Static | ZeroBOX

PE Compile Time

2020-08-29 15:54:20

PE Imphash

51a1d638436da72d7fa5fb524e02d427

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00012eab    0x00013000        6.49494739154
.rdata  0x00014000       0x000049ce    0x00004a00        5.28154165346
.data   0x00019000       0x001350d8    0x00000600        4.99296329391
.rsrc   0x0014f000       0x00044d40    0x00044e00        5.70847117237
.reloc  0x00194000       0x00000fa8    0x00001000        6.69065323226
.bss    0x00195000       0x00001000    0x00000200        3.74792101096

Resources

Name           Offset      Size        Language      Sub-language          File type
WM_DSP         0x0014f104  0x00002c00  LANG_ENGLISH  SUBLANG_ARABIC_QATAR  PE32 executable (GUI) Intel 80386, for MS Windows
RT_ICON        0x00151d04  0x00042028  LANG_NEUTRAL  SUBLANG_NEUTRAL       data
RT_GROUP_ICON  0x00193d2c  0x00000014  LANG_NEUTRAL  SUBLANG_NEUTRAL       data

Imports

Library bcrypt.dll:
0x414330 BCryptSetProperty
0x41433c BCryptDecrypt
Library KERNEL32.dll:
0x41408c HeapFree
0x414090 VirtualAlloc
0x414094 HeapReAlloc
0x414098 VirtualQuery
0x41409c TerminateThread
0x4140a0 CreateThread
0x4140a4 WriteProcessMemory
0x4140a8 GetCurrentProcess
0x4140ac OpenProcess
0x4140b4 VirtualProtectEx
0x4140b8 VirtualAllocEx
0x4140bc CreateRemoteThread
0x4140c0 CreateProcessA
0x4140c4 GetModuleHandleW
0x4140c8 IsWow64Process
0x4140cc WriteFile
0x4140d0 CreateFileW
0x4140d4 LoadLibraryW
0x4140d8 GetLocalTime
0x4140dc GetCurrentThreadId
0x4140e0 GetCurrentProcessId
0x4140e4 ReadFile
0x4140e8 FindFirstFileA
0x4140ec GetBinaryTypeW
0x4140f0 FindNextFileA
0x4140f4 GetFullPathNameA
0x4140f8 GetTempPathW
0x414100 CreateFileA
0x414104 GlobalAlloc
0x414110 GetFileSize
0x414114 FreeLibrary
0x414118 SetDllDirectoryW
0x41411c GetFileSizeEx
0x414120 LoadLibraryA
0x414124 LocalFree
0x414128 WaitForSingleObject
0x414130 CreatePipe
0x414134 PeekNamedPipe
0x414138 DuplicateHandle
0x41413c SetEvent
0x414140 GetStartupInfoA
0x414144 CreateEventA
0x414148 GetModuleFileNameW
0x41414c LoadResource
0x414150 FindResourceW
0x414154 GetComputerNameW
0x41415c LoadLibraryExW
0x414160 FindFirstFileW
0x414164 FindNextFileW
0x414168 SetFilePointer
0x414170 DeleteFileW
0x414174 CopyFileW
0x414178 GetDriveTypeW
0x41418c GetProcessHeap
0x414190 ReleaseMutex
0x414194 TerminateProcess
0x41419c Process32NextW
0x4141a0 Process32FirstW
0x4141a4 SizeofResource
0x4141a8 VirtualProtect
0x4141ac GetSystemDirectoryW
0x4141b0 LockResource
0x4141b8 Process32First
0x4141bc Process32Next
0x4141c0 WinExec
0x4141c4 GetTempPathA
0x4141c8 HeapAlloc
0x4141cc lstrcmpW
0x4141d0 GetTickCount
0x4141d4 lstrcpyW
0x4141d8 WideCharToMultiByte
0x4141dc lstrcpyA
0x4141e0 Sleep
0x4141e4 MultiByteToWideChar
0x4141e8 GetCommandLineA
0x4141ec GetModuleHandleA
0x4141f0 ExitProcess
0x4141f4 CreateProcessW
0x4141f8 lstrcatA
0x4141fc lstrcmpA
0x414200 lstrlenA
0x414208 lstrlenW
0x41420c CloseHandle
0x414210 lstrcatW
0x414214 GetLastError
0x414218 VirtualFree
0x41421c GetProcAddress
0x414220 SetLastError
0x414224 GetModuleFileNameA
0x414228 CreateDirectoryW
0x41422c LocalAlloc
0x414230 CreateMutexA
Library USER32.dll:
0x414298 GetKeyState
0x41429c GetMessageA
0x4142a0 DispatchMessageA
0x4142a4 CreateWindowExW
0x4142a8 CallNextHookEx
0x4142ac GetAsyncKeyState
0x4142b0 RegisterClassW
0x4142b4 GetRawInputData
0x4142b8 MapVirtualKeyA
0x4142bc DefWindowProcA
0x4142c4 TranslateMessage
0x4142c8 GetForegroundWindow
0x4142cc GetKeyNameTextW
0x4142d0 PostQuitMessage
0x4142d4 MessageBoxA
0x4142d8 GetLastInputInfo
0x4142dc wsprintfW
0x4142e0 GetWindowTextW
0x4142e4 wsprintfA
0x4142e8 ToUnicode
Library ADVAPI32.dll:
0x414000 RegDeleteKeyW
0x414004 RegCreateKeyExW
0x414008 RegSetValueExA
0x41400c RegDeleteValueW
0x41401c OpenProcessToken
0x414024 RegDeleteKeyA
0x41402c RegOpenKeyExW
0x414030 RegOpenKeyExA
0x414034 RegEnumKeyExW
0x414038 RegQueryValueExA
0x41403c RegQueryInfoKeyW
0x414040 RegCloseKey
0x414044 OpenServiceW
0x41404c QueryServiceConfigW
0x414054 StartServiceW
0x414058 RegSetValueExW
0x41405c RegCreateKeyExA
0x414060 OpenSCManagerW
0x414064 CloseServiceHandle
0x414068 GetTokenInformation
0x41406c LookupAccountSidW
0x414070 FreeSid
0x414074 RegQueryValueExW
Library SHELL32.dll:
0x414254 ShellExecuteExA
0x414258 ShellExecuteExW
0x41425c None
0x414268 ShellExecuteW
0x41426c SHGetFolderPathW
Library urlmon.dll:
0x41435c URLDownloadToFileW
Library WS2_32.dll:
0x4142f0 htons
0x4142f4 recv
0x4142f8 connect
0x4142fc socket
0x414300 send
0x414304 WSAStartup
0x414308 shutdown
0x41430c closesocket
0x414310 WSACleanup
0x414314 InetNtopW
0x414318 gethostbyname
0x41431c inet_addr
0x414320 getaddrinfo
0x414324 setsockopt
0x414328 freeaddrinfo
Library ole32.dll:
0x414348 CoCreateInstance
0x41434c CoInitialize
0x414350 CoUninitialize
0x414354 CoTaskMemFree
Library SHLWAPI.dll:
0x414278 StrStrW
0x41427c PathRemoveFileSpecA
0x414280 StrStrA
0x414284 PathCombineA
0x414288 PathFindFileNameW
0x41428c PathFileExistsW
0x414290 PathFindExtensionW
Library NETAPI32.dll:
0x41423c NetUserAdd
Library OLEAUT32.dll:
0x414244 VariantInit
Library CRYPT32.dll:
0x41407c CryptUnprotectData
Library PSAPI.DLL:

Strings

127.0.0.2
abcdefghijklmnopqrstuvwxyzABCDEFGHIJK...
warzone160
USER32.DLL
MessageBoxA
Assert
An assertion condition failed
PureCall
A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application
XXXXXX
\System32\cmd.exe
LdrGetProcedureAddress
RtlNtStatusToDosError
RtlSetLastWin32Error
NtAllocateVirtualMemory
NtProtectVirtualMemory
NtWriteVirtualMemory
LdrLoadDll
RtlCreateUserThread
GetRawInputData
ToUnicode
MapVirtualKeyA
c:\windows\system32\user32.dll
SetWindowsHookExA
select signon_realm, origin_url, username_value, password_value from wow_logins
select signon_realm, origin_url, username_value, password_value from logins
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSSBase64_DecodeBuffer
PK11_CheckUserPassword
NSS_Shutdown
PK11_FreeSlot
PR_GetError
vaultcli.dll
VaultOpenVault
VaultCloseVault
VaultEnumerateItems
VaultGetItem
VaultFree
encryptedUsername
hostname
encryptedPassword
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_column_text
sqlite3_step
sqlite3_exec
sqlite3_open_v2
sqlite3_column_blob
sqlite3_column_type
sqlite3_column_bytes
sqlite3_close_v2
sqlite3_finalize
Storage
Accounts\Account.rec0
software\Aerofox\FoxmailPreview
Executable
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection
ntdll.dll
RtlGetVersion
K.$RtlCreateUnicodeStringFromAsciiz
RtlInitAnsiString
IsWow64Process
kernel32
VirtualQuery
cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
Software\Classes\Folder\shell\open\command
DelegateExecute
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
explorer.exe
powershell Add-MpPreference -ExclusionPath
find.exe
find.db
-w %ws -d C -f %s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server
MaxConnectionsPerServer
BQAaR$43!QAFff
?lst@@YAXHJ@Z
.text$di
.text$mn
.text$yd
.idata$5
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.CRT$XCA
.CRT$XCU
.CRT$XCZ
.rsrc$01
.rsrc$02
BCryptDecrypt
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptGenerateSymmetricKey
bcrypt.dll
CreateDirectoryW
GetModuleFileNameA
SetLastError
VirtualFree
GetLastError
lstrcatW
CloseHandle
lstrlenW
ExpandEnvironmentStringsW
lstrlenA
lstrcmpA
lstrcatA
MultiByteToWideChar
lstrcpyA
WideCharToMultiByte
lstrcpyW
GetTickCount
lstrcmpW
HeapAlloc
GetProcessHeap
LoadLibraryA
GetProcAddress
ExitProcess
GetModuleHandleA
GetCommandLineA
GetStartupInfoA
HeapFree
VirtualAlloc
HeapReAlloc
VirtualQuery
TerminateThread
CreateThread
WriteProcessMemory
GetCurrentProcess
OpenProcess
GetWindowsDirectoryA
VirtualProtectEx
VirtualAllocEx
CreateRemoteThread
CreateProcessA
GetModuleHandleW
IsWow64Process
WriteFile
CreateFileW
LoadLibraryW
GetLocalTime
GetCurrentThreadId
GetCurrentProcessId
ReadFile
FindFirstFileA
GetBinaryTypeW
FindNextFileA
GetFullPathNameA
GetTempPathW
GetPrivateProfileStringW
CreateFileA
GlobalAlloc
GetCurrentDirectoryW
SetCurrentDirectoryW
GetFileSize
FreeLibrary
SetDllDirectoryW
GetFileSizeEx
LocalAlloc
LocalFree
WaitForSingleObject
WaitForMultipleObjects
CreatePipe
PeekNamedPipe
DuplicateHandle
SetEvent
CreateProcessW
CreateEventA
GetModuleFileNameW
LoadResource
FindResourceW
GetComputerNameW
GlobalMemoryStatusEx
LoadLibraryExW
FindFirstFileW
FindNextFileW
SetFilePointer
GetLogicalDriveStringsW
DeleteFileW
CopyFileW
GetDriveTypeW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
CreateMutexA
ReleaseMutex
TerminateProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
SizeofResource
VirtualProtect
GetSystemDirectoryW
LockResource
GetWindowsDirectoryW
Process32First
Process32Next
WinExec
GetTempPathA
KERNEL32.dll
wsprintfW
wsprintfA
GetWindowTextW
GetForegroundWindow
GetLastInputInfo
MessageBoxA
PostQuitMessage
GetKeyNameTextW
ToUnicode
TranslateMessage
RegisterRawInputDevices
DefWindowProcA
MapVirtualKeyA
GetRawInputData
RegisterClassW
GetAsyncKeyState
CallNextHookEx
CreateWindowExW
DispatchMessageA
GetMessageA
GetKeyState
USER32.dll
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyExA
RegEnumKeyExW
RegQueryValueExA
RegQueryInfoKeyW
RegCloseKey
OpenServiceW
ChangeServiceConfigW
QueryServiceConfigW
EnumServicesStatusExW
StartServiceW
RegSetValueExW
RegCreateKeyExA
OpenSCManagerW
CloseServiceHandle
GetTokenInformation
LookupAccountSidW
FreeSid
OpenProcessToken
AllocateAndInitializeSid
AdjustTokenPrivileges
LookupPrivilegeValueW
RegDeleteValueW
RegSetValueExA
RegCreateKeyExW
RegDeleteKeyW
InitializeSecurityDescriptor
RegDeleteKeyA
SetSecurityDescriptorDacl
ADVAPI32.dll
ShellExecuteW
SHGetFolderPathW
SHCreateDirectoryExW
SHGetSpecialFolderPathW
SHGetKnownFolderPath
ShellExecuteExW
ShellExecuteExA
SHELL32.dll
URLDownloadToFileW
urlmon.dll
getaddrinfo
freeaddrinfo
InetNtopW
WS2_32.dll
CoInitialize
CoCreateInstance
CoInitializeSecurity
CoUninitialize
CoTaskMemFree
ole32.dll
PathFindExtensionW
PathFindFileNameW
PathCombineA
StrStrA
PathRemoveFileSpecA
StrStrW
PathFileExistsW
SHLWAPI.dll
NetLocalGroupAddMembers
NetUserAdd
NETAPI32.dll
OLEAUT32.dll
CryptStringToBinaryA
CryptUnprotectData
CryptStringToBinaryW
CRYPT32.dll
GetModuleFileNameExW
PSAPI.DLL
RtlGetCurrentPeb
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlInitUnicodeString
RtlFillMemory
NtAllocateVirtualMemory
LdrEnumerateLoadedModules
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing>
<package action="install">
<assemblyIdentity name="Package_1_for_KB929761" version="6.0.1.1" language="neutral" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"/>
<source location="%configsetroot%\Windows6.0-KB929761-x86.CAB" />
</package>
</servicing>
</unattend>
.text$mn
.idata$5
.00cfg
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
SizeofResource
WriteFile
GetModuleFileNameW
GetTempPathW
WaitForSingleObject
CreateFileW
GetSystemDirectoryW
lstrcatW
LockResource
CloseHandle
LoadLibraryW
LoadResource
FindResourceW
GetWindowsDirectoryW
GetProcAddress
ExitProcess
KERNEL32.dll
MessageBoxW
USER32.dll
SHCreateItemFromParsingName
ShellExecuteExW
SHELL32.dll
CoInitialize
CoUninitialize
CoCreateInstance
CoGetObject
ole32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
.text$mn
.idata$5
.00cfg
.rdata
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
GetStartupInfoW
ExpandEnvironmentStringsW
TerminateProcess
OpenProcess
CreateToolhelp32Snapshot
Process32NextW
Process32FirstW
CloseHandle
ExitProcess
CreateProcessW
lstrcmpW
KERNEL32.dll
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
PathFindFileNameW
SHLWAPI.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
IsProcessorFeaturePresent
\Microsoft Vision\
ntdll.dll
dUser32.dll
ExplorerIdentifier
%02d-%02d-%02d_%02d.%02d.%02d
Unknow
{Unknown}
[ENTER]
[BKSP]
[CTRL]
[CAPS]
[INSERT]
\Google\Chrome\User Data\Local State
\Google\Chrome\User Data\Default\Login Data
\Epic Privacy Browser\User Data\Local State
\Epic Privacy Browser\User Data\Default\Login Data
\Microsoft\Edge\User Data\Local State
\Microsoft\Edge\User Data\Default\Login Data
\UCBrowser\User Data_i18n\Local State
\UCBrowser\User Data_i18n\Default\UC Login Data.17
\Tencent\QQBrowser\User Data\Local State
\Tencent\QQBrowser\User Data\Default\Login Data
\Opera Software\Opera Stable\Local State
\Opera Software\Opera Stable\Login Data
\Blisk\User Data\Local State
\Blisk\User Data\Default\Login Data
\Chromium\User Data\Local State
\Chromium\User Data\Default\Login Data
\BraveSoftware\Brave-Browser\User Data\Local State
\BraveSoftware\Brave-Browser\User Data\Default\Login Data
\Vivaldi\User Data\Local State
\Vivaldi\User Data\Default\Login Data
\Comodo\Dragon\User Data\Local State
\Comodo\Dragon\User Data\Default\Login Data
\Torch\User Data\Local State
\Torch\User Data\Default\Login Data
\Slimjet\User Data\Local State
\Slimjet\User Data\Default\Login Data
\CentBrowser\User Data\Local State
\CentBrowser\User Data\Default\Login Data
Software\Microsoft\Windows\CurrentVersion\App Paths\
softokn3.dll
msvcp140.dll
mozglue.dll
vcruntime140.dll
freebl3.dll
nss3.dll
msvcr120.dll
msvcp120.dll
Internet Explorer
Profile
firefox.exe
\firefox.exe
\Mozilla\Firefox\
profiles.ini
\logins.json
thunderbird.exe
\Thunderbird\
Could not decrypt
Account Name
POP3 Server
POP3 User
SMTP Server
POP3 Password
SMTP Password
HTTP Password
IMAP Password
Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
ChainingModeGCM
ChainingMode
"os_crypt":{"encrypted_key":"
TermService
%ProgramFiles%
%windir%\System32
%ProgramW6432%
\Microsoft DN1
\rfxvmt.dll
\rdpwrap.ini
\sqlmap.dll
SeDebugPrivilege
SYSTEM\CurrentControlSet\Services\TermService\Parameters
ServiceDll
SYSTEM\CurrentControlSet\Services\TermService
ImagePath
svchost.exe
svchost.exe -k
CertPropSvc
SessionEnv
ServicesActive
SYSTEM\CurrentControlSet\Control\Terminal Server
SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns
SYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip Redirector
SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC
fDenyTSConnections
EnableConcurrentSessions
AllowMultipleTSSessions
RDPClip
@\cmd.exe
@SOFTWARE\Microsoft\Cryptography
MachineGuid
root\CIMV2
SELECT Name FROM Win32_VideoController
Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\
InitWindows
Software\Microsoft\Windows\CurrentVersion\Run\
\programs.bat
for /F "usebackq tokens=*" %%A in ("
:start
") do %%A
:ApplicationData
wmic process call create '"
:Zone.Identifier
SOFTWARE\_rptls
Install
\System32\cmd.exe
WM_DSP
e\sdclt.exe
ADescription
FriendlyName
Source
Grabber
Asend.db
WM_DSP
ntdll.dll
Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
explorer.exe
\explorer.exe
WM_DISP
dismcore.dll
ellocnak.xml
\pkgmgr.exe
/n:%temp%\ellocnak.xml
Hey I'm Admin
WM_DISP
SOFTWARE\_rptls
Install
%systemroot%\system32\
Antivirus Signature
Bkav Clean
Elastic malicious (high confidence)
MicroWorld-eScan DeepScan:Generic.Malware.SLl!prn!g.A8B2F0B4
FireEye Generic.mg.e4cb6177f54802a8
CAT-QuickHeal Trojan.IGENERIC
ALYac DeepScan:Generic.Malware.SLl!prn!g.A8B2F0B4
Cylance Unsafe
VIPRE Clean
AegisLab Trojan.Win32.Agentb.trG2
Sangfor Trojan.Win32.Save.a
K7AntiVirus Clean
BitDefender DeepScan:Generic.Malware.SLl!prn!g.A8B2F0B4
K7GW Trojan ( 0019d9b81 )
CrowdStrike win/malicious_confidence_90% (W)
Baidu Clean
Cyren W32/Antiav.INDT-0919
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Agent.TJS
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Malware.AveMaria-8799014-1
Kaspersky Trojan.Win32.Agentb.jiad
Alibaba Backdoor:Win32/Agentb.ba380ae8
NANO-Antivirus Trojan.Win32.AntiAV.fljpfv
ViRobot Trojan.Win32.Agent.1392640.E
Rising Stealer.AveMaria!1.BA1C (CLOUD)
Ad-Aware DeepScan:Generic.Malware.SLl!prn!g.A8B2F0B4
Emsisoft DeepScan:Generic.Malware.SLl!prn!g.A8B2F0B4 (B)
F-Secure Clean
DrWeb Trojan.PWS.Maria.3
Zillya Trojan.Agent.Win32.1391531
TrendMicro TrojanSpy.Win32.MOCRT.SM
McAfee-GW-Edition BehavesLike.Win32.Dropper.fh
CMC Clean
Sophos Mal/Generic-R
Ikarus Trojan-Spy.Agent
GData Win32.Backdoor.AveMaria.A
Jiangmin Trojan.Agentb.eab
Webroot Clean
Avira TR/Redcap.ghjpt
MAX malware (ai score=85)
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Trojan.Win32.Agent.oa!s1
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.Win32.Invader
Microsoft Backdoor:Win32/Remcos!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.RL_Generic.R357760
Acronis Clean
McAfee GenericRXLJ-HT!E4CB6177F548
TACHYON Clean
VBA32 Trojan.Agentb
Malwarebytes AveMaria.Backdoor.Stealer.DDS
Panda Trj/CI.A
Zoner Trojan.Win32.96822
TrendMicro-HouseCall TrojanSpy.Win32.MOCRT.SM
Tencent Malware.Win32.Gencirc.11baf0e3
Yandex Trojan.GenAsa!++8lN4UW0KE
SentinelOne Static AI - Malicious PE
MaxSecure Clean
Fortinet W32/Razy.571245!tr
BitDefenderTheta Gen:NN.ZexaF.34678.xyW@a4OWhGii
AVG Win32:Malware-gen
Paloalto generic.ml
Qihoo-360 Clean
No IRMA results available.