Advanced File Analysis System

CREATED / DROPPED FILES

File Path	Type and Hashes
C:\Users\user\AppData\Local\Temp\SAVAPI\aegen.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : ec545a77015ee17f2015eb5befea2a83 SHA-1 : 42a892bb31a2035a599b54cea8731ad923c818d5 SHA-256 : 44f3a24fa8423f65c61338772c8a9ffb655be8e845b58d0265658e1b10e89c42 SHA-512 : a8ca86748bbf30260a9b2abce6be20c36e1f6ee7aa648e90cb2316d50a494b7d50a710a44d4a5058809c471c58c6a8f960cba37951c285d8ac9daa3e685fd84f Size : 707.016 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A	Type : data MD5 : 365d10d8837447dcb15c117fe3b8368a SHA-1 : 3815d4499231b0892ffade9d36bde552c2929775 SHA-256 : a0b6611ee75d3b26516a22a27d22c3c3ddb3fd5b71d767c339229c505791253f SHA-512 : 5cd5f2fa469b9a0accf9b405d25090514b7fa2d22dcfb22ef88a9d76dfc985f90686ac3c15fb5341a3b2e0cc1e44b0ac83d039b0b0eeb86802a3de833162aaad Size : 0.43 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	Type : data MD5 : 255a5fb8b19ecee9847b77fe4975e21c SHA-1 : 75f6f00bf1b470b711dd0796c22d318323f099a3 SHA-256 : 778611b79e23a1eaf7b899a1a31687310bc10bf207ce3e0ae9c8205b4d13f8b5 SHA-512 : f712e446c14a6e06bcbd911ca8fd4b2c0a7578fc79c170a1911a6aea6625ccd1093b7fa7ee51f5750a9f2be0fa16fdd94d37ae4fdd58310e117129e491d2b32e Size : 0.328 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\utils\on-access-drivers-final.cmd	Type : ASCII text, with CRLF line terminators MD5 : 99f88fb25d97a1712de7d107cdd9eb32 SHA-1 : e4d3ec77c037b3667837e9b3ebf1d56729fbd270 SHA-256 : 2b917642a0c8d4777b51c1b6b6c55e550b01af7ae5d517d313ea6a11b0ef6df9 SHA-512 : b5e827baf7a9ff1da1ff372f82edd1275031bdae8877bedc7fc27b04cb35b75c91a5ff64c40b32ea446170cde1d93f4d658f01a0ea836301e5f94ef97571f39d Size : 2.385 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.sys C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.sys	Type : PE32 executable (native) Intel 80386, for MS Windows MD5 : a84684bebc36790cae1d5c771666e480 SHA-1 : f0b6aaee56b8f5c0370b4573f45ac30e3a9baacc SHA-256 : 831fdfae43f95f8c4485d1f7c8ad84653555c936228b459758a6961e053073c9 SHA-512 : 486684d58559e9e94549c75b94af9e250037db747b2671b686c0a91a3fe075ea6bcda7b50bf5a8996e6f2faa57907aabdc1035b7483c0fb2be62f9542eea05c8 Size : 130.912 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aedroid.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 8bd9ad92261aa190a6af51f7d29ab391 SHA-1 : 37fd397d4e33d6750a4ff080fe68d19611deb226 SHA-256 : e3ee2e5e91e89b931167e99818c779dc0c5dc488ac1ddbd880d440277f3fae9e SHA-512 : ece28d6a294fd84b08dda1cb0ab6ef0325fad917ae868216dcc714b9adb812b7ca7b361e9efce57cb7a32419b8511895c2c0e8b58bdfae642d55299a5920bac6 Size : 2801.64 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\savapiclient.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : ab90d31f5ff147483a0bc0cf2f95c2f1 SHA-1 : 48fff5c338f4d7194c68691eafeef77aa917a05b SHA-256 : 6862a4e1bc0233378710b4fa03ee53fd3d2a899bb3e06c6d8d2d08f19de871b4 SHA-512 : 698857df9b472673556eb905ef89021e5cc56b1c3ada73258286292140505050b05e23124ee6dc769fbafe2de50e960d6ac2855b0001c4f3cde8ee7fdcd43090 Size : 126.032 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\apchash.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : cce3f50e5eb4797684e8d228c44d23bf SHA-1 : bdb9fe6e7ff36bcde1a2ceeab38b6cd5fae5f173 SHA-256 : 6fa32b8b36b807e4aec6a19e04f7e898116b5993f7f6c933124c6c32d521e70c SHA-512 : 35c08115ab0f24ada9120c3d1d472bc9b156c708a196cd66005e4335eb782904ca93244d052a9496f8c4ecb6562db18709070bc53f031b081a3e4493693e633e Size : 133.264 Kilobytes.
C:\Users\user\AppData\Local\Temp\logs\main.log	Type : ASCII text, with very long lines, with CRLF line terminators MD5 : 56ba356b1900f6fa2ae6deb9f36908a2 SHA-1 : 6962f605c020a3a68bfd156217be44edbe115323 SHA-256 : 13158628316edaaa01b21d20953c33f33b8281351d76426deb92441bb9ac1334 SHA-512 : 3f6aece68cd8c2743796f4b9626a3ba6fe83874e1f40d280e4b85e401b2de55541851e61d4d25cb87e5fbc931270f206e243fb92e9f3e04da587f441230c504a Size : 16.885 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\cacert.crt	Type : PEM certificate MD5 : 51ccb61f5718d83b07a33c1b696fdcd1 SHA-1 : 94f361ddadf5acbe287daa7aa0377b01f6163a48 SHA-256 : 6d382f5bafe9d933ee1756438ea8e565978ee7d5f0c7d960364268ed70ba719a SHA-512 : 7a3476885252045b2743a4664e8043530b0ff4b588ad0a755ba0ad21a2ba6e965814d1cccffd62914a13529870a8f1cba30b4f29ff37731b958b7e2b47b36a6b Size : 6.065 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\utils\sd_inst.exe	Type : PE32 executable (console) Intel 80386, for MS Windows MD5 : 3a42f27bd1d209ff45b38aa7d6fbd3b0 SHA-1 : d1c28b306efeb164481e10f866009acf4be649f7 SHA-256 : 621f2bda22c2fd358c56fc7b61a52687a5085d966422d90ebb54f49d1ec1d164 SHA-512 : 8de7ae65a08d2d923b44eec90aca47829493ed3165a3a63e75daac48ff01bebdef75415b46f0db2e33473502bc4999b5f27cf8f644609780c84b2c789f12d657 Size : 90.368 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	Type : Microsoft Cabinet archive data, 6509 bytes, 1 file MD5 : 33b39e2a516ef730a8fa922894f0fbd5 SHA-1 : 03d455583dda59215d945af76af6293b202f586f SHA-256 : 9446e8f2056fea3ac1365a809ada04602606242c396f72ffe42fd1b781c24cba SHA-512 : 75763aa13b43eb96294b0f84e13106611198872e06fb79f4af4f35d020ed0add9d8d1b42fe7ec2c6340ac8e08b182f83469d813087c321c878f96970c8112267 Size : 6.509 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aehelp.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 189679348cecebd814ccf11f0be048ff SHA-1 : 43851ca4401d3cb176575c30dc0f767893ba28fd SHA-256 : 3e993b11d1e6b9d471c1248b466eb02e106e5da21516f1e975580646f5fc4b19 SHA-512 : 4d6bb5e929383836a9fc158b2be8fa5bf5b08f7104bd7f076ea8fe7f31078b125414134f900bc1f86502020ddc28107ca414f2121c108a92a71dd8212cf031a5 Size : 299.728 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\msvcr120.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 034ccadc1c073e4216e9466b720f9849 SHA-1 : f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1 SHA-256 : 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f SHA-512 : 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7 Size : 970.912 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aecrypto.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : dff010b4b3da7bc89660debc1d5f7afa SHA-1 : 8181f22a85c96260ba516b8210bfb6e1d92f405c SHA-256 : 151cefe5119fd59636986befec370aed14bbac2ce18f89d878aec1edef8cac33 SHA-512 : 4482473f06c8e2e667b95c5991950e8d5edb8ef2cf048e6e1a485a6f1241b6ad0715e0ccd09ac22dd864ce71afc45cb9047b273715c3bafb049e6139670b3693 Size : 141.8 Kilobytes.
C:\Users\user\AppData\Local\Temp\data\sdet.jdat	Type : ASCII text, with very long lines, with no line terminators MD5 : 666b67bbd0b282adac02b445973eeaa9 SHA-1 : 0da22085ac4f3871a726004e9607b8e92b0a9bd1 SHA-256 : 13292458b40416ff7da735aa5b48878c5ae34e28acbfb030c8b071ada48c0b96 SHA-512 : d57edaf1d5e420c75a11f9c247ae4892c691f01e254f3fdd3b02cf2c58315473a1d642f64ef36c1b6ce1d6dd3daceb45707c45ef5539817da2b04ce3a8cccc67 Size : 0.4 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aeexp.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : f86f0e04965f2d4b24f9bfaf7d0caf29 SHA-1 : 67f4768e337183ac8cc758a0d3e52b3e212ab0bf SHA-256 : e4878da4a1e284b7b3146a0375cc5b7b63110a70b6188734e355427af65c9237 SHA-512 : b63c91febe64476c465c9cbea59ed400af6e06759f6ebbd246798a1ab4c7c64c96eaa2632365e53d436c058ca55dd7fbeb12ccbba1b9dd14b50f7a9de284f843 Size : 399.464 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aevdf.datmjrzychs.v4o.PendingOverwrite	Type : ASCII text, with very long lines MD5 : 8689417dde8e65ef8acb51bb2e0d20a3 SHA-1 : ec9b5f17e3193825b72254b935802cafad23ca2a SHA-256 : 6865193443363fbf4005880222910015b639a7b53318f782c9f078b9c5216a39 SHA-512 : cec55fa8166b5ecf86c140b28c32f8904981e1bbed0386fc7adc80440dbdb1fbb19af5314e0d163f27323bae8c35f5515ba00ad144a9a5b7f1e6a5c7c83f871f Size : 5.484 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\utils\on-access-drivers-post.cmd	Type : ASCII text, with CRLF line terminators MD5 : 20df71f8a8628840063b627705eebdbe SHA-1 : ae13d32e8b6e0559d44b10a1a109b0fbbf6a2c80 SHA-256 : 293b013dccd92272457636a1b81388a90c064eb93540a77d081d2300a720995d SHA-512 : eaab41b693e718ab758d0236c9bc0e61f752a1e1e36d4fc212bbab052dd0cce494bc4b76cd3c87ad7b824264226429905baf908a51ce701accb87ffe1b1b78e6 Size : 3.835 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aepack.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : c5a13c082775631c1afe9b9c1d79dccd SHA-1 : 2523e0a0dd569a252da3ecf9fb08b6db353b8e88 SHA-256 : f7f37dbff085331ee6dd1ebf271b1af0d034f584d70355358f08b1d9335284ba SHA-512 : bd5f694cd9cf0807ac91fd8b5baa6840669bfb57802111d59831eb08a15421119a924952637bd43f2107632da2a351947acd011b845b74532f502b420e34797c Size : 835.856 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\productname.dat	Type : ASCII text, with no line terminators MD5 : 0e1802d2bd4a0046729c6c6e45fa9862 SHA-1 : eea616975fb17754300d25c025f3d2a962295382 SHA-256 : 55bea11ba99bbf0272c70ce7a8c1845ba934f0ab882cfc0cf2ed61beb1c2d52f SHA-512 : ff58fc6837cb51ba4f0ce65fb96630c4abad09373723bc4e7fbdf297bb6a58a9c6cf40b609c66c181e3562959c2f6e8e3242bbcb7e6bca3a15f33d1a2c9fc7dc Size : 0.017 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DE0101390D8E4B74E3DD39ACA5B00000_BCA65E535E79DBF987FC1C7A3D60D995	Type : data MD5 : c272f34aa84c2e0e4bfed7b90cd12d9c SHA-1 : 537d2d2c44ba26661c000b0de43c1eb1252f7fb8 SHA-256 : 183d2c8df84b24a0521ffbf7f9ec4d1cb50b0af48ac330ff2251c213b9ba15dc SHA-512 : fbd5ba4979c0fc606676af9660f43ab93b65cd9d2a86f935185f6fa54c84a4c33a53eb18e6ef2cb160a23a9459671890ba15718ea09f1badb3298b9d9938ac19 Size : 0.471 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\vdfupd.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : f35c6f578d1cb2c4796aa7282c5ae47e SHA-1 : a228d0d28a66c5a3cbdeb515aa8ee691ee326503 SHA-256 : a323f83d87d8aee61ba11fc5de6d5b0ee7ef433879785512338caf7d09fbbd93 SHA-512 : 9b0e5d919e18d9a64afe9196f1c04124e88a52ced2dd99fc0d6a797567e4b9b729137ed649899f04b937b479b5299b42b67c5e8539cd1e429a6b0dc9379221b9 Size : 102.48 Kilobytes.
C:\Users\user\AppData\Local\Temp\TarDEDD.tmp	Type : data MD5 : fe1c6ccc98d43c2bbed20e1780b66386 SHA-1 : b6ff695038e6ecd5d1011a40718359c74ca3a641 SHA-256 : 6f8d70366d59d5c50d62d0e9b1a01321647f48bfb1329cd04ffceb34d63cd458 SHA-512 : 3dc51e96645fad49926e32bb71d2221a289dc8a968725478adda8808d0c884ada133a8e85d880ca45b6839bc01d6ff42a099b894281f42d58d392d0bdedb1b46 Size : 129.865 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aescript.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : f54b9813a49a74265338f7dcdfcf1272 SHA-1 : 06ae685968b5085ec26af756aacaca5a2ed1a23d SHA-256 : 1d7ca8e699d6cb4bad22e39426d1d3064aff31ce0a9025156d2ebdc7a7b2ec61 SHA-512 : e810e307be71c3c318a1cd6e5d75d4488b4c9146071bdcd73e0152b4d511a07b8017acba743cff8349030d572abc7bbde1c1bf9dc0439eaf25c179dfe84ec6b7 Size : 989.624 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aelibinf.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 0fc5c8a5ff713a93b9131839c0ea3a65 SHA-1 : 6d4fcb47ba58fc5bc64a662e4e9f31f1f5576031 SHA-256 : 43b38d8e9d0233a280cf794eb1f82e67d1209532ba1e6f5c378fae2c48afe1a4 SHA-512 : 9454c709330f8243af788344a43016b42d7bac76d450f86535f7474718874165d94a96fe23f0ae1e671bb7aa74fde609f3e92185901458df320f61954f7a857e Size : 79.464 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aebb.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : ca7497dfec41ae39c2aba49df489716c SHA-1 : 045b53ae730dedb2af65095d611237646ecd6719 SHA-256 : be84ca71660188e04c3a777e19019412e280af4bf6be9e14ca2d54ea2ec47b17 SHA-512 : 95501aa07a12cf407e7243fb54240f8f53b7d24656e67c9b4d4c22dd45a22835c3705a51737fc0f07c12a554840c8f643b5e48c492839c95403a78cdbd538b1a Size : 71.144 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aeoffice.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 19e0f29836a72f6a89f02ba39afe1066 SHA-1 : 36da86f0ae7ee4214318ee2e61cc00c1a5b6b076 SHA-256 : 0783b56c5cf1ad6b5391966e93954cc076d3808bdc6bc4ee770e51ff3fb282b3 SHA-512 : 4ce7ca23a4bde2451a32a53d9953ba06264b58eead655dc5a94537876821698d9f7a31cbaa9c0c621f1b2a265260e749af75c79832895c2b88b577090a3e5168 Size : 677.928 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aescn.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 4c97c892c0c4d7543a8881717c48c189 SHA-1 : 7f3030e9325ae180ab7840a2a7882023bdc9a11c SHA-256 : b78803653e5761983562bae965d8ce7a8dd288554352276b8764256f5c5838b5 SHA-512 : d619bc82f5146383e0e1912b2f3d3e26b5f5cd86f6d1081528cde68c16b19c83dd79d1b60ded77df5e2166052ea8d68c8be89a112d6e77d2a4158e1e28dc9e0a Size : 158.416 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aeheur.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 625f5c5e9e71bc7b27c716f9269ec206 SHA-1 : 219f970c48deec21e1c92168dca9fe30bf5a10ad SHA-256 : 10424489b9c24cfb5d110673ee66dba9fe66549bf7b700b545885c0f2c263ff8 SHA-512 : a007ac9294b819b9c7db5702ce06b40912de368cca3a42b15666a21261f83136e9b36eeab4f8461a99fd4b2e0cfc934fa87dd57b769ef593a88f87942270ab4a Size : 11703.832 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avipbb.inf	Type : ASCII text, with CRLF line terminators MD5 : baa52399f090754b28fd5ab390cce1ae SHA-1 : f8886063e4e052e6e16d0e2de68bfa3677364e3c SHA-256 : 5cb8233117695a563c9a484197da50631044903cbae70ad84dde5fadc78f3899 SHA-512 : c5279bfcb109536ce2f5ebfc2e8405cdad7832a069eaf334cf78b92632c74bc5c81ed961548cabd413f45d12558bf762805068f10debe524bad38ab8b64dc00d Size : 1.962 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aelidb.dat	Type : data MD5 : b613ccdc414d5b2fd69e7269b7173dd1 SHA-1 : 8b60c9aadac2a12c66d8ef97c803f150665276f7 SHA-256 : 1ac108d4da3cf23607dc4714f68f6d5ec35ee7330262415fb61639ee8813086d SHA-512 : 682e098b63f18d07f57f0460f60ddd1e852286342d9807fa2d4eee52c4999878f7a9021e7f72c3e7fb8b17163f45525dbf0e1128f6d8faf9423e664ead96d874 Size : 88.15 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avipbb.cat	Type : empty MD5 : d41d8cd98f00b204e9800998ecf8427e SHA-1 : da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA-256 : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SHA-512 : cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e Size : 0.0 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aeset.dat	Type : ASCII text, with very long lines MD5 : 2c36f2266318f34d27966ad9e010a272 SHA-1 : 9afc4b697b88aa450d15470fac1f0169a545dfa5 SHA-256 : 2a85d4f7674b43b2017c412e49259a3281258a64cb445e831fd4c852d3dc9ebb SHA-512 : 6a1c1322be75741a58f3b480a7474d329095fc341246633881187265c0e2ddb30d5484bc3270478abb9230bf42efd646db36a40a98d7e71a1f0ade61ee27ce61 Size : 3.042 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aemobile.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 022689df63f0e1d54011638b761c4def SHA-1 : b229036d47a383c72f65bb1896cd8312a0108ec9 SHA-256 : 6a9c3004cc6a106e0501be07d383df9c564712fa78eec3f61b8be4bb914e8ef1 SHA-512 : 3178c2430ad497e353382ce9e01eef09ce7d765986778310efca00c9d5dc53524797626af4a611f08eb412c6d3b5789ddce1938af12a9c2157331bc4036e6537 Size : 362.072 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\on-access-drivers-install.cmd	Type : ASCII text, with CRLF line terminators MD5 : 188fa7298e772f9dcf3912bdf1ffc2a2 SHA-1 : 29367a9ed2c0ddb62f25228204b12cdc72da0ea9 SHA-256 : a1fb989e87906a4e5f06ed61d2aaf2203c2a95c60622479fb33829cc3bd577c0 SHA-512 : 70fcda1ce21a7b8d68b5221f2b0e4cb2c8000eff3efe232f36571f497866f4ec17eec86fc5454ac13f1b28fbf8196524a7bbe0b2805b03d289b1094b454a0a57 Size : 5.831 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aerdl.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : f94e67a96db01268382f84017a1c956a SHA-1 : 1fcf434fa03e6568dde35052612b62d9078ee043 SHA-256 : 0979821d13aec02aa5e32fcc814a3bec11d114bf82bf9458b1fd6d69e7b6ab1b SHA-512 : b4796fb6646f997e03a2f97a8682990f7aca745b2afdba0b138a7cba89eba0ebfc14e14213f1ea7852bc0548d363053e835d0d977ffb7e7e4fc2d0abb0a8bd34 Size : 1263.912 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aesbx.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : dc4a1bd86008a08e55a8c161d06939a2 SHA-1 : 4626130048d0f754d86dc2bf189f9702fbd77d0f SHA-256 : 1c55867f96a12e759871a4ddab4d3c4b82c4caf07c6c7c284acbf1d2efa2b76b SHA-512 : 1e25ff70b5eb7d2f19af8d5f6e5043ca084d7b51b9a6efe9eaf129c3ac3998a6e3ca4389164afff566211f65e44c2772a041acc3e7012fc8222e63774c34b66e Size : 1667.056 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\apcfile.dll	Type : PE32 executable (DLL) (console) Intel 80386, for MS Windows MD5 : 2b82f7bae600676a10143dc6b3caddb1 SHA-1 : 046148a8852416f2f53ef79dfb5cfa78233c08e1 SHA-256 : da67392efbf41609e374fb36b54a74cce0a4198ff7f7ee4d68443f8ab931aae2 SHA-512 : fd205c79a9bab63dad695f36ba3fa4309d10d9bf7c176b91859d7fda244190860854a97bc9d0eda774bd37b79022d8460f5c8ebb2a49ade259c38c107e57626d Size : 1698.744 Kilobytes.
C:\Users\user\AppData\Roaming\TotalAV\3.0.0\avira32redist.zip	Type : Zip archive data, at least v2.0 to extract MD5 : b993054aa6a9ac6ffd5547a8dd6791d0 SHA-1 : 982a923a4e3a126d957215c74dcc4e8264041c02 SHA-256 : 75994abdbeb14ec38257735e86596b540ca1e3b0a44949093e744b13e6514836 SHA-512 : 9775dae3e1764a64440f1b6d7ed13f0ae416bfa65e41ed563b64e1f35e48c8f5e60e0f76664929870ab0c23369adc1a017334b887b761adc3569eea46b43fb2f Size : 16538.155 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\on-access-drivers-uninstall.cmd	Type : ASCII text, with CRLF line terminators MD5 : 84d649fe05e145a29f6a326667c40a51 SHA-1 : 4154ba19cfa0180ee67916259bcb09a4040a932f SHA-256 : 06349b1cfb7db167018ad76bc0fd887cdfcf791ed451324647c4e6e89d44f96e SHA-512 : b45d3427752258078b16583dc4e14183e62d7f7ae91cb39ba298170c89d23031c6bf5a02748ea2e4cb4d62b7d040ba0b16d6afb53eda077fbae24b28c7d2827e Size : 7.356 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\avupdate_msg.avr	Type : data MD5 : 206259be74a0d86d2f2e351ddaae873b SHA-1 : 62b94eb7f71df4e6c20b3bba3001616f54642c18 SHA-256 : a0ae2033908dac1d9fb2b3b42ecb5ddd89a76f03e7755f0263f0bc00d218d2a8 SHA-512 : ddf6bbb6030a5071629e4974a4eff9658cecbf4d286b91d07f9b3725f3bccc68ba03adc095bdfa5941ebe98d6d4e81636fca2ac3bcd5f1b368d3c2831b076f57 Size : 6.392 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\avupdate.exe	Type : PE32 executable (console) Intel 80386, for MS Windows MD5 : b4e681c7a94989c585e20e94a6d190e2 SHA-1 : 0135a34c15b292c1ddd76680de61d80903b1ecc0 SHA-256 : b5c5a11a2c79dd9ec21389c74c7c3fbb60c12db8b368433735918d4c027e4734 SHA-512 : 0ba3e17085690eed7cc2dc14b838befb7fab73a490d03471d6d4fd8f072426cf1fc4b7bc369ee1d769a8cbe58f9c08bb4f8839062e48c6207ba28dac3c76e09b Size : 1967.224 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\savapi.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 57ca420885edc30750e29f0f545e5c94 SHA-1 : bcc4002e5a48c9189360dd51a0d757138437df25 SHA-256 : 5e6d0116152707f0e648f5e0a780510b80af04cec8520aceb4f21055c49cb50e SHA-512 : d3f42c181cdef20dc24e99048a1ac29ff3883bda0faadd6c96005072c2adcdd5a20d6592cc41d81c51e4d201273e8164924c15dd9a64b6d077bb85189e6a5a2b Size : 1804.68 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\README	Type : ASCII text, with CRLF line terminators MD5 : 6a30abbfd119dc7b330a0d5aaff4c8f8 SHA-1 : d2d5d0be8fa67cfc4886def0009aafcfa67f82c7 SHA-256 : a7d68c07f77d97b06368d97ec4a52593931505a316734214d628f236cd69fa43 SHA-512 : 92ac1a849bd028a309680cb597dd93579c834b78beb9e780dfcf8f8ffe410d377e279dd9316585546c93c8bf7e4c41cbda11d5cbbceef99906223b4edc294b2c Size : 0.386 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	Type : data MD5 : 894b6ded18e8718e3f5c75575ba7afcc SHA-1 : b344e9831b6d54d1e2aa45d6006fc2914ca00276 SHA-256 : 7ab4a46665ba87c09250bef8addee377b05c0abad9c1ad9dfd9f339133fea6f3 SHA-512 : 03570b19e71c395281d3152ace85d197a91c883d75d8210ca289c8b8d1929b9370680f93be173fa1be8950a3f526b4e36ef8131b79285ac27f51b0a244461a5c Size : 0.342 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aeemu.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : c147954ad962c8845b3d545a01300e6e SHA-1 : 1d08ffa9d17b2b4131be1cc0c9534534ae248779 SHA-256 : b716dfbf6b92d4e38ac4a1a46a962e411ee89535b7615dfa4cad9082dbd6aa82 SHA-512 : 3224f39cbc14d6cad300ffca59b31669fce46d3f7fcf08578205a9461d28e1d8737a51c9b3e68e15d136338545ae3ee7f7d1be466137b79726215ca32379b8d3 Size : 420.248 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aecore.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 75d070b39149c915fab7e7eb5f492332 SHA-1 : c65499a625709c24ac890363a0d51820f433945a SHA-256 : 9acc2fe8a78545431c2f7f6e8438b7f4077c40dd5128400e3f66fefa51ae71d2 SHA-512 : 1f88fd3212b9e89e19b992f291d068be7c09e9f94720bee6623fe0a079ff6b4df66e3e5af135ab6b5887853a4ef92e549cd88c3528eae3d5edae86c9ac435fba Size : 266.48 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avipbb.sys	Type : PE32 executable (native) Intel 80386, for MS Windows MD5 : cc2fa54e156c009163bf8e797e2f882f SHA-1 : 04c77b2d5a79490139c1321d74d9473fcdbb72d5 SHA-256 : 95aa6277ac95b077541a2287a662d539ec3da448d555ba643b0e29affff1dff0 SHA-512 : cd5ba971701308c3d0d4fd21078e7c3d895a9b404bf373dec31c8bb46772bef666aedb7b9709e514f2abf376f0205c564c0c4db418be13f6ba7a85c8a22b6e05 Size : 156.088 Kilobytes.
C:\Users\user\AppData\Local\Temp\CabDEDC.tmp C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Type : Microsoft Cabinet archive data, 53830 bytes, 1 file MD5 : 1e7ee2d082541f087a725ac2803dc927 SHA-1 : d2a18b0a6599d280998a7fc94037becf64c597e9 SHA-256 : 0a43fb2fe8f01af0409ddb8dba9fd4529edb44d26b3bd721e419481bca046bd9 SHA-512 : efcde3ef128d14c4a44c7a3a4b7783f5ffa6956c713dff900d48a8de0eec0000f3b22841225c65aca721e3e1f52520c7a03712fbcf5bed35d04611274c465684 Size : 53.83 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DE0101390D8E4B74E3DD39ACA5B00000_BCA65E535E79DBF987FC1C7A3D60D995	Type : data MD5 : 199e8b405fa2b4152f112a13dbbd3f4a SHA-1 : d88a8c686b39221e4c82a3770d1a0a7d6a4d735e SHA-256 : 97750d9e319949548ab96069c8e8b56643733587877cb3a229ef8963e86cfd52 SHA-512 : c229469021bf0379a0bf015e923e20ed17fb593f1e53008307a2047a51a2488731a7420fa8c8df308784da8f64f358584f11bb111ce5c41539e9f1340a4b5c40 Size : 0.426 Kilobytes.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_B95A585585762F8B2D72E152F328449A	Type : data MD5 : 7651ec7c50322901f193a0cecdb4399d SHA-1 : 9988dc69ad92f9725da360bcd16b64c5778d98e4 SHA-256 : 974ab187bdf159d7e350a297dea64137b9eb911897a035d84bfc52a3f5452185 SHA-512 : 77946438d57d5fb209ca0badae1617e4adf9b98980c2b84d2ef5dd99c300b1b7a0e968df57837714490783a5cfa88790ceb0b761ec9d27ec1a64a206bcc42503 Size : 0.471 Kilobytes.
C:\Users\user\AppData\Local\Temp\installoptions.jdat	Type : ASCII text, with no line terminators MD5 : 1674fb1f9aa6d15b4633146fa59e9d10 SHA-1 : ef400d05f7dfce5207d6b79efef32e60a160293d SHA-256 : d208065b8751532cd4581c56cb59bb1088dfe44799e63264b9e8480e499ebde7 SHA-512 : 72a21cf7e7b50f82f7ecafd28ff800b90d80f8df50f2ebd934f879230cf30c11e67aadca62c5449283858934862c4f85a0d674bb7c92192f3b2897f1572b5520 Size : 0.28 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgio.dll C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgio.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 34422e1f23ed76278b1aa384c89f91b4 SHA-1 : 90bb3198aea8e07f925be0bcf629ac8ff575c58f SHA-256 : 3f35b2236d3e5b72867b7ca3c7de631496cf889c1cad8c3bf2a721b4471ce270 SHA-512 : 85c44d1a48348491446abd4f7b4960cc40778aa4ff9d5905570a5f4eca14d3d42755bfbe029191066d2befa007a818c7562f6e3f8756e83fb19c21ff234a1987 Size : 61.872 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avkmgr.inf	Type : ASCII text, with CRLF line terminators MD5 : 8e3186c24c98b5dac17e16b47c1f9e5e SHA-1 : 88459b1607eb2265d02d607251f53ed63df7d092 SHA-256 : 9bf53be587bf77d602189f9a125e0f72fafc3792c09fd237bae94600124dd202 SHA-512 : 84cfac0cebbd40d7b8887c2bdd7fb8f0352c9f8e75971597778d15298c696d65132e7d3d11cfa6190b83faf26367cd39e48e6ef67cf5789e3448b25617df8a28 Size : 1.888 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.cat	Type : data MD5 : 3c409d00694b76be7b6252bab303fbf0 SHA-1 : ddc34a91fc94e2f59e6aeccc42f4db08466fbb98 SHA-256 : 23b8dd9f1a8de76dc8202ea385163c4ea1b78542394ac172ff668010987dca08 SHA-512 : cb058bed634a8c36ba1098696d3798a4f45e96c30c2300b6409fdb56cc1029a53655565596e1afa33aa1064698105a1a1eed54c129485131a6a7ede84a68f6a6 Size : 0.679 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aevdf.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : 5d11a07597b4f21061a3e5528637e4a2 SHA-1 : dad1d9b61381d5539e856e8bd43803b15e6c7c5d SHA-256 : 7b9047bb4778ed8b5e696617e5e542e3d846b63a131701d6c0284b5a6e169c30 SHA-512 : 41b03a7f6d0bd5ddd5987063b6fad6e61cba1d695972d277b2d8558fe5ef6f834ffcafd0be4cd258daed2e4d52c124be8878b7f2cd8820c7b71b1ae6d0664567 Size : 154.264 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\avupdate-savapilib-engine.conf	Type : ASCII text, with CRLF line terminators MD5 : fb1148d236eeb45c0d4959ef6aa23f35 SHA-1 : a014016cc6d764dafad7a0e1b16ee5c6a248e153 SHA-256 : 6573f1b8300d6021c94ad95526c4794a22d8a1a5fd9e8edd4fd4bb905f5dbea4 SHA-512 : 6146a79fc42d8293320c37a19082e25c429853e9a4a1b2914d45ce39d9d90cf218b46d769635adb52bba76e44448c60a54ff6c44cbea04d7569f8e6d68769603 Size : 0.439 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avgntflt.inf C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\win7\avgntflt.inf	Type : ASCII text, with CRLF line terminators MD5 : 426afad8ddd9684b69343b6ace8ccf42 SHA-1 : 9d27a659baa6d568095f718338b0cebc0884222c SHA-256 : fb73541bcd549ce91979add972a9d449b6237b6e135e1a4c7b594b535d16876f SHA-512 : e5a2a33afea572f628ff5fcbe755c146b7c1ed30cd726478a46b79027611cf6eba86e70d8b6f00a7b59bd5a593b9cb305928dc75bdf31b80d34aed9a4b034c72 Size : 2.463 Kilobytes.
C:\Users\user\AppData\Local\Temp\data\prefs.jdat	Type : ASCII text, with very long lines, with no line terminators MD5 : b501edf9453a8bbc1f5a11d52d181c57 SHA-1 : ec3b101ee8508283d39cd554fe51307f675a57d6 SHA-256 : ba9ef5be6aa4f02a532cd670897dffbfc261a9d53871bbc9a7def0b5b0d6b893 SHA-512 : 6e03c22e85ab756d7852918a4cfb92bd3ae3d11c5dc54986b1bdd7537f945ade23ab5023096dabc20a0f476eaf2619187713b93138c6788bced142726dc830c1 Size : 1.135 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\msvcp120.dll	Type : PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 : fd5cabbe52272bd76007b68186ebaf00 SHA-1 : efd1e306c1092c17f6944cc6bf9a1bfad4d14613 SHA-256 : 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608 SHA-512 : 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5 Size : 455.328 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\aemvdb.dat	Type : data MD5 : b61b1e20d17b6062f8edc1428bf2223f SHA-1 : 6ccbdd36ce0cfeef36ab85a899b88b7f0a34e940 SHA-256 : 30389b79614655252fb847a07f7fadc872378390417d894240b1d0aaa198e572 SHA-512 : 5634655f5e4f429b535748d3a081d5f4ca35fcacae1fb9b55b45b277d4c1dc2462fe9bbb21dec8b9227603c038f29fc65b5ef00ad8edfce6748bfb0ea83c145e Size : 1.793 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\win32\vista\avkmgr.sys	Type : PE32 executable (native) Intel 80386, for MS Windows MD5 : 185cb049fa670298e2948ca3141d7ac1 SHA-1 : ebc875c3064c5c8b49f14f63727cd593412f3e27 SHA-256 : dccd32487e6b227c21ce55df2136adc657f138ae672a3c98aa8021c57c36b007 SHA-512 : 70c8d03f4dac37b17eee887f722798f01fc82838ab91b41270d79f068131ce4935ef04cac8acba9551a5769f6ea1979b0d2d73f96081eccad9b381d8163d2d3a Size : 35.84 Kilobytes.
C:\Users\user\AppData\Local\Temp\SAVAPI\on_access\utils\on-access-drivers-pre.cmd	Type : ASCII text, with CRLF line terminators MD5 : aed5c61ed2b8180ef67b33309e5058f3 SHA-1 : bed94b2e42fe7989351bd1ac205be01a70b906e1 SHA-256 : cb26d0fd7d24078f42be753ffa4acc19bdc385a6992dd9b6d0a2bc8965428882 SHA-512 : 0bb2cbad22c63a21251ce731545ddee235c68ae2782cf42b989407d64dfb10f92698accc2ca84c2d7307a4c9eff56141f2a70392bd84a822ecd1b8d46d350a34 Size : 4.641 Kilobytes.

MATCH YARA RULES

Match Rules

STATIC FILE INFO

File Name:	67eb0a16282599d3ead2977d264598fa31dd83f0
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
SHA1:	67eb0a16282599d3ead2977d264598fa31dd83f0
MD5:	ecebc09fec5652d173f5287faafb9c57
First Seen Date:	2018-06-22 06:16:03.690516 ( 7 years ago )
Number of Clients Seen:	3
Last Analysis Date:	2018-06-22 06:16:03.690516 ( 7 years ago )
Human Expert Analysis Date:	2019-01-23 03:23:53.889743 ( 6 years ago )
Human Expert Analysis Result:	Malware

PE Headers

Property	Value
magic literal enum	3
file type enum	6
debug artifacts	[]
number of sections	3
trid	[[64.6, u'Win64 Executable (generic)'], [15.4, u'Win32 Dynamic Link Library (generic)'], [10.5, u'Win32 Executable (generic)'], [4.6, u'Generic Win/DOS Executable'], [4.6, u'DOS Executable Generic']]
compilation time stamp	0x5B213D32 [Wed Jun 13 15:50:10 2018 UTC]
LegalCopyright	Copyright \xa9 2017
Assembly Version	4.8.12.0
InternalName	TotalAV.exe
FileVersion	4.8.12.0
CompanyName	TotalAV
LegalTrademarks
Comments
ProductName	TotalAV Ultimate Antivirus
ProductVersion	4.8.12.0
FileDescription	TotalAV Ultimate Antivirus User Interface
OriginalFilename	TotalAV.exe
Translation	0x0000 0x04b0
entry point	0xa3410e (.text)
machine type	Intel 386 or later - 32Bit
file size	9440936
ssdeep	196608:qf8p2DUd6HYvcu65om09o6Q2F6aTegF/L:qCuUd66k5op
sha256	4bd67897d472c928a374aefdc87af07dfab51a9bb2cffcc47be1283e29344c9c
exifinfo	[{u'EXE:FileSubtype': 0, u'File:FilePermissions': u'rw-r--r--', u'SourceFile': u'/nfs/fvs/valkyrie_shared/core/valkyrie_files/6/7/e/b/67eb0a16282599d3ead2977d264598fa31dd83f0', u'EXE:OriginalFileName': u'TotalAV.exe', u'EXE:ProductName': u'TotalAV Ultimate Antivirus', u'EXE:InternalName': u'TotalAV.exe', u'File:MIMEType': u'application/octet-stream', u'File:FileAccessDate': u'2018:06:22 06:13:10+00:00', u'EXE:InitializedDataSize': 2790400, u'File:FileModifyDate': u'2018:06:22 06:13:09+00:00', u'EXE:AssemblyVersion': u'4.8.12.0', u'EXE:FileVersionNumber': u'4.8.12.0', u'EXE:FileVersion': u'4.8.12.0', u'File:FileSize': u'9.0 MB', u'EXE:CharacterSet': u'Unicode', u'EXE:MachineType': u'Intel 386 or later, and compatibles', u'EXE:FileOS': u'Windows NT 32-bit', u'EXE:LegalTrademarks': u'', u'EXE:ProductVersion': u'4.8.12.0', u'EXE:ObjectFileType': u'Executable application', u'File:FileType': u'Win32 EXE', u'EXE:CompanyName': u'TotalAV', u'File:FileName': u'67eb0a16282599d3ead2977d264598fa31dd83f0', u'EXE:ImageVersion': 0.0, u'File:FileTypeExtension': u'exe', u'EXE:OSVersion': 4.0, u'EXE:PEType': u'PE32', u'EXE:TimeStamp': u'2018:06:13 15:50:10+00:00', u'EXE:FileFlagsMask': u'0x003f', u'EXE:LegalCopyright': u'Copyright \xa9 2017', u'EXE:LinkerVersion': 8.0, u'EXE:FileFlags': u'(none)', u'EXE:Subsystem': u'Windows GUI', u'File:Directory': u'/nfs/fvs/valkyrie_shared/core/valkyrie_files/6/7/e/b', u'EXE:FileDescription': u'TotalAV Ultimate Antivirus User Interface', u'EXE:EntryPoint': u'0x63410e', u'EXE:SubsystemVersion': 4.0, u'EXE:CodeSize': 6496768, u'EXE:Comments': u'', u'File:FileInodeChangeDate': u'2018:06:22 06:13:09+00:00', u'EXE:UninitializedDataSize': 0, u'EXE:LanguageCode': u'Neutral', u'ExifTool:ExifToolVersion': 10.1, u'EXE:ProductVersionNumber': u'4.8.12.0'}]
mime type	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	MD5
.text	0x2000	0x632114	0x632200	6.34606548956	65795fd3d987a402c05cfb18963f9512
.rsrc	0x636000	0x2a91ac	0x2a9200	6.08055099799	4af01ee069508e2d2ff8d93c84c445af
.reloc	0x8e0000	0xc	0x200	0.101910425663	a2751cc536fc27dc66458308dab2e5ea

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6513644, u'sha256': u'33b7491354f12bac92f2bea5b5c8b9264ec36835ff49eefeb36b5566cb714791', u'type': u'dBase III DBT, version number 0, next free block index 40', u'size': 1640}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6515284, u'sha256': u'0c15334841ec1bde9305a70dce30db5de5e2d385109b4bb723f23d5f4748cb7a', u'type': u'data', u'size': 744}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6516028, u'sha256': u'9d243bd50af2bbd043d2b388f11dfdf3ef2dfd30ab11726fa15cfed00e70e68b', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 296}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6516324, u'sha256': u'3a2dabb489238bae99449c23340da615663474e09bf641fdcee4acb647b60947', u'type': u'dBase III DBT, version number 0, next free block index 40', u'size': 74792}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6591116, u'sha256': u'44476bc0d01de527f6bb93d01594a5585e3cbf90245955f3bd5632b1c72c9ee3', u'type': u'dBase III DBT, version number 0, next free block index 40', u'size': 3752}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6594868, u'sha256': u'6869ed72781fe16431ad4b268ba82a951d6acaec46da5dd50e983f21b088a045', u'type': u'dBase III DBT, version number 0, next free block index 40', u'size': 2216}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6597084, u'sha256': u'6ac6557d25978a5b206095094381e4d87b9ccc62a79b4e63bf94d476f00ecfc2', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 1384}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6598468, u'sha256': u'9a5d2dcc85ffdf224752a44a12d3e4423317214038741612537028aa91ee1fba', u'type': u'data', u'size': 9640}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6608108, u'sha256': u'89c09838cb633ed5101788d3b81576be15c488ac14502e98a0ecd09a141fe39a', u'type': u'data', u'size': 4264}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_ICON', u'offset': 6612372, u'sha256': u'b5eb69e11fb3455b6884645ac0c668017637d58ae3efa4a2cca271d425b0f02b', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 1128}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_RCDATA', u'offset': 6613500, u'sha256': u'133986a26f9bb96836c9b1c578909e724f704450142aa1673af1cd611edda536', u'type': u'ASCII text, with no line terminators', u'size': 43}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_RCDATA', u'offset': 6613544, u'sha256': u'b59043a36e406564e1187609711c3f7137bb2fc63768e305f0e73e3654d78db5', u'type': u'ASCII text, with CRLF line terminators', u'size': 857}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_RCDATA', u'offset': 6614404, u'sha256': u'47e4703552931bb814d4ef2c57a42360b7059ba8da15b2afd96f17d8fe8acf1e', u'type': u'ASCII text, with very long lines, with no line terminators', u'size': 2683559}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_GROUP_ICON', u'offset': 9297964, u'sha256': u'ff04be4a7bb195c3c8e75dd51720c0b6f660732b70dadbb0219ca43b85974779', u'type': u'MS Windows icon resource - 10 icons, 48x48, 16 colors', u'size': 146}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_VERSION', u'offset': 9298112, u'sha256': u'3f469bf9891a0895283c000e140a1ba9a741e80feeeb3763d8de7f580e8ec274', u'type': u'data', u'size': 932}

{u'lang': u'LANG_NEUTRAL', u'name': u'RT_MANIFEST', u'offset': 9299044, u'sha256': u'1e106f6a6ee8c49ce90fcf6721818d4ceeef3796ef3037576c1cba32a711f6b6', u'type': u'XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators', u'size': 3398}

CERTIFICATE VALIDATION

- Success

[+] Protected Antivirus Limited

Status	NoError
Start Date	2018-02-02 02:00:00
End Date	2019-12-31 02:00:00
Sha256	7b89ffe1ea5674ac8587de4e1a4050c216fe46cfc8567699e10abfac7efff625
Serial	0F03A447407371DB5338A3931F638AB7
Subject Key Identifier	62 9c 16 b2 92 94 1b 4b f4 d8 05 88 a4 13 82 7a f5 dd 6e 45
Issuer Name	DigiCert EV Code Signing CA
Issuer Key Identifier	ad 69 06 70 fc 80 1b 16 b3 a9 18 94 6b 94 02 86 5e f7 27 8c
Crl link	http://crl3.digicert.com/EVCodeSigning-g1.crl,http://crl4.digicert.com/EVCodeSigning-g1.crl
Key Usage	Digital Signature (80)
Extended Usage	Code Signing (1.3.6.1.5.5.7.3.3)

[+] DigiCert EV Code Signing CA

Status	NoError
Start Date	2012-04-18 03:00:00
End Date	2027-04-18 03:00:00
Sha256	90fd3ff1106fb03910c1772abc31faf3cbebb3270e61282baf37c7327e918d50
Serial	0DD0E3374AC95BDBFA6B434B2A48EC06
Subject Key Identifier	ad 69 06 70 fc 80 1b 16 b3 a9 18 94 6b 94 02 86 5e f7 27 8c
Issuer Name	DigiCert High Assurance EV Root CA
Issuer Key Identifier	b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3
Crl link	http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl,http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Key Usage	Digital Signature,Certificate Signing,Off-line CRL Signing,CRL Signing (86)
Extended Usage	Code Signing (1.3.6.1.5.5.7.3.3)

[+] DigiCert High Assurance EV Root CA

Status	NoError
Start Date	2006-11-10 02:00:00
End Date	2031-11-10 02:00:00
Sha256	ed960860d0e06c89fa3ff7723437b6812c6d7e1ad370c7885b1251d2e1c2a938
Serial	02AC5C266A0B409B8F0B79F2AE462577
Subject Key Identifier	b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3
Issuer Name	DigiCert High Assurance EV Root CA
Issuer Key Identifier	b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3
Crl link	undefined
Key Usage	Digital Signature,Certificate Signing,Off-line CRL Signing,CRL Signing (86)
Extended Usage	undefined

[+] DigiCert High Assurance EV Root CA

Status	RevocationStatusUnknown
Start Date	2011-04-15 10:45:33
End Date	2021-04-15 10:55:33
Sha256	a0507ad7c69b099b1471457945155838bb2a3cd40e7a4e32b38b9e4582e8bd30
Serial	61204DB4000000000027
Subject Key Identifier	b1 3e c3 69 03 f8 bf 47 01 d4 98 26 1a 08 02 ef 63 64 2b c3
Issuer Name	Microsoft Code Verification Root
Issuer Key Identifier	62 fb 0a 21 5b 7f 43 6e 11 da 09 54 50 6b f5 d2 96 71 f1 9e
Crl link	http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl
Key Usage	Digital Signature,Certificate Signing,Off-line CRL Signing,CRL Signing (86)
Extended Usage	undefined

File Name: 67eb0a16282599d3ead2977d264598fa31dd83f0

File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

SHA1: 67eb0a16282599d3ead2977d264598fa31dd83f0

MD5: ecebc09fec5652d173f5287faafb9c57

CREATED / DROPPED FILES

MATCH YARA RULES

STATIC FILE INFO

ADDITIONAL FILE INFORMATION

PE Headers

PE Sections

PE Imports

PE Resources

CERTIFICATE VALIDATION

[+] Protected Antivirus Limited

[+] DigiCert EV Code Signing CA

[+] DigiCert High Assurance EV Root CA

[+] DigiCert High Assurance EV Root CA