE5B8.tmp",
780 "C:\\Users\\user\\AppData\\Local\\Temp\\TarE5B9.tmp",
781 "C:\\Users\\user\\AppData\\Local\\Temp\\CabF134.tmp",
782 "C:\\Users\\user\\AppData\\Local\\Temp\\TarF135.tmp",
783 "C:\\Users\\user\\AppData\\Local\\Temp\\CabD49.tmp",
784 "C:\\Users\\user\\AppData\\Local\\Temp\\TarD4A.tmp",
785 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab21EC.tmp",
786 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar21ED.tmp",
787 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab36FD.tmp",
788 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar36FE.tmp",
789 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab4538.tmp",
790 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar4539.tmp",
791 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab5C9A.tmp",
792 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar5CBA.tmp",
793 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab6CD8.tmp",
794 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar6CD9.tmp",
795 "C:\\Users\\user\\AppData\\Local\\Temp\\Cab72F5.tmp",
796 "C:\\Users\\user\\AppData\\Local\\Temp\\Tar72F6.tmp",
797 "C:\\Windows\\Tasks\\Client Monitor.job",
798 "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
799 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
800 "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
801 "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl.h",
802 "C:\\Windows\\sysnative\\wbem\\Performance\\WmiApRpl_new.h",
803 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch.2152.30450000",
804 "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch.2152.30450000",
805 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch.2152.30450015"
806]
807
808[*] Modified Registry Keys: [
809 "HKEY_CURRENT_USER\\Software\\QqYXE61FQEZBQos7Y7HgAw==",
810 "HKEY_CURRENT_USER\\Software\\aPCuZjSsI3pDIkDuoy5Llg==",
811 "HKEY_CURRENT_USER\\Software\\PTH",
812 "HKEY_CURRENT_USER\\Software\\MTX",
813 "HKEY_CURRENT_USER\\Software\\PRC",
814 "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\MuiCache\\2F\\52C64B7E\\LanguageList",
815 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\shell",
816 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Client Monitor\\Index",
817 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E8E03AA9-EB19-4AB1-8D4A-4369FFC664E6}\\Hash",
818 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E8E03AA9-EB19-4AB1-8D4A-4369FFC664E6}\\Triggers",
819 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
820 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
821 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
822 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{D23BBC0A-1A78-4A02-AD90-C10384FEC795}\\Path",
823 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{D23BBC0A-1A78-4A02-AD90-C10384FEC795}\\Hash",
824 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
825 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
826 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{D23BBC0A-1A78-4A02-AD90-C10384FEC795}\\Triggers",
827 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{D23BBC0A-1A78-4A02-AD90-C10384FEC795}\\DynamicInfo",
828 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05}\\DynamicInfo",
829 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{A26A4551-CE27-4734-B3B5-4A6AC6CCFA5D}",
830 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E8E03AA9-EB19-4AB1-8D4A-4369FFC664E6}\\DynamicInfo",
831 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{7D634482-E765-4A78-A521-5F1A16E7266C}",
832 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{279AB446-CEDA-418D-8012-17782CB44D54}",
833 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Client Monitor",
834 "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
835 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
836 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
837 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
838 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
839 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
840 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider",
841 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\IDE\\DiskVBOX_HARDDISK___________________________1.0_____\\5&33d1638a&0&0.0.0_0-{00000000-0000-0000-0000-000000000000}",
842 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\advapi32.dll[MofResourceName]",
843 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]",
844 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ACPI.sys[ACPIMOFResource]",
845 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ACPI.sys.mui[ACPIMOFResource]",
846 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\ndis.sys[MofResourceName]",
847 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\drivers\\en-US\\ndis.sys.mui[MofResourceName]",
848 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\mssmbios.sys[MofResource]",
849 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\mssmbios.sys.mui[MofResource]",
850 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\HDAudBus.sys[HDAudioMofName]",
851 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\HDAudBus.sys.mui[HDAudioMofName]",
852 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\intelppm.sys[PROCESSORWMI]",
853 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\en-US\\intelppm.sys.mui[PROCESSORWMI]",
854 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\portcls.SYS[PortclsMof]",
855 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\System32\\Drivers\\en-US\\portcls.SYS.mui[PortclsMof]",
856 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]",
857 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{A26A4551-CE27-4734-B3B5-4A6AC6CCFA5D}\\data",
858 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{7D634482-E765-4A78-A521-5F1A16E7266C}\\data",
859 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\{279AB446-CEDA-418D-8012-17782CB44D54}\\data"
860]
861
862[*] Deleted Registry Keys: [
863 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SunJavaUpdateSched",
864 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\Client Monitor.job",
865 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\Client Monitor.job.fp",
866 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
867 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM\\C:\\Windows\\system32\\DRIVERS\\monitor.sys[MonitorWMI]"
868]
869
870[*] DNS Communications: [
871 {
872 "type": "A",
873 "request": "akika321.ddns.net",
874 "answers": [
875 {
876 "data": "0.0.0.0",
877 "type": "A"
878 }
879 ]
880 },
881 {
882 "type": "A",
883 "request": "crl3.digicert.com",
884 "answers": [
885 {
886 "data": "cs9.wac.phicdn.net",
887 "type": "CNAME"
888 },
889 {
890 "data": "72.21.91.29",
891 "type": "A"
892 }
893 ]
894 },
895 {
896 "type": "A",
897 "request": "crl4.digicert.com",
898 "answers": [
899 {
900 "data": "cs9.wac.phicdn.net",
901 "type": "CNAME"
902 },
903 {
904 "data": "72.21.91.29",
905 "type": "A"
906 }
907 ]
908 },
909 {
910 "type": "A",
911 "request": "s2.symcb.com",
912 "answers": [
913 {
914 "data": "23.4.43.27",
915 "type": "A"
916 },
917 {
918 "data": "ocsp-ds.ws.symantec.com.edgekey.net",
919 "type": "CNAME"
920 },
921 {
922 "data": "e8218.dscb1.akamaiedge.net",
923 "type": "CNAME"
924 }
925 ]
926 },
927 {
928 "type": "A",
929 "request": "sv.symcd.com",
930 "answers": [
931 {
932 "data": "23.4.43.27",
933 "type": "A"
934 },
935 {
936 "data": "ocsp-ds.ws.symantec.com.edgekey.net",
937 "type": "CNAME"
938 },
939 {
940 "data": "e8218.dscb1.akamaiedge.net",
941 "type": "CNAME"
942 }
943 ]
944 },
945 {
946 "type": "A",
947 "request": "sv.symcb.com",
948 "answers": [
949 {
950 "data": "crl-symcprod.digicert.com",
951 "type": "CNAME"
952 },
953 {
954 "data": "cs9.wac.phicdn.net",
955 "type": "CNAME"
956 },
957 {
958 "data": "72.21.91.29",
959 "type": "A"
960 }
961 ]
962 }
963]
964
965[*] Domains: [
966 {
967 "ip": "72.21.91.29",
968 "domain": "crl3.digicert.com"
969 },
970 {
971 "ip": "23.4.43.27",
972 "domain": "sv.symcd.com"
973 },
974 {
975 "ip": "72.21.91.29",
976 "domain": "crl4.digicert.com"
977 },
978 {
979 "ip": "0.0.0.0",
980 "domain": "akika321.ddns.net"
981 },
982 {
983 "ip": "72.21.91.29",
984 "domain": "sv.symcb.com"
985 },
986 {
987 "ip": "23.4.43.27",
988 "domain": "s2.symcb.com"
989 }
990]
991
992[*] Network Communication - ICMP: []
993
994[*] Network Communication - HTTP: [
995 {
996 "count": 1,
997 "body": "",
998 "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
999 "user-agent": "Microsoft-CryptoAPI/6.1",
1000 "method": "GET",
1001 "host": "ocsp.digicert.com",
1002 "version": "1.1",
1003 "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
1004 "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 150849\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 10:50:30 GMT\r\nIf-None-Match: \"5ced1276-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
1005 "port": 80
1006 },
1007 {
1008 "count": 1,
1009 "body": "",
1010 "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
1011 "user-agent": "Microsoft-CryptoAPI/6.1",
1012 "method": "GET",
1013 "host": "ocsp.digicert.com",
1014 "version": "1.1",
1015 "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
1016 "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 168744\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 15:00:08 GMT\r\nIf-None-Match: \"5ced4cf8-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
1017 "port": 80
1018 },
1019 {
1020 "count": 1,
1021 "body": "",
1022 "uri": "http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl",
1023 "user-agent": "Microsoft-CryptoAPI/6.1",
1024 "method": "GET",
1025 "host": "crl4.digicert.com",
1026 "version": "1.1",
1027 "path": "/EVCodeSigningSHA2-g1.crl",
1028 "data": "GET /EVCodeSigningSHA2-g1.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl4.digicert.com\r\n\r\n",
1029 "port": 80
1030 },
1031 {
1032 "count": 1,
1033 "body": "",
1034 "uri": "http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl",
1035 "user-agent": "Microsoft-CryptoAPI/6.1",
1036 "method": "GET",
1037 "host": "crl3.digicert.com",
1038 "version": "1.1",
1039 "path": "/EVCodeSigningSHA2-g1.crl",
1040 "data": "GET /EVCodeSigningSHA2-g1.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl3.digicert.com\r\n\r\n",
1041 "port": 80
1042 },
1043 {
1044 "count": 1,
1045 "body": "",
1046 "uri": "http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D",
1047 "user-agent": "Microsoft-CryptoAPI/6.1",
1048 "method": "GET",
1049 "host": "s2.symcb.com",
1050 "version": "1.1",
1051 "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D",
1052 "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: s2.symcb.com\r\n\r\n",
1053 "port": 80
1054 },
1055 {
1056 "count": 1,
1057 "body": "",
1058 "uri": "http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEFl%2BTkXLwRW7pkAmAuicv0U%3D",
1059 "user-agent": "Microsoft-CryptoAPI/6.1",
1060 "method": "GET",
1061 "host": "sv.symcd.com",
1062 "version": "1.1",
1063 "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEFl%2BTkXLwRW7pkAmAuicv0U%3D",
1064 "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEFl%2BTkXLwRW7pkAmAuicv0U%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: sv.symcd.com\r\n\r\n",
1065 "port": 80
1066 },
1067 {
1068 "count": 1,
1069 "body": "",
1070 "uri": "http://sv.symcb.com/sv.crl",
1071 "user-agent": "Microsoft-CryptoAPI/6.1",
1072 "method": "GET",
1073 "host": "sv.symcb.com",
1074 "version": "1.1",
1075 "path": "/sv.crl",
1076 "data": "GET /sv.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: sv.symcb.com\r\n\r\n",
1077 "port": 80
1078 }
1079]
1080
1081[*] Network Communication - SMTP: []
1082
1083[*] Network Communication - Hosts: []
1084
1085[*] Network Communication - IRC: []
1086
1087[*] Static Analysis: {
1088 "dotnet": {
1089 "customattrs": null,
1090 "assemblyinfo": {
1091 "version": "1.0.0.0",
1092 "name": "Documents0"
1093 },
1094 "assemblyrefs": [
1095 {
1096 "version": "2.0.0.0",
1097 "name": "mscorlib"
1098 },
1099 {
1100 "version": "8.0.0.0",
1101 "name": "Microsoft.VisualBasic"
1102 },
1103 {
1104 "version": "2.0.0.0",
1105 "name": "System"
1106 },
1107 {
1108 "version": "2.0.0.0",
1109 "name": "System.Drawing"
1110 }
1111 ],
1112 "typerefs": [
1113 {
1114 "typename": "Microsoft.VisualBasic.ApplicationServices.ApplicationBase",
1115 "assembly": "Microsoft.VisualBasic"
1116 },
1117 {
1118 "typename": "Microsoft.VisualBasic.ApplicationServices.User",
1119 "assembly": "Microsoft.VisualBasic"
1120 },
1121 {
1122 "typename": "Microsoft.VisualBasic.CompilerServices.Conversions",
1123 "assembly": "Microsoft.VisualBasic"
1124 },
1125 {
1126 "typename": "Microsoft.VisualBasic.CompilerServices.NewLateBinding",
1127 "assembly": "Microsoft.VisualBasic"
1128 },
1129 {
1130 "typename": "Microsoft.VisualBasic.CompilerServices.Operators",
1131 "assembly": "Microsoft.VisualBasic"
1132 },
1133 {
1134 "typename": "Microsoft.VisualBasic.CompilerServices.ProjectData",
1135 "assembly": "Microsoft.VisualBasic"
1136 },
1137 {
1138 "typename": "Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute",
1139 "assembly": "Microsoft.VisualBasic"
1140 },
1141 {
1142 "typename": "Microsoft.VisualBasic.Devices.Computer",
1143 "assembly": "Microsoft.VisualBasic"
1144 },
1145 {
1146 "typename": "Microsoft.VisualBasic.HideModuleNameAttribute",
1147 "assembly": "Microsoft.VisualBasic"
1148 },
1149 {
1150 "typename": "Microsoft.VisualBasic.MyGroupCollectionAttribute",
1151 "assembly": "Microsoft.VisualBasic"
1152 },
1153 {
1154 "typename": "Microsoft.VisualBasic.VBMath",
1155 "assembly": "Microsoft.VisualBasic"
1156 },
1157 {
1158 "typename": "System.CodeDom.Compiler.GeneratedCodeAttribute",
1159 "assembly": "System"
1160 },
1161 {
1162 "typename": "System.ComponentModel.Design.HelpKeywordAttribute",
1163 "assembly": "System"
1164 },
1165 {
1166 "typename": "System.ComponentModel.EditorBrowsableAttribute",
1167 "assembly": "System"
1168 },
1169 {
1170 "typename": "System.ComponentModel.EditorBrowsableState",
1171 "assembly": "System"
1172 },
1173 {
1174 "typename": "System.Drawing.Bitmap",
1175 "assembly": "System.Drawing"
1176 },
1177 {
1178 "typename": "System.Drawing.Color",
1179 "assembly": "System.Drawing"
1180 },
1181 {
1182 "typename": "System.Drawing.Graphics",
1183 "assembly": "System.Drawing"
1184 },
1185 {
1186 "typename": "System.Drawing.Image",
1187 "assembly": "System.Drawing"
1188 },
1189 {
1190 "typename": "System.Activator",
1191 "assembly": "mscorlib"
1192 },
1193 {
1194 "typename": "System.Array",
1195 "assembly": "mscorlib"
1196 },
1197 {
1198 "typename": "System.Boolean",
1199 "assembly": "mscorlib"
1200 },
1201 {
1202 "typename": "System.Byte",
1203 "assembly": "mscorlib"
1204 },
1205 {
1206 "typename": "System.Collections.Generic.List`1",
1207 "assembly": "mscorlib"
1208 },
1209 {
1210 "typename": "System.Diagnostics.DebuggerHiddenAttribute",
1211 "assembly": "mscorlib"
1212 },
1213 {
1214 "typename": "System.Enum",
1215 "assembly": "mscorlib"
1216 },
1217 {
1218 "typename": "System.Exception",
1219 "assembly": "mscorlib"
1220 },
1221 {
1222 "typename": "System.FlagsAttribute",
1223 "assembly": "mscorlib"
1224 },
1225 {
1226 "typename": "System.Int32",
1227 "assembly": "mscorlib"
1228 },
1229 {
1230 "typename": "System.Math",
1231 "assembly": "mscorlib"
1232 },
1233 {
1234 "typename": "System.Object",
1235 "assembly": "mscorlib"
1236 },
1237 {
1238 "typename": "System.Reflection.Assembly",
1239 "assembly": "mscorlib"
1240 },
1241 {
1242 "typename": "System.Reflection.AssemblyCompanyAttribute",
1243 "assembly": "mscorlib"
1244 },
1245 {
1246 "typename": "System.Reflection.AssemblyCopyrightAttribute",
1247 "assembly": "mscorlib"
1248 },
1249 {
1250 "typename": "System.Reflection.AssemblyDescriptionAttribute",
1251 "assembly": "mscorlib"
1252 },
1253 {
1254 "typename": "System.Reflection.AssemblyFileVersionAttribute",
1255 "assembly": "mscorlib"
1256 },
1257 {
1258 "typename": "System.Reflection.AssemblyProductAttribute",
1259 "assembly": "mscorlib"
1260 },
1261 {
1262 "typename": "System.Reflection.AssemblyTitleAttribute",
1263 "assembly": "mscorlib"
1264 },
1265 {
1266 "typename": "System.Reflection.AssemblyTrademarkAttribute",
1267 "assembly": "mscorlib"
1268 },
1269 {
1270 "typename": "System.Reflection.MethodInfo",
1271 "assembly": "mscorlib"
1272 },
1273 {
1274 "typename": "System.Resources.ResourceManager",
1275 "assembly": "mscorlib"
1276 },
1277 {
1278 "typename": "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
1279 "assembly": "mscorlib"
1280 },
1281 {
1282 "typename": "System.Runtime.CompilerServices.CompilerGeneratedAttribute",
1283 "assembly": "mscorlib"
1284 },
1285 {
1286 "typename": "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
1287 "assembly": "mscorlib"
1288 },
1289 {
1290 "typename": "System.Runtime.CompilerServices.RuntimeHelpers",
1291 "assembly": "mscorlib"
1292 },
1293 {
1294 "typename": "System.Runtime.InteropServices.ComVisibleAttribute",
1295 "assembly": "mscorlib"
1296 },
1297 {
1298 "typename": "System.Runtime.InteropServices.LayoutKind",
1299 "assembly": "mscorlib"
1300 },
1301 {
1302 "typename": "System.Runtime.InteropServices.StructLayoutAttribute",
1303 "assembly": "mscorlib"
1304 },
1305 {
1306 "typename": "System.RuntimeTypeHandle",
1307 "assembly": "mscorlib"
1308 },
1309 {
1310 "typename": "System.STAThreadAttribute",
1311 "assembly": "mscorlib"
1312 },
1313 {
1314 "typename": "System.Security.Cryptography.CipherMode",
1315 "assembly": "mscorlib"
1316 },
1317 {
1318 "typename": "System.Security.Cryptography.HashAlgorithm",
1319 "assembly": "mscorlib"
1320 },
1321 {
1322 "typename": "System.Security.Cryptography.ICryptoTransform",
1323 "assembly": "mscorlib"
1324 },
1325 {
1326 "typename": "System.Security.Cryptography.MD5CryptoServiceProvider",
1327 "assembly": "mscorlib"
1328 },
1329 {
1330 "typename": "System.Security.Cryptography.RC2CryptoServiceProvider",
1331 "assembly": "mscorlib"
1332 },
1333 {
1334 "typename": "System.Security.Cryptography.SymmetricAlgorithm",
1335 "assembly": "mscorlib"
1336 },
1337 {
1338 "typename": "System.String",
1339 "assembly": "mscorlib"
1340 },
1341 {
1342 "typename": "System.Text.Encoding",
1343 "assembly": "mscorlib"
1344 },
1345 {
1346 "typename": "System.Text.StringBuilder",
1347 "assembly": "mscorlib"
1348 },
1349 {
1350 "typename": "System.ThreadStaticAttribute",
1351 "assembly": "mscorlib"
1352 },
1353 {
1354 "typename": "System.Type",
1355 "assembly": "mscorlib"
1356 },
1357 {
1358 "typename": "System.ValueType",
1359 "assembly": "mscorlib"
1360 }
1361 ]
1362 },
1363 "pe": {
1364 "peid_signatures": null,
1365 "imports": [
1366 {
1367 "imports": [
1368 {
1369 "name": "_CorExeMain",
1370 "address": "0x402000"
1371 }
1372 ],
1373 "dll": "mscoree.dll"
1374 }
1375 ],
1376 "digital_signers": null,
1377 "exported_dll_name": null,
1378 "actual_checksum": "0x000fe7ad",
1379 "overlay": null,
1380 "imagebase": "0x00400000",
1381 "reported_checksum": "0x00000000",
1382 "icon_hash": null,
1383 "entrypoint": "0x004f8a8e",
1384 "timestamp": "2017-02-24 22:18:03",
1385 "osversion": "4.0",
1386 "sections": [
1387 {
1388 "name": ".text",
1389 "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
1390 "virtual_address": "0x00002000",
1391 "size_of_data": "0x000f7000",
1392 "entropy": "7.75",
1393 "raw_address": "0x00001000",
1394 "virtual_size": "0x000f6a94",
1395 "characteristics_raw": "0x60000020"
1396 },
1397 {
1398 "name": ".rsrc",
1399 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
1400 "virtual_address": "0x000fa000",
1401 "size_of_data": "0x00001000",
1402 "entropy": "0.70",
1403 "raw_address": "0x000f8000",
1404 "virtual_size": "0x000002b0",
1405 "characteristics_raw": "0x40000040"
1406 },
1407 {
1408 "name": ".reloc",
1409 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
1410 "virtual_address": "0x000fc000",
1411 "size_of_data": "0x00001000",
1412 "entropy": "0.02",
1413 "raw_address": "0x000f9000",
1414 "virtual_size": "0x0000000c",
1415 "characteristics_raw": "0x42000040"
1416 }
1417 ],
1418 "resources": [],
1419 "dirents": [
1420 {
1421 "virtual_address": "0x00000000",
1422 "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
1423 "size": "0x00000000"
1424 },
1425 {
1426 "virtual_address": "0x000f8a34",
1427 "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
1428 "size": "0x00000057"
1429 },
1430 {
1431 "virtual_address": "0x000fa000",
1432 "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
1433 "size": "0x000002b0"
1434 },
1435 {
1436 "virtual_address": "0x00000000",
1437 "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
1438 "size": "0x00000000"
1439 },
1440 {
1441 "virtual_address": "0x00000000",
1442 "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
1443 "size": "0x00000000"
1444 },
1445 {
1446 "virtual_address": "0x000fc000",
1447 "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
1448 "size": "0x0000000c"
1449 },
1450 {
1451 "virtual_address": "0x00000000",
1452 "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
1453 "size": "0x00000000"
1454 },
1455 {
1456 "virtual_address": "0x00000000",
1457 "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
1458 "size": "0x00000000"
1459 },
1460 {
1461 "virtual_address": "0x00000000",
1462 "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
1463 "size": "0x00000000"
1464 },
1465 {
1466 "virtual_address": "0x00000000",
1467 "name": "IMAGE_DIRECTORY_ENTRY_TLS",
1468 "size": "0x00000000"
1469 },
1470 {
1471 "virtual_address": "0x00000000",
1472 "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
1473 "size": "0x00000000"
1474 },
1475 {
1476 "virtual_address": "0x00000000",
1477 "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
1478 "size": "0x00000000"
1479 },
1480 {
1481 "virtual_address": "0x00002000",
1482 "name": "IMAGE_DIRECTORY_ENTRY_IAT",
1483 "size": "0x00000008"
1484 },
1485 {
1486 "virtual_address": "0x00000000",
1487 "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
1488 "size": "0x00000000"
1489 },
1490 {
1491 "virtual_address": "0x00002008",
1492 "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
1493 "size": "0x00000048"
1494 },
1495 {
1496 "virtual_address": "0x00000000",
1497 "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
1498 "size": "0x00000000"
1499 }
1500 ],
1501 "exports": [],
1502 "guest_signers": {},
1503 "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
1504 "icon_fuzzy": null,
1505 "icon": null,
1506 "pdbpath": null,
1507 "imported_dll_count": 1,
1508 "versioninfo": []
1509 }
1510}
1511
1512[*] Resolved APIs: [
1513 "advapi32.dll.RegOpenKeyExW",
1514 "advapi32.dll.RegQueryInfoKeyW",
1515 "advapi32.dll.RegEnumKeyExW",
1516 "advapi32.dll.RegEnumValueW",
1517 "advapi32.dll.RegCloseKey",
1518 "advapi32.dll.RegQueryValueExW",
1519 "kernel32.dll.QueryActCtxW",
1520 "shlwapi.dll.UrlIsW",
1521 "kernel32.dll.FlsAlloc",
1522 "kernel32.dll.FlsGetValue",
1523 "kernel32.dll.FlsSetValue",
1524 "kernel32.dll.FlsFree",
1525 "kernel32.dll.InitializeCriticalSectionAndSpinCount",
1526 "kernel32.dll.IsProcessorFeaturePresent",
1527 "msvcrt.dll._set_error_mode",
1528 "msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z",
1529 "kernel32.dll.FindActCtxSectionStringW",
1530 "kernel32.dll.GetSystemWindowsDirectoryW",
1531 "mscoree.dll.GetProcessExecutableHeap",
1532 "mscorwks.dll._CorExeMain",
1533 "mscorwks.dll.GetCLRFunction",
1534 "advapi32.dll.RegisterTraceGuidsW",
1535 "advapi32.dll.UnregisterTraceGuids",
1536 "advapi32.dll.GetTraceLoggerHandle",
1537 "advapi32.dll.GetTraceEnableLevel",
1538 "advapi32.dll.GetTraceEnableFlags",
1539 "advapi32.dll.TraceEvent",
1540 "mscoree.dll.IEE",
1541 "mscorwks.dll.IEE",
1542 "mscoree.dll.GetStartupFlags",
1543 "mscoree.dll.GetHostConfigurationFile",
1544 "mscoree.dll.GetCORSystemDirectory",
1545 "ntdll.dll.RtlUnwind",
1546 "kernel32.dll.IsWow64Process",
1547 "advapi32.dll.AllocateAndInitializeSid",
1548 "advapi32.dll.OpenProcessToken",
1549 "advapi32.dll.GetTokenInformation",
1550 "advapi32.dll.InitializeAcl",
1551 "advapi32.dll.AddAccessAllowedAce",
1552 "advapi32.dll.FreeSid",
1553 "kernel32.dll.SetThreadStackGuarantee",
1554 "kernel32.dll.AddVectoredContinueHandler",
1555 "kernel32.dll.RemoveVectoredContinueHandler",
1556 "advapi32.dll.ConvertSidToStringSidW",
1557 "shell32.dll.SHGetFolderPathW",
1558 "kernel32.dll.FlushProcessWriteBuffers",
1559 "kernel32.dll.GetWriteWatch",
1560 "kernel32.dll.ResetWriteWatch",
1561 "kernel32.dll.CreateMemoryResourceNotification",
1562 "kernel32.dll.QueryMemoryResourceNotification",
1563 "ole32.dll.CoInitializeEx",
1564 "cryptbase.dll.SystemFunction036",
1565 "uxtheme.dll.ThemeInitApiHook",
1566 "user32.dll.IsProcessDPIAware",
1567 "ole32.dll.CoGetContextToken",
1568 "kernel32.dll.GetVersionExW",
1569 "kernel32.dll.GetFullPathNameW",
1570 "advapi32.dll.CryptAcquireContextA",
1571 "advapi32.dll.CryptReleaseContext",
1572 "advapi32.dll.CryptCreateHash",
1573 "advapi32.dll.CryptDestroyHash",
1574 "advapi32.dll.CryptHashData",
1575 "advapi32.dll.CryptGetHashParam",
1576 "advapi32.dll.CryptImportKey",
1577 "advapi32.dll.CryptExportKey",
1578 "advapi32.dll.CryptGenKey",
1579 "advapi32.dll.CryptGetKeyParam",
1580 "advapi32.dll.CryptDestroyKey",
1581 "advapi32.dll.CryptVerifySignatureA",
1582 "advapi32.dll.CryptSignHashA",
1583 "advapi32.dll.CryptGetProvParam",
1584 "advapi32.dll.CryptGetUserKey",
1585 "advapi32.dll.CryptEnumProvidersA",
1586 "mscoree.dll.GetMetaDataInternalInterface",
1587 "mscorwks.dll.GetMetaDataInternalInterface",
1588 "mscorjit.dll.getJit",
1589 "kernel32.dll.GetUserDefaultUILanguage",
1590 "kernel32.dll.SetErrorMode",
1591 "kernel32.dll.GetFileAttributesExW",
1592 "culture.dll.ConvertLangIdToCultureName",
1593 "kernel32.dll.lstrlen",
1594 "kernel32.dll.lstrlenW",
1595 "mscoree.dll.ND_RI4",
1596 "kernel32.dll.GlobalMemoryStatusEx",
1597 "bcrypt.dll.BCryptGetFipsAlgorithmMode",
1598 "cryptsp.dll.CryptAcquireContextW",
1599 "cryptsp.dll.CryptGetProvParam",
1600 "cryptsp.dll.CryptCreateHash",
1601 "cryptsp.dll.CryptHashData",
1602 "cryptsp.dll.CryptGetHashParam",
1603 "cryptsp.dll.CryptDestroyHash",
1604 "cryptsp.dll.CryptGenRandom",
1605 "cryptsp.dll.CryptImportKey",
1606 "cryptsp.dll.CryptSetKeyParam",
1607 "cryptsp.dll.CryptDecrypt",
1608 "cryptsp.dll.CryptEncrypt",
1609 "cryptsp.dll.CryptDestroyKey",
1610 "cryptsp.dll.CryptReleaseContext",
1611 "kernel32.dll.OpenMutexW",
1612 "kernel32.dll.CloseHandle",
1613 "kernel32.dll.ReleaseMutex",
1614 "kernel32.dll.CreateMutexW",
1615 "kernel32.dll.GetModuleHandleW",
1616 "kernel32.dll.GetTempPathW",
1617 "kernel32.dll.FindFirstFileW",
1618 "kernel32.dll.FindClose",
1619 "kernel32.dll.FindNextFileW",
1620 "kernel32.dll.GetCurrentProcessId",
1621 "advapi32.dll.LookupPrivilegeValueW",
1622 "kernel32.dll.GetCurrentProcess",
1623 "advapi32.dll.AdjustTokenPrivileges",
1624 "kernel32.dll.OpenProcess",
1625 "psapi.dll.EnumProcessModules",
1626 "psapi.dll.GetModuleInformation",
1627 "psapi.dll.GetModuleBaseNameW",
1628 "psapi.dll.GetModuleFileNameExW",
1629 "kernel32.dll.LoadLibraryA",
1630 "kernel32.dll.GetProcAddress",
1631 "kernel32.dll.CreateProcessA",
1632 "kernel32.dll.ReadProcessMemory",
1633 "kernel32.dll.WriteProcessMemory",
1634 "kernel32.dll.GetThreadContext",
1635 "ntdll.dll.NtSetContextThread",
1636 "ntdll.dll.NtUnmapViewOfSection",
1637 "kernel32.dll.VirtualAllocEx",
1638 "ntdll.dll.NtResumeThread",
1639 "ole32.dll.CoWaitForMultipleHandles",
1640 "sechost.dll.LookupAccountNameLocalW",
1641 "advapi32.dll.LookupAccountSidW",
1642 "sechost.dll.LookupAccountSidLocalW",
1643 "ole32.dll.NdrOleInitializeExtension",
1644 "ole32.dll.CoGetClassObject",
1645 "ole32.dll.CoGetMarshalSizeMax",
1646 "ole32.dll.CoMarshalInterface",
1647 "ole32.dll.CoUnmarshalInterface",
1648 "ole32.dll.StringFromIID",
1649 "ole32.dll.CoGetPSClsid",
1650 "ole32.dll.CoTaskMemAlloc",
1651 "ole32.dll.CoTaskMemFree",
1652 "ole32.dll.CoCreateInstance",
1653 "ole32.dll.CoReleaseMarshalData",
1654 "ole32.dll.DcomChannelSetHResult",
1655 "rpcrtremote.dll.I_RpcExtInitializeExtensionPoint",
1656 "kernel32.dll.CreateActCtxW",
1657 "kernel32.dll.AddRefActCtx",
1658 "kernel32.dll.ReleaseActCtx",
1659 "kernel32.dll.ActivateActCtx",
1660 "kernel32.dll.DeactivateActCtx",
1661 "kernel32.dll.GetCurrentActCtx",
1662 "shfolder.dll.SHGetFolderPathW",
1663 "advapi32.dll.RegSetValueExW",
1664 "kernel32.dll.LocalFree",
1665 "kernel32.dll.LocalAlloc",
1666 "advapi32.dll.DuplicateTokenEx",
1667 "advapi32.dll.CheckTokenMembership",
1668 "kernel32.dll.CreateDirectoryW",
1669 "advapi32.dll.SetNamedSecurityInfoW",
1670 "ntmarta.dll.GetMartaExtensionInterface",
1671 "kernel32.dll.CopyFileW",
1672 "kernel32.dll.DeleteFileW",
1673 "advapi32.dll.GetUserNameW",
1674 "kernel32.dll.SwitchToThread",
1675 "kernel32.dll.GetEnvironmentVariableW",
1676 "advapi32.dll.LsaClose",
1677 "advapi32.dll.LsaFreeMemory",
1678 "kernel32.dll.GetACP",
1679 "ole32.dll.CoUninitialize",
1680 "advapi32.dll.LsaOpenPolicy",
1681 "user32.dll.SetWindowsHookExW",
1682 "advapi32.dll.LsaLookupNames2",
1683 "kernel32.dll.UnmapViewOfFile",
1684 "mscoree.dll.ND_RU1",
1685 "user32.dll.GetSystemMetrics",
1686 "user32.dll.GetLastInputInfo",
1687 "kernel32.dll.CreateFileW",
1688 "kernel32.dll.CreateIoCompletionPort",
1689 "kernel32.dll.PostQueuedCompletionStatus",
1690 "ntdll.dll.NtQueryInformationThread",
1691 "ntdll.dll.NtQuerySystemInformation",
1692 "ntdll.dll.NtGetCurrentProcessorNumber",
1693 "kernel32.dll.GetFileType",
1694 "kernel32.dll.GetFileSize",
1695 "kernel32.dll.ReadFile",
1696 "kernel32.dll.GetStartupInfoW",
1697 "kernel32.dll.CreateProcessW",
1698 "advapi32.dll.GetKernelObjectSecurity",
1699 "advapi32.dll.CreateWellKnownSid",
1700 "advapi32.dll.SetKernelObjectSecurity",
1701 "mscoree.dll.ND_RI2",
1702 "ws2_32.dll.WSAStartup",
1703 "kernel32.dll.ReadDirectoryChangesW",
1704 "ws2_32.dll.WSASocketW",
1705 "ws2_32.dll.setsockopt",
1706 "ws2_32.dll.WSAEventSelect",
1707 "ws2_32.dll.ioctlsocket",
1708 "ws2_32.dll.closesocket",
1709 "kernel32.dll.GetComputerNameW",
1710 "advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
1711 "user32.dll.WaitForInputIdle",
1712 "kernel32.dll.CreateFileMappingW",
1713 "kernel32.dll.MapViewOfFile",
1714 "kernel32.dll.VirtualQuery",
1715 "kernel32.dll.SetThreadExecutionState",
1716 "kernel32.dll.WaitForSingleObject",
1717 "kernel32.dll.GetProcessTimes",
1718 "user32.dll.SendMessageW",
1719 "ws2_32.dll.getaddrinfo",
1720 "ws2_32.dll.freeaddrinfo",
1721 "kernel32.dll.CreateEventW",
1722 "kernel32.dll.GetSystemTimeAsFileTime",
1723 "user32.dll.GetDC",
1724 "user32.dll.EnumDisplayMonitors",
1725 "user32.dll.GetMonitorInfoW",
1726 "gdi32.dll.GetDeviceCaps",
1727 "user32.dll.ReleaseDC",
1728 "user32.dll.GetProcessWindowStation",
1729 "user32.dll.GetUserObjectInformationA",
1730 "kernel32.dll.SetConsoleCtrlHandler",
1731 "user32.dll.GetClassInfoW",
1732 "user32.dll.RegisterClassW",
1733 "user32.dll.CreateWindowExW",
1734 "user32.dll.DefWindowProcW",
1735 "kernel32.dll.SetEvent",
1736 "user32.dll.MsgWaitForMultipleObjectsEx",
1737 "kernel32.dll.FindAtomW",
1738 "kernel32.dll.AddAtomW",
1739 "mscoree.dll.LoadLibraryShim",
1740 "gdiplus.dll.GdiplusStartup",
1741 "user32.dll.GetWindowInfo",
1742 "user32.dll.GetAncestor",
1743 "user32.dll.GetMonitorInfoA",
1744 "user32.dll.EnumDisplayDevicesA",
1745 "gdi32.dll.ExtTextOutW",
1746 "gdi32.dll.GdiIsMetaPrintDC",
1747 "gdiplus.dll.GdipCreateBitmapFromScan0",
1748 "gdiplus.dll.GdipGetImagePixelFormat",
1749 "gdiplus.dll.GdipGetImageGraphicsContext",
1750 "kernel32.dll.FormatMessageW",
1751 "gdi32.dll.GetCurrentObject",
1752 "gdiplus.dll.GdipGetDC",
1753 "gdi32.dll.BitBlt",
1754 "gdiplus.dll.GdipReleaseDC",
1755 "mscoree.dll.ND_WI4",
1756 "gdiplus.dll.GdipGetImageEncodersSize",
1757 "gdiplus.dll.GdipGetImageEncoders",
1758 "kernel32.dll.RtlMoveMemory",
1759 "gdiplus.dll.GdipSaveImageToStream",
1760 "windowscodecs.dll.DllGetClassObject",
1761 "kernel32.dll.WerRegisterMemoryBlock",
1762 "oleaut32.dll.#8",
1763 "oleaut32.dll.#9",
1764 "oleaut32.dll.#10",
1765 "kernel32.dll.WriteFile",
1766 "psapi.dll.EnumProcesses",
1767 "kernel32.dll.GetModuleHandleA",
1768 "kernel32.dll.CreateActCtxA",
1769 "kernel32.dll.GetProcessId",
1770 "kernel32.dll.VirtualFree",
1771 "kernel32.dll.VirtualAlloc",
1772 "kernel32.dll.Sleep",
1773 "kernel32.dll.GetLastError",
1774 "kernel32.dll.CreateMutexA",
1775 "kernel32.dll.CreateThread",
1776 "kernel32.dll.HeapReAlloc",
1777 "kernel32.dll.SetThreadContext",
1778 "kernel32.dll.HeapAlloc",
1779 "kernel32.dll.HeapFree",
1780 "kernel32.dll.Thread32First",
1781 "kernel32.dll.HeapCreate",
1782 "kernel32.dll.Thread32Next",
1783 "kernel32.dll.FlushInstructionCache",
1784 "kernel32.dll.OpenThread",
1785 "kernel32.dll.VirtualProtect",
1786 "kernel32.dll.CreateToolhelp32Snapshot",
1787 "kernel32.dll.GetCurrentThreadId",
1788 "kernel32.dll.SuspendThread",
1789 "kernel32.dll.ResumeThread",
1790 "kernel32.dll.GetCommandLineA",
1791 "kernel32.dll.IsDebuggerPresent",
1792 "kernel32.dll.WideCharToMultiByte",
1793 "kernel32.dll.SetLastError",
1794 "kernel32.dll.ExitProcess",
1795 "kernel32.dll.GetModuleHandleExW",
1796 "kernel32.dll.MultiByteToWideChar",
1797 "kernel32.dll.GetProcessHeap",
1798 "kernel32.dll.GetStdHandle",
1799 "kernel32.dll.DeleteCriticalSection",
1800 "kernel32.dll.GetModuleFileNameA",
1801 "kernel32.dll.QueryPerformanceCounter",
1802 "kernel32.dll.GetEnvironmentStringsW",
1803 "kernel32.dll.FreeEnvironmentStringsW",
1804 "kernel32.dll.UnhandledExceptionFilter",
1805 "kernel32.dll.SetUnhandledExceptionFilter",
1806 "kernel32.dll.TerminateProcess",
1807 "kernel32.dll.TlsAlloc",
1808 "kernel32.dll.TlsGetValue",
1809 "kernel32.dll.TlsSetValue",
1810 "kernel32.dll.TlsFree",
1811 "kernel32.dll.GetStringTypeW",
1812 "kernel32.dll.IsValidCodePage",
1813 "kernel32.dll.GetOEMCP",
1814 "kernel32.dll.GetCPInfo",
1815 "kernel32.dll.EnterCriticalSection",
1816 "kernel32.dll.LeaveCriticalSection",
1817 "kernel32.dll.GetModuleFileNameW",
1818 "kernel32.dll.LoadLibraryExW",
1819 "kernel32.dll.RtlUnwind",
1820 "kernel32.dll.LCMapStringW",
1821 "kernel32.dll.OutputDebugStringW",
1822 "kernel32.dll.HeapSize",
1823 "kernel32.dll.FlushFileBuffers",
1824 "kernel32.dll.GetConsoleCP",
1825 "kernel32.dll.GetConsoleMode",
1826 "kernel32.dll.SetStdHandle",
1827 "kernel32.dll.SetFilePointerEx",
1828 "kernel32.dll.WriteConsoleW",
1829 "kernel32.dll.VirtualProtectEx",
1830 "kernel32.dll.CreateRemoteThread",
1831 "user32.dll.EnumWindows",
1832 "user32.dll.GetWindowThreadProcessId",
1833 "user32.dll.FindWindowW",
1834 "user32.dll.IsWindowVisible",
1835 "kernel32.dll.MoveFileExA",
1836 "kernel32.dll.MoveFileW",
1837 "gdiplus.dll.GdipDeleteGraphics",
1838 "gdiplus.dll.GdipDisposeImage",
1839 "kernel32.dll.lstrcpy",
1840 "kernel32.dll.lstrcpyW",
1841 "wintrust.dll.WinVerifyTrust",
1842 "imagehlp.dll.ImageEnumerateCertificates",
1843 "wintrust.dll.WintrustCertificateTrust",
1844 "wintrust.dll.SoftpubAuthenticode",
1845 "wintrust.dll.SoftpubInitialize",
1846 "wintrust.dll.SoftpubLoadMessage",
1847 "wintrust.dll.SoftpubLoadSignature",
1848 "wintrust.dll.SoftpubCheckCert",
1849 "wintrust.dll.SoftpubCleanup",
1850 "cryptsp.dll.CryptAcquireContextA",
1851 "wintrust.dll.CryptSIPPutSignedDataMsg",
1852 "wintrust.dll.CryptSIPGetSignedDataMsg",
1853 "imagehlp.dll.ImageGetCertificateData",
1854 "user32.dll.LoadStringW",
1855 "ncrypt.dll.BCryptOpenAlgorithmProvider",
1856 "bcryptprimitives.dll.GetHashInterface",
1857 "ncrypt.dll.BCryptGetProperty",
1858 "ncrypt.dll.BCryptCreateHash",
1859 "ncrypt.dll.BCryptHashData",
1860 "wintrust.dll.CryptSIPVerifyIndirectData",
1861 "bcrypt.dll.BCryptOpenAlgorithmProvider",
1862 "bcrypt.dll.BCryptGetProperty",
1863 "bcrypt.dll.BCryptCreateHash",
1864 "bcrypt.dll.BCryptHashData",
1865 "bcrypt.dll.BCryptFinishHash",
1866 "bcrypt.dll.BCryptDestroyHash",
1867 "bcrypt.dll.BCryptCloseAlgorithmProvider",
1868 "ncrypt.dll.BCryptDestroyHash",
1869 "crypt32.dll.CryptVerifyTimeStampSignature",
1870 "ncrypt.dll.BCryptFinishHash",
1871 "bcryptprimitives.dll.GetAsymmetricEncryptionInterface",
1872 "ncrypt.dll.BCryptImportKeyPair",
1873 "ncrypt.dll.BCryptVerifySignature",
1874 "ncrypt.dll.BCryptDestroyKey",
1875 "userenv.dll.GetUserProfileDirectoryW",
1876 "sechost.dll.ConvertSidToStringSidW",
1877 "sechost.dll.ConvertStringSidToSidW",
1878 "userenv.dll.RegisterGPNotification",
1879 "gpapi.dll.RegisterGPNotificationInternal",
1880 "sechost.dll.OpenSCManagerW",
1881 "sechost.dll.OpenServiceW",
1882 "sechost.dll.CloseServiceHandle",
1883 "sechost.dll.QueryServiceConfigW",
1884 "cryptsp.dll.CryptVerifySignatureA",
1885 "cryptnet.dll.CertDllVerifyRevocation",
1886 "profapi.dll.#104",
1887 "sensapi.dll.IsNetworkAlive",
1888 "rpcrt4.dll.RpcBindingFromStringBindingW",
1889 "rpcrt4.dll.RpcBindingSetAuthInfoExW",
1890 "rpcrt4.dll.NdrClientCall2",
1891 "winhttp.dll.WinHttpOpen",
1892 "winhttp.dll.WinHttpSetTimeouts",
1893 "winhttp.dll.WinHttpSetOption",
1894 "winhttp.dll.WinHttpCrackUrl",
1895 "shlwapi.dll.StrCmpNW",
1896 "winhttp.dll.WinHttpConnect",
1897 "winhttp.dll.WinHttpOpenRequest",
1898 "winhttp.dll.WinHttpGetDefaultProxyConfiguration",
1899 "winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser",
1900 "winhttp.dll.WinHttpTimeFromSystemTime",
1901 "winhttp.dll.WinHttpSendRequest",
1902 "ws2_32.dll.GetAddrInfoW",
1903 "ws2_32.dll.#2",
1904 "ws2_32.dll.#21",
1905 "ws2_32.dll.#9",
1906 "ws2_32.dll.WSAIoctl",
1907 "ws2_32.dll.FreeAddrInfoW",
1908 "oleaut32.dll.#500",
1909 "ws2_32.dll.#6",
1910 "ws2_32.dll.#5",
1911 "ws2_32.dll.WSARecv",
1912 "ws2_32.dll.WSASend",
1913 "winhttp.dll.WinHttpReceiveResponse",
1914 "winhttp.dll.WinHttpQueryHeaders",
1915 "shlwapi.dll.StrStrIW",
1916 "winhttp.dll.WinHttpQueryDataAvailable",
1917 "winhttp.dll.WinHttpReadData",
1918 "winhttp.dll.WinHttpCloseHandle",
1919 "rpcrt4.dll.RpcBindingFree",
1920 "cryptnet.dll.I_CryptNetGetConnectivity",
1921 "cryptnet.dll.CryptRetrieveObjectByUrlW",
1922 "setupapi.dll.SetupIterateCabinetW",
1923 "kernel32.dll.RegOpenKeyExW",
1924 "kernel32.dll.RegCloseKey",
1925 "cabinet.dll.#20",
1926 "cabinet.dll.#22",
1927 "devrtl.dll.DevRtlGetThreadLogToken",
1928 "cabinet.dll.#23",
1929 "cryptsp.dll.CryptSetHashParam",
1930 "sechost.dll.QueryServiceConfigA",
1931 "sechost.dll.QueryServiceStatus",
1932 "rpcrt4.dll.RpcStringBindingComposeA",
1933 "rpcrt4.dll.RpcBindingFromStringBindingA",
1934 "rpcrt4.dll.RpcEpResolveBinding",
1935 "rpcrt4.dll.RpcStringFreeA",
1936 "advapi32.dll.SaferiSearchMatchingHashRules",
1937 "advapi32.dll.RegDeleteValueW",
1938 "kernel32.dll.SetFileAttributesW",
1939 "kernel32.dll.GetExitCodeThread",
1940 "kernel32.dll.VirtualFreeEx",
1941 "ws2_32.dll.#22",
1942 "ws2_32.dll.#3",
1943 "ws2_32.dll.#116",
1944 "version.dll.GetFileVersionInfoSizeW",
1945 "version.dll.GetFileVersionInfoW",
1946 "version.dll.VerQueryValueW",
1947 "kernel32.dll.SortGetHandle",
1948 "kernel32.dll.SortCloseHandle",
1949 "sspicli.dll.GetUserNameExW",
1950 "xmllite.dll.CreateXmlWriter",
1951 "xmllite.dll.CreateXmlWriterOutputWithEncodingName",
1952 "rasapi32.dll.RasEnumConnectionsW",
1953 "rasapi32.dll.RasConnectionNotificationW",
1954 "advapi32.dll.WmiMofEnumerateResourcesW",
1955 "advapi32.dll.WmiFreeBuffer",
1956 "advapi32.dll.WmiCloseBlock",
1957 "propsys.dll.PropVariantToVariant",
1958 "ole32.dll.CoDisconnectObject",
1959 "wbemcore.dll.Shutdown",
1960 "advapi32.dll.RegDeleteKeyExW",
1961 "kernel32.dll.RegDeleteValueW",
1962 "advapi32.dll.EventUnregister",
1963 "kernel32.dll.GetThreadPreferredUILanguages",
1964 "kernel32.dll.SetThreadPreferredUILanguages",
1965 "kernel32.dll.LocaleNameToLCID",
1966 "kernel32.dll.GetLocaleInfoEx",
1967 "kernel32.dll.LCIDToLocaleName",
1968 "kernel32.dll.GetSystemDefaultLocaleName",
1969 "fastprox.dll.DllGetClassObject",
1970 "fastprox.dll.DllCanUnloadNow",
1971 "oleaut32.dll.#283",
1972 "oleaut32.dll.#284",
1973 "kernel32.dll.InitializeCriticalSectionEx",
1974 "kernel32.dll.CreateEventExW",
1975 "kernel32.dll.CreateSemaphoreExW",
1976 "kernel32.dll.CreateThreadpoolTimer",
1977 "kernel32.dll.SetThreadpoolTimer",
1978 "kernel32.dll.WaitForThreadpoolTimerCallbacks",
1979 "kernel32.dll.CloseThreadpoolTimer",
1980 "kernel32.dll.CreateThreadpoolWait",
1981 "kernel32.dll.SetThreadpoolWait",
1982 "kernel32.dll.CloseThreadpoolWait",
1983 "kernel32.dll.FreeLibraryWhenCallbackReturns",
1984 "kernel32.dll.GetCurrentProcessorNumber",
1985 "kernel32.dll.GetLogicalProcessorInformation",
1986 "kernel32.dll.CreateSymbolicLinkW",
1987 "kernel32.dll.EnumSystemLocalesEx",
1988 "kernel32.dll.CompareStringEx",
1989 "kernel32.dll.GetDateFormatEx",
1990 "kernel32.dll.GetTimeFormatEx",
1991 "kernel32.dll.GetUserDefaultLocaleName",
1992 "kernel32.dll.IsValidLocaleName",
1993 "kernel32.dll.LCMapStringEx",
1994 "kernel32.dll.GetTickCount64",
1995 "rpcrt4.dll.I_RpcSNCHOption",
1996 "vssapi.dll.CreateWriter",
1997 "oleaut32.dll.#6",
1998 "oleaut32.dll.#2",
1999 "advapi32.dll.LookupAccountNameW",
2000 "samcli.dll.NetLocalGroupGetMembers",
2001 "samlib.dll.SamConnect",
2002 "rpcrt4.dll.NdrClientCall3",
2003 "rpcrt4.dll.RpcStringBindingComposeW",
2004 "rpcrt4.dll.RpcStringFreeW",
2005 "samlib.dll.SamOpenDomain",
2006 "samlib.dll.SamLookupNamesInDomain",
2007 "samlib.dll.SamOpenAlias",
2008 "samlib.dll.SamFreeMemory",
2009 "samlib.dll.SamCloseHandle",
2010 "samlib.dll.SamGetMembersInAlias",
2011 "netutils.dll.NetApiBufferFree",
2012 "ole32.dll.CoCreateGuid",
2013 "ole32.dll.StringFromCLSID",
2014 "oleaut32.dll.#4",
2015 "oleaut32.dll.#7",
2016 "propsys.dll.VariantToPropVariant",
2017 "wbemcore.dll.Reinitialize",
2018 "wbemsvc.dll.DllGetClassObject",
2019 "wbemsvc.dll.DllCanUnloadNow",
2020 "authz.dll.AuthzInitializeContextFromToken",
2021 "authz.dll.AuthzInitializeObjectAccessAuditEvent2",
2022 "authz.dll.AuthzAccessCheck",
2023 "authz.dll.AuthzFreeAuditEvent",
2024 "authz.dll.AuthzFreeContext",
2025 "authz.dll.AuthzInitializeResourceManager",
2026 "authz.dll.AuthzFreeResourceManager",
2027 "rpcrt4.dll.RpcBindingCreateW",
2028 "rpcrt4.dll.RpcBindingBind",
2029 "rpcrt4.dll.I_RpcMapWin32Status",
2030 "advapi32.dll.EventRegister",
2031 "advapi32.dll.EventWrite",
2032 "kernel32.dll.RegSetValueExW",
2033 "kernel32.dll.RegQueryValueExW",
2034 "wmisvc.dll.IsImproperShutdownDetected",
2035 "wevtapi.dll.EvtRender",
2036 "wevtapi.dll.EvtNext",
2037 "wevtapi.dll.EvtClose",
2038 "wevtapi.dll.EvtQuery",
2039 "wevtapi.dll.EvtCreateRenderContext",
2040 "rpcrt4.dll.RpcBindingSetOption",
2041 "ole32.dll.CoCreateFreeThreadedMarshaler",
2042 "ole32.dll.CreateStreamOnHGlobal",
2043 "advapi32.dll.RegCreateKeyExW",
2044 "kernelbase.dll.InitializeAcl",
2045 "kernelbase.dll.AddAce",
2046 "sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW",
2047 "kernel32.dll.IsThreadAFiber",
2048 "kernel32.dll.OpenProcessToken",
2049 "kernelbase.dll.GetTokenInformation",
2050 "kernelbase.dll.DuplicateTokenEx",
2051 "kernelbase.dll.AdjustTokenPrivileges",
2052 "kernelbase.dll.AllocateAndInitializeSid",
2053 "kernelbase.dll.CheckTokenMembership",
2054 "oleaut32.dll.#285",
2055 "advapi32.dll.RegOpenKeyW",
2056 "kernel32.dll.SetThreadToken",
2057 "ole32.dll.CLSIDFromString",
2058 "oleaut32.dll.#17",
2059 "oleaut32.dll.#20",
2060 "oleaut32.dll.#19",
2061 "oleaut32.dll.#25",
2062 "oleaut32.dll.#286",
2063 "authz.dll.AuthzInitializeContextFromSid",
2064 "ole32.dll.CoGetCallContext",
2065 "ole32.dll.CoImpersonateClient",
2066 "advapi32.dll.OpenThreadToken",
2067 "ole32.dll.CoRevertToSelf",
2068 "ole32.dll.CoSwitchCallContext",
2069 "advapi32.dll.CryptAcquireContextW",
2070 "shlwapi.dll.PathIsDirectoryW",
2071 "advapi32.dll.RegNotifyChangeKeyValue",
2072 "ole32.dll.CLSIDFromOle1Class",
2073 "clbcatq.dll.GetCatalogObject",
2074 "clbcatq.dll.GetCatalogObject2",
2075 "tschannel.dll.DllGetClassObject",
2076 "tschannel.dll.DllCanUnloadNow",
2077 "shlwapi.dll.PathIsPrefixW",
2078 "xmllite.dll.CreateXmlReader",
2079 "dwmapi.dll.DwmIsCompositionEnabled"
2080]
2081
2082[*] Static Analysis: {
2083 "dotnet": {
2084 "customattrs": null,
2085 "assemblyinfo": {
2086 "version": "1.0.0.0",
2087 "name": "Documents0"
2088 },
2089 "assemblyrefs": [
2090 {
2091 "version": "2.0.0.0",
2092 "name": "mscorlib"
2093 },
2094 {
2095 "version": "8.0.0.0",
2096 "name": "Microsoft.VisualBasic"
2097 },
2098 {
2099 "version": "2.0.0.0",
2100 "name": "System"
2101 },
2102 {
2103 "version": "2.0.0.0",
2104 "name": "System.Drawing"
2105 }
2106 ],
2107 "typerefs": [
2108 {
2109 "typename": "Microsoft.VisualBasic.ApplicationServices.ApplicationBase",
2110 "assembly": "Microsoft.VisualBasic"
2111 },
2112 {
2113 "typename": "Microsoft.VisualBasic.ApplicationServices.User",
2114 "assembly": "Microsoft.VisualBasic"
2115 },
2116 {
2117 "typename": "Microsoft.VisualBasic.CompilerServices.Conversions",
2118 "assembly": "Microsoft.VisualBasic"
2119 },
2120 {
2121 "typename": "Microsoft.VisualBasic.CompilerServices.NewLateBinding",
2122 "assembly": "Microsoft.VisualBasic"
2123 },
2124 {
2125 "typename": "Microsoft.VisualBasic.CompilerServices.Operators",
2126 "assembly": "Microsoft.VisualBasic"
2127 },
2128 {
2129 "typename": "Microsoft.VisualBasic.CompilerServices.ProjectData",
2130 "assembly": "Microsoft.VisualBasic"
2131 },
2132 {
2133 "typename": "Microsoft.VisualBasic.CompilerServices.StandardModuleAttribute",
2134 "assembly": "Microsoft.VisualBasic"
2135 },
2136 {
2137 "typename": "Microsoft.VisualBasic.Devices.Computer",
2138 "assembly": "Microsoft.VisualBasic"
2139 },
2140 {
2141 "typename": "Microsoft.VisualBasic.HideModuleNameAttribute",
2142 "assembly": "Microsoft.VisualBasic"
2143 },
2144 {
2145 "typename": "Microsoft.VisualBasic.MyGroupCollectionAttribute",
2146 "assembly": "Microsoft.VisualBasic"
2147 },
2148 {
2149 "typename": "Microsoft.VisualBasic.VBMath",
2150 "assembly": "Microsoft.VisualBasic"
2151 },
2152 {
2153 "typename": "System.CodeDom.Compiler.GeneratedCodeAttribute",
2154 "assembly": "System"
2155 },
2156 {
2157 "typename": "System.ComponentModel.Design.HelpKeywordAttribute",
2158 "assembly": "System"
2159 },
2160 {
2161 "typename": "System.ComponentModel.EditorBrowsableAttribute",
2162 "assembly": "System"
2163 },
2164 {
2165 "typename": "System.ComponentModel.EditorBrowsableState",
2166 "assembly": "System"
2167 },
2168 {
2169 "typename": "System.Drawing.Bitmap",
2170 "assembly": "System.Drawing"
2171 },
2172 {
2173 "typename": "System.Drawing.Color",
2174 "assembly": "System.Drawing"
2175 },
2176 {
2177 "typename": "System.Drawing.Graphics",
2178 "assembly": "System.Drawing"
2179 },
2180 {
2181 "typename": "System.Drawing.Image",
2182 "assembly": "System.Drawing"
2183 },
2184 {
2185 "typename": "System.Activator",
2186 "assembly": "mscorlib"
2187 },
2188 {
2189 "typename": "System.Array",
2190 "assembly": "mscorlib"
2191 },
2192 {
2193 "typename": "System.Boolean",
2194 "assembly": "mscorlib"
2195 },
2196 {
2197 "typename": "System.Byte",
2198 "assembly": "mscorlib"
2199 },
2200 {
2201 "typename": "System.Collections.Generic.List`1",
2202 "assembly": "mscorlib"
2203 },
2204 {
2205 "typename": "System.Diagnostics.DebuggerHiddenAttribute",
2206 "assembly": "mscorlib"
2207 },
2208 {
2209 "typename": "System.Enum",
2210 "assembly": "mscorlib"
2211 },
2212 {
2213 "typename": "System.Exception",
2214 "assembly": "mscorlib"
2215 },
2216 {
2217 "typename": "System.FlagsAttribute",
2218 "assembly": "mscorlib"
2219 },
2220 {
2221 "typename": "System.Int32",
2222 "assembly": "mscorlib"
2223 },
2224 {
2225 "typename": "System.Math",
2226 "assembly": "mscorlib"
2227 },
2228 {
2229 "typename": "System.Object",
2230 "assembly": "mscorlib"
2231 },
2232 {
2233 "typename": "System.Reflection.Assembly",
2234 "assembly": "mscorlib"
2235 },
2236 {
2237 "typename": "System.Reflection.AssemblyCompanyAttribute",
2238 "assembly": "mscorlib"
2239 },
2240 {
2241 "typename": "System.Reflection.AssemblyCopyrightAttribute",
2242 "assembly": "mscorlib"
2243 },
2244 {
2245 "typename": "System.Reflection.AssemblyDescriptionAttribute",
2246 "assembly": "mscorlib"
2247 },
2248 {
2249 "typename": "System.Reflection.AssemblyFileVersionAttribute",
2250 "assembly": "mscorlib"
2251 },
2252 {
2253 "typename": "System.Reflection.AssemblyProductAttribute",
2254 "assembly": "mscorlib"
2255 },
2256 {
2257 "typename": "System.Reflection.AssemblyTitleAttribute",
2258 "assembly": "mscorlib"
2259 },
2260 {
2261 "typename": "System.Reflection.AssemblyTrademarkAttribute",
2262 "assembly": "mscorlib"
2263 },
2264 {
2265 "typename": "System.Reflection.MethodInfo",
2266 "assembly": "mscorlib"
2267 },
2268 {
2269 "typename": "System.Resources.ResourceManager",
2270 "assembly": "mscorlib"
2271 },
2272 {
2273 "typename": "System.Runtime.CompilerServices.CompilationRelaxationsAttribute",
2274 "assembly": "mscorlib"
2275 },
2276 {
2277 "typename": "System.Runtime.CompilerServices.CompilerGeneratedAttribute",
2278 "assembly": "mscorlib"
2279 },
2280 {
2281 "typename": "System.Runtime.CompilerServices.RuntimeCompatibilityAttribute",
2282 "assembly": "mscorlib"
2283 },
2284 {
2285 "typename": "System.Runtime.CompilerServices.RuntimeHelpers",
2286 "assembly": "mscorlib"
2287 },
2288 {
2289 "typename": "System.Runtime.InteropServices.ComVisibleAttribute",
2290 "assembly": "mscorlib"
2291 },
2292 {
2293 "typename": "System.Runtime.InteropServices.LayoutKind",
2294 "assembly": "mscorlib"
2295 },
2296 {
2297 "typename": "System.Runtime.InteropServices.StructLayoutAttribute",
2298 "assembly": "mscorlib"
2299 },
2300 {
2301 "typename": "System.RuntimeTypeHandle",
2302 "assembly": "mscorlib"
2303 },
2304 {
2305 "typename": "System.STAThreadAttribute",
2306 "assembly": "mscorlib"
2307 },
2308 {
2309 "typename": "System.Security.Cryptography.CipherMode",
2310 "assembly": "mscorlib"
2311 },
2312 {
2313 "typename": "System.Security.Cryptography.HashAlgorithm",
2314 "assembly": "mscorlib"
2315 },
2316 {
2317 "typename": "System.Security.Cryptography.ICryptoTransform",
2318 "assembly": "mscorlib"
2319 },
2320 {
2321 "typename": "System.Security.Cryptography.MD5CryptoServiceProvider",
2322 "assembly": "mscorlib"
2323 },
2324 {
2325 "typename": "System.Security.Cryptography.RC2CryptoServiceProvider",
2326 "assembly": "mscorlib"
2327 },
2328 {
2329 "typename": "System.Security.Cryptography.SymmetricAlgorithm",
2330 "assembly": "mscorlib"
2331 },
2332 {
2333 "typename": "System.String",
2334 "assembly": "mscorlib"
2335 },
2336 {
2337 "typename": "System.Text.Encoding",
2338 "assembly": "mscorlib"
2339 },
2340 {
2341 "typename": "System.Text.StringBuilder",
2342 "assembly": "mscorlib"
2343 },
2344 {
2345 "typename": "System.ThreadStaticAttribute",
2346 "assembly": "mscorlib"
2347 },
2348 {
2349 "typename": "System.Type",
2350 "assembly": "mscorlib"
2351 },
2352 {
2353 "typename": "System.ValueType",
2354 "assembly": "mscorlib"
2355 }
2356 ]
2357 },
2358 "pe": {
2359 "peid_signatures": null,
2360 "imports": [
2361 {
2362 "imports": [
2363 {
2364 "name": "_CorExeMain",
2365 "address": "0x402000"
2366 }
2367 ],
2368 "dll": "mscoree.dll"
2369 }
2370 ],
2371 "digital_signers": null,
2372 "exported_dll_name": null,
2373 "actual_checksum": "0x000fe7ad",
2374 "overlay": null,
2375 "imagebase": "0x00400000",
2376 "reported_checksum": "0x00000000",
2377 "icon_hash": null,
2378 "entrypoint": "0x004f8a8e",
2379 "timestamp": "2017-02-24 22:18:03",
2380 "osversion": "4.0",
2381 "sections": [
2382 {
2383 "name": ".text",
2384 "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
2385 "virtual_address": "0x00002000",
2386 "size_of_data": "0x000f7000",
2387 "entropy": "7.75",
2388 "raw_address": "0x00001000",
2389 "virtual_size": "0x000f6a94",
2390 "characteristics_raw": "0x60000020"
2391 },
2392 {
2393 "name": ".rsrc",
2394 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
2395 "virtual_address": "0x000fa000",
2396 "size_of_data": "0x00001000",
2397 "entropy": "0.70",
2398 "raw_address": "0x000f8000",
2399 "virtual_size": "0x000002b0",
2400 "characteristics_raw": "0x40000040"
2401 },
2402 {
2403 "name": ".reloc",
2404 "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
2405 "virtual_address": "0x000fc000",
2406 "size_of_data": "0x00001000",
2407 "entropy": "0.02",
2408 "raw_address": "0x000f9000",
2409 "virtual_size": "0x0000000c",
2410 "characteristics_raw": "0x42000040"
2411 }
2412 ],
2413 "resources": [],
2414 "dirents": [
2415 {
2416 "virtual_address": "0x00000000",
2417 "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
2418 "size": "0x00000000"
2419 },
2420 {
2421 "virtual_address": "0x000f8a34",
2422 "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
2423 "size": "0x00000057"
2424 },
2425 {
2426 "virtual_address": "0x000fa000",
2427 "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
2428 "size": "0x000002b0"
2429 },
2430 {
2431 "virtual_address": "0x00000000",
2432 "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
2433 "size": "0x00000000"
2434 },
2435 {
2436 "virtual_address": "0x00000000",
2437 "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
2438 "size": "0x00000000"
2439 },
2440 {
2441 "virtual_address": "0x000fc000",
2442 "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
2443 "size": "0x0000000c"
2444 },
2445 {
2446 "virtual_address": "0x00000000",
2447 "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
2448 "size": "0x00000000"
2449 },
2450 {
2451 "virtual_address": "0x00000000",
2452 "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
2453 "size": "0x00000000"
2454 },
2455 {
2456 "virtual_address": "0x00000000",
2457 "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
2458 "size": "0x00000000"
2459 },
2460 {
2461 "virtual_address": "0x00000000",
2462 "name": "IMAGE_DIRECTORY_ENTRY_TLS",
2463 "size": "0x00000000"
2464 },
2465 {
2466 "virtual_address": "0x00000000",
2467 "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
2468 "size": "0x00000000"
2469 },
2470 {
2471 "virtual_address": "0x00000000",
2472 "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
2473 "size": "0x00000000"
2474 },
2475 {
2476 "virtual_address": "0x00002000",
2477 "name": "IMAGE_DIRECTORY_ENTRY_IAT",
2478 "size": "0x00000008"
2479 },
2480 {
2481 "virtual_address": "0x00000000",
2482 "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
2483 "size": "0x00000000"
2484 },
2485 {
2486 "virtual_address": "0x00002008",
2487 "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
2488 "size": "0x00000048"
2489 },
2490 {
2491 "virtual_address": "0x00000000",
2492 "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
2493 "size": "0x00000000"
2494 }
2495 ],
2496 "exports": [],
2497 "guest_signers": {},
2498 "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
2499 "icon_fuzzy": null,
2500 "icon": null,
2501 "pdbpath": null,
2502 "imported_dll_count": 1,
2503 "versioninfo": []
2504 }
2505}