Tweaked script:
import re
import sys
import pefile
import struct
import binascii
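# Static string decoder for the sample analysed on this page.
#
# Usage: python <this script> <path to PE file>
#
# The script scans the raw file for an instruction sequence that loads the
# address of one buffer and a length, makes a call, then loads the address of
# a second buffer of the same length. Each match is decoded from the
# memory-mapped image with:
#     out[i] = ((buf1[i] + 2*i) ^ buf2[i]) % 256
# The file is only parsed, never executed.

with open(sys.argv[1], 'rb') as sample:
    data = sample.read()

pe = pefile.PE(data=data)
base = pe.OPTIONAL_HEADER.ImageBase
memdata = pe.get_memory_mapped_image()

# Hex-encode once and decode to text so the pattern runs over plain hex
# digits rather than over the repr of a bytes object ("b'...'").
hex_image = binascii.hexlify(data).decode('ascii')

# Each '.' is one hex digit (a nibble), so '.{10,100}' counts nibbles, not
# bytes; misaligned hits are filtered out in the loop below.
call_site = re.compile('''8d05......0089442404c7442408......00e8....e.ff8b44240c.{10,100}89.42404c7442408......00e8''')

decoded_strings = []
for match in call_site.finditer(hex_image):
    val = match.group(0)

    # A hit that starts on an odd hex digit, or has an odd number of digits,
    # does not line up with byte boundaries: unhexlify() would raise on the
    # odd length, and an odd start would decode garbage operands.
    if match.start() % 2 or len(val) % 2:
        print('skipping misaligned match at hex offset', match.start(),
              file=sys.stderr)
        continue

    code = binascii.unhexlify(val)
    # Operand layout inside the matched bytes:
    #   bytes 2..5    address of the first buffer  (after the 8d05 opcode)
    #   bytes 14..17  buffer length                (after c7442408)
    #   last 17 bytes begin with the address of the second buffer
    off1 = struct.unpack_from('<I', code, 2)[0] - base
    length = struct.unpack_from('<I', code, 14)[0]
    off2 = struct.unpack_from('<I', code, len(code) - 17)[0] - base

    # Reject operands that fall outside the mapped image. A negative offset
    # would otherwise be read as a from-the-end slice, and a truncated second
    # buffer would raise IndexError halfway through decoding.
    if min(off1, off2) < 0 or max(off1, off2) + length > len(memdata):
        print('skipping match with out-of-image operands at',
              hex(base + off1), file=sys.stderr)
        continue

    d1 = bytearray(memdata[off1:off1 + length])
    d2 = bytearray(memdata[off2:off2 + length])

    out = [((b1 + (2 * i)) ^ b2) % 256
           for i, (b1, b2) in enumerate(zip(d1, d2))]
    out_string = ''.join(chr(x) for x in out)

    decoded_strings.append(out_string)
    print(hex(base + off1), ' ', out_string)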
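Strings (script output: the virtual address of the first encoded buffer, then the decoded string; the RSA public key and the ransom note are single decoded strings that span several lines):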
0x61e0c3 kernel32.dll
0x61cee7 CreateMutexW
0x626843 Decrypt-Your-Files.txt
0x62f98f abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
0x617df6 EKANS
0x62a0a5 could not access service: %v
0x62a7b1 could not send control=%d: %v
0x62eb09 timeout waiting for service to go to state=%d
0x62cf64 could not retrieve service status: %v
0x6254e3 Acronis VSS Provider
0x6285dc Enterprise Client Service
0x61ec87 Sophos Agent
0x6288fc Sophos AutoUpdate Service
0x624f07 Sophos Clean Service
0x62ad3e Sophos Device Control Service
0x629e23 Sophos File Scanner Service
0x62625d Sophos Health Service
0x626050 Sophos Message Router
0x628045 Sophos Safestore Service
0x62ba1f Sophos System Protection Service
0x62955d Sophos Web Control Service
0x626ad7 SQLsafe Backup Service
0x626c8f SQLsafe Filter Service
0x627ead Symantec System Recovery
0x62bf00 Veeam Backup Catalog Data Service
0x61e0db AcronisAgent
0x619ece AcrSch2Svc
0x6197db Antivirus
0x617cdc ARSM
0x6291cf BackupExecAgentAccelerator
0x626bdf BackupExecAgentBrowser
0x62a1bd BackupExecDeviceMediaService
0x629e3e BackupExecManagementService
0x625303 BackupExecRPCService
0x62607a BackupExecVSSProvider
0x617d6a bedbg
0x6187d5 DCAgent
0x61c16e EsgShKernel
0x61ccd7 FA_Scheduler
0x618de8 IISAdmin
0x618da0 IMAP4Svc
0x619190 macmnsvc
0x617fbd masvc
0x61b944 MBAMService
0x62aded McAfeeFrameworkMcAfeeFramework
0x618ef0 McShield
0x61832a mfemms
0x6183c6 mfevtp
0x61c961 MsDtsServer
0x61e777 MSExchangeES
0x61ef93 MSExchangeIS
0x61d91f MSExchangeSA
0x61ac66 MSOLAP$TPS
0x61d70f MSSQL$ECWDB2
0x6261ca MSSQL$PROFXENGAGEMENT
0x619d06 MSSQL$TPS
0x61e1d7 MSSQL$TPSAMA
0x625ae7 MSSQL$VEEAMSQL2008R2
0x62b881 MSSQLFDLauncher$PROFXENGAGEMENT
0x62a808 MSSQLFDLauncher$SBSMONITORING
0x628e8f MSSQLFDLauncher$SHAREPOINT
0x627fcd MSSQLFDLauncher$SQL_2008
0x629251 MSSQLFDLauncher$SYSTEM_BGC
0x626b03 MSSQLFDLauncher$TPSAMA
0x61b76b MSSQLSERVER
0x626b45 MSSQLServerADHelper100
0x6266f9 MSSQLServerOLAPService
0x618703 MySQL57
0x618d70 ntrtscan
0x61e85b PDVFSService
0x6188ae POP3Svc
0x61dcf7 ReportServer
0x6261a0 ReportServer$SQL_2008
0x6276c2 ReportServer$SYSTEM_BGC
0x617ee6 RESvc
0x618348 sacsvr
0x617fdb SamSs
0x61aa36 SAVService
0x61833c SDRSVC
0x6199d3 ShMonitor
0x618a05 Smcinst
0x619fc8 SmcService
0x618a52 SMTPSvc
0x617ad4 SNAC
0x61b1d5 SntpService
0x619313 sophossps
0x6263d7 SQLAgent$PRACTTICEBGC
0x625cb4 SQLAgent$PRACTTICEMGT
0x627f25 SQLAgent$PROFXENGAGEMENT
0x626b19 SQLAgent$SBSMONITORING
0x61de53 SQLAgent$TPS
0x62760a SQLAgent$VEEAMSQL2008R2
0x6260e3 SQLAgent$VEEAMSQL2012
0x61a824 SQLBrowser
0x61de5f SQLTELEMETRY
0x619abd SQLWriter
0x618788 SstpSvc
0x61a4a0 swi_filter
0x61bf1c swi_service
0x618312 TmCCSF
0x618e18 tmlisten
0x6185cf TrueKey
0x624f7f TrueKeyServiceHelper
0x61979c UI0Detect
0x626c0b VeeamDeploymentService
0x628578 VeeamEnterpriseManagerSvc
0x61b5a8 VeeamNFSSvc
0x61e33f VeeamRESTSvc
0x617f63 W3Svc
0x618e40 wbengine
0x617f31 WRSVC
0x62614c VeeamHvIntegrationSvc
0x61b0a8 swi_update
0x6287d0 SQLAgent$CITRIX_METAFRAME
0x61c75c SQL Backups
0x61ac2a MSSQL$PROD
0x619028 EhttpSrv
0x6179a4 ekrn
0x618742 ESHASRV
0x61d763 MSSQL$SOPHOS
0x619060 klnagent
0x6191a8 kavfsslp
0x6188b5 KAVFSGT
0x617f0e KAVFS
0x6187a4 mfefire
0x6182d0 aswBcc
0x62f036 Avast Business Console Client Antivirus Service
0x617f27 mfewc
0x618ed8 WdNisSvc
0x619c1c WinDefend
0x62537b MCAFEEEVENTPARSERSRV
0x625f15 MSSQLFDLauncher$ITRIS
0x61c158 MSSQL$ITRIS
0x6256d7 MSSQLLaunchpad$ITRIS
0x61799c BITS
0x6254bb BrokerInfrastructure
0x617b48 epag
0x625137 EPIntegrationService
0x619cbe epredline
0x617fae TmPfw
0x625bf7 SentinelHelperService
0x625407 SentinelStaticEngine
0x625457 DB2GOVERNOR_DB2COPY1
0x625b79 DB2REMOTECMD_DB2COPY1
0x6191c8 DB2DAS00
0x6180a3 DB2-0
0x619098 DB2INST2
0x6266b7 MSSQL$CITRIX_METAFRAME
0x61be56 RumorServer
0x618d28 myAgtSvc
0x62cf89 McAfee SiteAdvisor Enterprise Service
0x618750 Alerter
0x617d83 ERSvc
0x618e68 Eventlog
0x61de23 ImapiService
0x6182e2 NetDDE
0x61881b NtLmSsp
0x61854a NtmsSvc
0x61812c odserv
0x6184be TlntSvr
0x6187ab VMTools
0x618330 VMware
0x619928 WebClient
0x618830 WinVNC4
0x618b80 Cissesrv
0x618f68 CpqRcmc3
0x6186d2 gupdate
0x618f20 gupdatem
0x625493 NimbusWatcherService
0x61baf1 SDD_Service
0x618814 sysdown
0x618354 System
0x629f1d GoogleChromeElevationService
0x61a248 bcrservice
0x618b40 ccEvtMgr
0x619020 ccSetMgr
0x6186cb CSAdmin
0x6182d6 CSAuth
0x618d60 CSDbSync
0x617ed7 CSLog
0x61804e CSMon
0x618c30 CSRadius
0x618cf8 CSTacacs
0x618af0 Symantec
0x626b5b vmware-converter-agent
0x627666 vmware-converter-server
0x6271a3 vmware-converter-worker
0x618af8 avbackup
0x61a2a2 MSSQL$NET2
0x61828e NetSvc
0x61bca9 TPVCGateway
0x628e29 VMwareCAFCommAmqpListener
0x62a249 VMwareCAFManagementAgentHost
0x618a0c RSCDsvc
0x618853 LRSDRVX
0x6195f5 msvsmon90
0x618f78 IDriverT
0x617a04 MSMQ
0x6178cf MMS
0x62b51d MSSQLFDLauncher$PROFXENGAGEMENT
0x61ae32 SQLBrowser
0x61790e AVP
0x628898 VeeamEnterpriseManagerSvc
0x61875e MySQL80
0x61c607 CAARCAppSvc
0x61b044 ASLogWatch
0x626b71 FireEye Endpoint Agent
0x617edc nxlog
0x6177f7 SAP
0x617e78 MSSQL
0x617e46 MySQL
0x617e7d mssql
0x6182c4 Sophos
0x617efa Veeam
0x618773 Cylance
0x61783f %v
0x6178e1 %v
0x6178c9 %v
0x617902 %v
0x61780f %v
0x6178fc %v
0x6284c9 worker %s started job %s
0x628802 error encrypting %v : %v
0x617638 \
0x61765c \
0x626bb3 There can be only one
0x63113a -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAt1GCKUHXITsiWc1d8V0vo1Y9Jm18RDZEmMS6OkHI7pZT0RHAThlR
BFITZY9bXrl6RFdUwmIX0WYn5ZqIlhLAEe1cqd8RpJ/KK2OeiTn0CJ1CGmOOJvfm
5rFa8whVAU9cnh/iVCcf+aEHJVcHhzB5tTtiT3lBIdfzaLL6GR5EmytbQ3V3O1Uk
Y4FCKxYOMVoPzPtRG3vo3688uUWpZIKBV7e6dht/mAhuCEIlRGcdpAEf6f4zUUYf
dtHcDafMVEA4Sy/DDsd76wAyBIM0XKLv1+vH476TN1K1tIRBrR98QFl5mlXkgqz6
h+Wpb/5KYWWvG0ZLZcu6eWOCGmLEmorvWQIDAQAB
-----END RSA PUBLIC KEY-----
0x618f10 bad pem
0x6178db %v
0x62b9df WbemScripting.SWbemNamedValueSet
0x617905 Add
0x626cfd __ProviderArchitecture
0x629133 CallMethod architecture%v
0x6296c9 WbemScripting.SWbemLocator
0x61b008 root\cimv2
0x62a5ad CallMethod ConnectServer %v
0x619a12 ExecQuery
0x62b027 SELECT * FROM Win32_ShadowCopy
0x617f77 Count
0x625f7e GetProperty Count %v
0x6193ac ItemIndex
0x617705 ID
0x618a28 Delete_
0x631871 --------------------------------------------
| What happened to your files?
--------------------------------------------
We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more -
all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry!
You can still get those files back and be up and running again in no time.
---------------------------------------------
| How to contact us to get your files back?
---------------------------------------------
The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.
Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with
better cyber security in mind. If you are interested in purchasing the decryption tool contact us at %s
-------------------------------------------------------
| How can you be certain we have the decryption tool?
-------------------------------------------------------
In your mail to us attach up to 3 non critical files (up to 3MB, no databases or spreadsheets).
We will send them back to you decrypted.
-------------------------------------------------------
0x61831e public
0x61c8e8 systemdrive
0x619c6d \Desktop\
0x61765b \
0x62884d [email protected]
0x6189c6 Global\
0x617f68 netsh
0x61b894 advfirewall
0x61777f set
0x61b7d9 allprofiles
0x62926b blockinbound,blockoutbound
0x618099 netsh
0x61b519 advfirewall
0x61792f set
0x61ba41 allprofiles
0x617f4f state
0x617721 on
0x617ec3 netsh
0x61c276 advfirewall
0x617782 set
0x61c9fb allprofiles
0x617f7c state
0x6177bb off
0x62e721 select DomainRole FROM Win32_ComputerSystem
0x61b524 ccflic0.exe
0x61b20c ccflic4.exe
0x61a78e nimbus.exe
0x62764f certificateprovider.exe
0x629b9b proficypublisherservice.exe
0x61a356 erlsrv.exe
0x61decb vmtoolsd.exe
0x62777a managementagenthost.exe
0x618dd0 epmd.exe
0x61bb75 hasplmv.exe
0x61b34b spooler.exe
0x618a2f hdb.exe
0x617eeb n.exe
0x628834 proficy administrator.exe
0x61999d ntevl.exe
0x619b9e prrds.exe
0x61df4f prrouter.exe
0x62541b prcalculationmgr.exe
0x61cb3f prreader.exe
0x61ed3b prwriter.exe
0x618471 cdm.exe
0x625fe7 musnotificationux.exe
0x61e153 client64.exe
0x61ad60 keysvc.exe
0x6268f3 config_api_service.exe
0x627735 fnplicensingservice.exe
0x62569b workflowresttest.exe
0x61e97b vmacthlp.exe
0x61e033 sqlservr.exe
0x61b27a msmdsrv.exe
0x62a06d reportingservicesservice.exe
0x61c33c dsmcsvc.exe
0x61c486 winvnc4.exe
0x619f46 client.exe
0x61cd97 collwrap.exe
0x627c0f bluestripecollector.exe
0x61a7ca dsmcad.exe
0x618876 smc.exe
0x61a07c dbsrv9.exe
0x61bfe2 rtvscan.exe
0x61b8cb csadmin.exe
0x61ec9f csdbsync.exe
0x619b56 csmon.exe
0x61afb8 csauth.exe
0x61987d cslog.exe
0x61d9df csradius.exe
0x61d53b cstacacs.exe
0x626b9d vmware-converter-a.exe
0x6257c7 vmware-converter.exe
0x61b6bb avagent.exe
0x62a8f0 paxton.net2.clientservice.exe
0x62c627 paxton.net2.commsserverservice.exe
0x6198e9 avscc.exe
0x61bb07 prunsrv.exe
0x626c63 googlecrashhandler.exe
0x627f85 googlecrashhandler64.exe
0x61a978 nd2svc.exe
0x61c423 tnslsnr.exe
0x61db53 omtsreco.exe
0x619e7e oracle.exe
0x61b1ca rscdsvc.exe
0x618f18 rscd.exe
0x61b26f firefox.exe
0x61a9dc chrome.exe
0x6195ad pcsws.exe
0x6198f2 pcscm.exe
0x61e663 cwbunnav.exe
0x61aaf4 rdrcef.exe
0x619ab4 ndrvx.exe
0x619931 ndrvs.exe
0x62551f dr_serviceengine.exe
0x626b2f teamviewer_service.exe
0x61d3bb sqlagent.exe
0x61a770 dwrcst.exe
0x619b83 zoolz.exe
0x61b45e agntsvc.exe
0x61c37e dbeng50.exe
0x61a0a4 dbsnmp.exe
0x61a5fe encsvc.exe
0x6196d6 excel.exe
0x61e5f7 infopath.exe
0x61cbe7 msaccess.exe
0x61cf8f msftesql.exe
0x619979 mspub.exe
0x6258df mydesktopservice.exe
0x619ea6 mysqld.exe
0x619a09 ocomm.exe
0x619cf4 ocssd.exe
0x61c418 onenote.exe
0x61ca11 outlook.exe
0x61e357 powerpnt.exe
0x619715 steam.exe
0x61ef03 synctime.exe
0x61a6e4 thebat.exe
0x61ee37 thebat64.exe
0x619cfd visio.exe
0x61c822 winword.exe
0x61c0ea wordpad.exe
0x61dc13 tmlisten.exe
0x61dca3 pccntmon.exe
0x61d313 ntrtscan.exe
0x61e543 mbamtray.exe
0x61a6a8 avgsvc.exe
0x61986b avgui.exe
0x619ef6 v3lite.exe
0x61a5b8 v3main.exe
0x618df0 v3sp.exe
0x61b1a9 avastui.exe
0x61cc23 avastsvc.exe
0x61b8b5 avguard.exe
0x61eba3 avshadow.exe
0x619a00 avgnt.exe
0x6262f0 avira.servicehost.exe
0x61b566 bdagent.exe
0x618ef8 bdss.exe
0x6277d6 bullguardbhvscanner.exe
0x624fa7 bullguardscanner.exe
0x61e0cf cmdagent.exe
0x61bb80 cistray.exe
0x6187ce cis.exe
0x61d98b dwengine.exe
0x627216 a2guard.exe.a2start.exe
0x618b28 egui.exe
0x619040 ekrn.exe
0x626248 fortisslvpndaemon.exe
0x61c767 fortiwf.exe
0x61c8bc fcappdb.exe
0x61b259 fcdblog.exe
0x618964 avp.exe
0x619a6c avpui.exe
0x61d5cb mcsacore.exe
0x61b217 mcapexe.exe
0x61d62b mcshield.exe
0x61d2bf mcsvhost.exe
0x61ccb3 psuamain.exe
0x61daff psanhost.exe
0x61884c ssp.exe
0x61cf23 ccsvchst.exe
0x61add8 smcgui.exe
0x625aab coreserviceshell.exe
0x625ffc coreframeworkhost.exe
0x61e093 uiseagnt.exe
0x61b831 paamsrv.exe
0x61b78c psh_svc.exe
0x61b8c0 aupdrun.exe
0x61943c acaas.exe
0x61e94b acaegmgr.exe
0x619acf acaif.exe
0x619766 acais.exe
0x619c7f ahnsd.exe
0x61c50a ahnsdsv.exe
0x61a310 autoup.exe
0x61ea23 v3clnsrv.exe
0x61b66e v3medic.exe
0x6196f1 v3svc.exe
0x61c137 aflogvw.exe
0x61ac5c ahnrpt.exe
0x61de6b atwsctsk.exe
0x61a892 v3exec.exe
0x61bf74 v3imscn.exe
0x61d65b monsvcnt.exe
0x61e1cb monsysnt.exe
0x61a522 aexsvc.exe
0x61eed3 atrshost.exe
0x61dc43 aclntusr.exe
0x61d7c3 pxemtftp.exe
0x61b923 aclient.exe
0x61a194 starta.exe
0x61967c stopa.exe
0x61954a anvir.exe
0x61d613 csrss_tc.exe
0x61d37f ashavast.exe
0x61a3b0 ashbug.exe
0x61d28f ashchest.exe
0x61a856 ashcmd.exe
0x61be61 ashdisp.exe
0x61da1b ashenhcd.exe
0x61c70f ashlogv.exe
0x61d83b ashmaisv.exe
0x61e813 ashpopwz.exe
0x61ce9f ashquick.exe
0x61b1e0 ashserv.exe
0x61eb2b ashsimp2.exe
0x61d6f7 ashsimpl.exe
0x61d8b3 ashskpcc.exe
0x61e2eb ashskpck.exe
0x61ad10 ashupd.exe
0x61ddb7 ashwebsv.exe
0x61c1d1 aswdisp.exe
0x61c087 aswserv.exe
0x61e2bb aswupdsv.exe
0x61cec3 aswwebsv.exe
0x61e183 avengine.exe
0x61b805 afwserv.exe
0x61df2b unsecapp.exe
0x61ed83 avgamsvr.exe
0x61983e avgas.exe
0x61b8e1 avgcc32.exe
0x6199c1 avgcc.exe
0x61be2a avgctrl.exe
0x61bc9e avgdiag.exe
0x61aa0e avgemc.exe
0x61bc93 avgfws8.exe
0x61dfaf avgfwsrv.exe
0x61c184 avginet.exe
0x61c788 avgmsvr.exe
0x61e453 avgrssvc.exe
0x61cfb3 avgscanx.exe
0x61cdc7 avgserv9.exe
0x61c98d avgserv.exe
0x61aa5e avgupd.exe
0x61dc67 avgupdln.exe
0x61da57 avgupsvc.exe
0x6192b9 avgvv.exe
0x619dc3 avgwb.dat
0x618e98 avgw.exe
0x61e003 avgwizfw.exe
0x619271 guard.exe
0x61d97f avgcsrvx.exe
0x61e3ab avgidsui.exe
0x6195e3 avgam.exe
0x61a702 avgnsx.exe
0x61bc72 avgfws9.exe
0x61a81a avgrsx.exe
0x61c024 avgtray.exe
0x61d55f avgwdsvc.exe
0x61bfcc sidebar.exe
0x61edb3 avgchsvx.exe
0x61c914 avgcmgr.exe
0x61ba57 avgemcx.exe
0x61a5c2 avgfws.exe
0x61e19b avgmfapx.exe
0x61e55b avgcsrva.exe
0x61ba4c avgemca.exe
0x61a982 avgnsa.exe
0x61a932 avgrsa.exe
0x61d59b avgregcl.exe
0x61d10f avgsystx.exe
0x619b29 vprot.exe
0x61d6bb avcenter.exe
0x61cd73 avconfig.exe
0x61b030 avesvc.exe
0x61ba78 avmailc.exe
0x61c817 avmcdlg.exe
0x61ece7 avnotify.exe
0x61abee avscan.exe
0x61d2ef guardgui.exe
0x61bdc7 avadmin.exe
0x61b427 avfwsvc.exe
0x61e40b avwebgrd.exe
0x61a0cc fwinst.exe
0x61bd38 bavtray.exe
0x61e34b bhipssvc.exe
0x618b60 bmrt.exe
0x61bc88 gziface.exe
0x61ab08 gzserv.exe
0x618463 bdc.exe
0x61a7c0 bdlite.exe
0x61a572 bdmcon.exe
0x61d20b bdsubmit.exe
0x61b760 livesrv.exe
0x61abd0 vsserv.exe
0x61e49b xcommsvr.exe
0x618933 bka.exe
0x6250fb bkavsystemserver.exe
0x61a9b4 blupro.exe
0x61a19e blackd.exe
0x61d82f blackice.exe
0x61c7a9 proutil.exe
0x61a996 rapapp.exe
0x61b9e9 basfipm.exe
0x6196a0 isafe.exe
0x61a9a0 cavrid.exe
0x61a806 vetmsg.exe
0x618e08 amswmagt
0x6184cc caf.exe
0x618917 capmuam
0x618424 agt.exe
0x61ebbb ccsmagtd.exe
0x61c9a3 cfsmsmd.exe
0x619b71 alert.exe
0x61d733 igateway.exe
0x61b340 inotask.exe
0x619090 caav.exe
0x619050 cafw.exe
0x61b47f capfaem.exe
0x61c071 capfsem.exe
0x627ec5 cappactiveprotection.exe
0x6255bf casecuritycenter.exe
0x61a20c caunst.exe
0x61a964 cavrep.exe
0x619ffa cctray.exe
0x61e45f ccupdate.exe
0x61e30f isafinst.exe
0x62a185 itmrt_supportdiagnostics.exe
0x61d793 itmrtsvc.exe
0x61b97b ppclean.exe
0x61e07b umxagent.exe
0x61ae6e umxcfg.exe
0x61e5df umxfwhlp.exe
0x61acb6 umxpol.exe
0x61bd4e unvet32.exe
0x61e79b capfasem.exe
0x61e7d7 ccprovsp.exe
0x618e78 casc.exe
0x61e9f3 inonmsrv.exe
0x61a888 inoweb.exe
0x61cc17 krbcc32s.exe
0x618a59 pep.exe
0x61be09 realmon.exe
0x61ec63 repmgr64.exe
0x61e06f okclient.exe
0x61d463 clamscan.exe
0x61cbb7 clamtray.exe
0x61bae6 clamwin.exe
0x61e61b ccemflsv.exe
0x61bd2d cssauth.exe
0x61c35d cavscan.exe
0x618f50 clps.exe
0x61aa68 clpsla.exe
0x61a838 clpsls.exe
0x61892c cfp.exe
0x61d9a3 cfplogvw.exe
0x61cd5b cfpsbmit.exe
0x61cbdb cfpupdat.exe
0x61cfd7 crashrep.exe
0x618607 cpf.exe
0x61d29b cfpconfg.exe
0x61dcc7 cramtray.exe
0x61a928 crssvc.exe
0x619cac amsvc.exe
0x61e6c3 drwagnui.exe
0x61bd43 drweb32.exe
0x61ef3f drweb32w.exe
0x61e483 drweb386.exe
0x61d34f drwebcgp.exe
0x61b9a7 drwebdc.exe
0x6196df drweb.exe
0x61da6f drwebmng.exe
0x61dd87 drwebscd.exe
0x61ddab drwebupw.exe
0x61dfdf drwebwcl.exe
0x61eb37 drwebwin.exe
0x61c14d drwinst.exe
0x61e063 spiderml.exe
0x61dddb spidernt.exe
0x61d8d7 spiderui.exe
0x61ce0f drwagntd.exe
0x61dac3 drwebcom.exe
0x61da03 eeyeevnt.exe
0x61c49c a2guard.exe
0x61c3ec a2start.exe
0x61d13f usergate.exe
0x61ceb7 esmagent.exe
0x618972 era.exe
0x62711d ppmcativedetection.exe
0x61b9d3 vettray.exe
0x61b2dd cavtray.exe
0x61a112 inorpc.exe
0x619c37 inort.exe
0x618240 ca.exe
0x61bc67 caissdt.exe
0x61c00e etagent.exe
0x61ce03 evtarmgr.exe
0x61a0c2 evtmgr.exe
0x61d937 etcorrel.exe
0x625a97 evtprocessecfile.exe
0x62808d nslocollectorservice.exe
0x618b30 fmon.exe
0x61befb fortifw.exe
0x61bf32 fameh32.exe
0x61995e fspex.exe
0x618c98 fsaa.exe
0x618e10 bwgo0000
0x619a48 fch32.exe
0x6197d2 fih32.exe
0x61978a fsaua.exe
0x61a482 fsav32.exe
0x61a4e6 fscuif.exe
0x61adc4 fsdfwd.exe
0x61a25c fsgk32.exe
0x61dd7b fsgk32st.exe
0x61e477 fsguidll.exe
0x61e4bf fsguiexe.exe
0x61ef4b fshdll32.exe
0x619862 fsm32.exe
0x61a5e0 fsma32.exe
0x61aa4a fsmb32.exe
0x61ab26 fsorsp.exe
0x618d40 fspc.exe
0x618c40 fsqh.exe
0x61abbc fssm32.exe
0x61ba20 tnbutil.exe
0x61c40d fsavgui.exe
0x61a7d4 gdscan.exe
0x61dadb avkproxy.exe
0x61b7ef avktray.exe
0x61c977 avkwctl.exe
0x61b734 gdfwsvc.exe
0x625263 endpointsecurity.exe
0x626767 gfireporterservice.exe
0x61dcbb rcsvcmon.exe
0x61cf9b loggetor.exe
0x61db8f pthosttr.exe
0x61dd03 hpqwmiex.exe
0x626305 privacyiconclient.exe
0x61d727 rapuisvc.exe
0x61a518 vpatch.exe
0x61beda tclproc.exe
0x61a392 isscsf.exe
0x61cf3b kvdetech.exe
0x61c21e kvmonxp.kxp
0x61e297 kvolself.exe
0x61c94b kvsrvxp.exe
0x618e58 kvxp.kxp
0x6193fd avpcc.exe
0x61bfb6 avpexec.exe
0x618e70 avpm.exe
0x61acde avpncc.exe
0x618de0 avps.exe
0x61ac7a avpupd.exe
0x61868c kav.exe
0x61e1e3 kavisarv.exe
0x61925f kavmm.exe
0x6199b8 kavss.exe
0x61a568 kavsvc.exe
0x6186d9 kis.exe
0x61e693 klnagent.exe
0x619c76 klswd.exe
0x61ed6b klwtblfs.exe
0x61c6a1 kwsprod.exe
0x61c3aa up2date.exe
0x61cd43 klserver.exe
0x61ba2b kavfsgt.exe
0x61e16b kavfsrcn.exe
0x619619 kavfs.exe
0x61b6f2 kavfswp.exe
0x61dc07 kavshell.exe
0x61e0b7 avpdtagt.exe
0x619f28 netcfg.exe
0x61e6cf kavfsscs.exe
0x61bddd kavtray.exe
0x61a31a persfw.exe
0x61d7b7 avserver.exe
0x61ce33 winroute.exe
0x61b0e4 wrctrl.exe
0x61b5be kaccore.exe
0x61b3ae kastray.exe
0x61b495 kislive.exe
0x61d80b kmailmon.exe
0x61b939 kxeserv.exe
0x61a086 uplive.exe
0x61c1dc kansgui.exe
0x61a32e kansvr.exe
0x61d71b kavstart.exe
0x61c8f3 kpfwsvc.exe
0x61a5ae kwatch.exe
0x6199e5 kav32.exe
0x61af2c kissvc.exe
0x61a270 kpfw32.exe
0x61a69e system.exe
0x61df7f wssfcmai.exe
0x6197a5 nlsvc.exe
0x61a680 mfeann.exe
0x61d11b nailgpip.exe
0x61bcd5 rpcserv.exe
0x61ad1a srvmon.exe
0x61c4a7 mcagent.exe
0x61cf83 mfemactl.exe
0x61ec4b macmnsvc.exe
0x619d9f masvc.exe
0x61d38b masalert.exe
0x61ad06 msssrv.exe
0x61ac16 massrv.exe
0x61b062 msscli.exe
0x61e687 mcshld9x.exe
0x61e78f mgavrtcl.exe
0x61dfd3 mcappins.exe
0x61b6a5 mcvsrte.exe
0x61c02f mfefire.exe
0x61c6e3 dao_log.exe
0x61be35 firesvc.exe
0x61d5d7 firetray.exe
0x61a52c mfeesp.exe
0x61eb97 naprdmgr.exe
0x6187dc cpd.exe
0x619c01 mfefw.exe
0x61cc53 cmgrdian.exe
0x61c649 mcshell.exe
0x61a644 mfehcs.exe
0x619e9c mcinfo.exe
0x619a99 hwapi.exe
0x625637 mcafeedatabackup.exe
0x61ce87 mcmscsvc.exe
0x61c2e4 mcnasvc.exe
0x6199a6 mcods.exe
0x61e9db mcpromgr.exe
0x61b621 mcproxy.exe
0x61c54c mcuimgr.exe
0x61a4fa mpfsrv.exe
0x61a1d0 mpsevh.exe
0x61847f mps.exe
0x61e1b3 msksrver.exe
0x61d9d3 redirsvc.exe
0x61c1b0 siteadv.exe
0x61aa86 mfemms.exe
0x61edd7 neotrace.exe
0x61e993 vshwin32.exe
0x61e5c7 mpfagent.exe
0x618845 mpf.exe
0x61c52b mpftray.exe
0x61e63f mscifapp.exe
0x61c9c4 mfevtps.exe
0x61a9d2 qclean.exe
0x61d9bb mcregwiz.exe
0x61ce57 rssensor.exe
0x61d307 ncdaemon.exe
0x61a716 mcdash.exe
0x61d073 mcdetect.exe
0x61df73 mskdetct.exe
0x61c536 msksrvr.exe
0x61e327 mskagent.exe
0x61c310 stinger.exe
0x61de47 mcsysmon.exe
0x61e873 mctskshd.exe
0x619cd0 mfetp.exe
0x61dd4b myagttry.exe
0x61cb4b mcupdmgr.exe
0x61da0f rulaunch.exe
0x61cdd3 mcvsshld.exe
0x619b20 tbmon.exe
0x61cfbf alogserv.exe
0x61e7bf mcmnhdlr.exe
0x61a82e mghtml.exe
0x6199dc edisk.exe
0x61a8b0 scan32.exe
0x6258f3 frameworkservice.exe
0x61dd1b mcconsol.exe
0x61a6da mctray.exe
0x61e52b mcupdate.exe
0x61a11c shstat.exe
0x61e24f udaterui.exe
0x61a9c8 mcepoc.exe
0x61df67 mcepocfg.exe
0x61e897 mcwcecfg.exe
0x61928c mcwce.exe
0x61a39c vsmain.exe
0x61c0be oasclnt.exe
0x61a86a vsstat.exe
0x61d0a3 mcvsftsn.exe
0x61d7f3 avconsol.exe
0x61ee67 avsynmgr.exe
0x61d1ab vstskmgr.exe
0x61e7ef webscanx.exe
0x619943 mfewc.exe
0x61a914 mfewch.exe
0x628015 giantantispywaremain.exe
0x629a8d giantantispywareupdater.exe
0x625eeb gcasinstallhelper.exe
0x61d35b gcasserv.exe
0x61990d fcsms.exe
0x61a5cc fcssas.exe
0x61a5f4 nissrv.exe
0x619dd5 dpmra.exe
0x61b2e8 msseces.exe
0x61bbcd wscntfy.exe
0x62646a aesecurityservice.exe
0x61b918 nerosvc.exe
0x61d3eb nlclient.exe
0x618e90 crdm.exe
0x61bf95 nmagent.exe
0x61e5d3 ehttpsrv.exe
0x6197e4 nod32.exe
0x61ea77 nod32krn.exe
0x61e48f nod32kui.exe
0x61964f cclaw.exe
0x61bfed elogsvc.exe
0x61887d nip.exe
0x61b09e nipsvc.exe
0x61c121 njeeves.exe
0x61b361 npfmsg2.exe
0x61ab94 npfmsg.exe
0x61ea9b npfsvice.exe
0x61d7ff nrmenctb.exe
0x61a59a nvcoas.exe
0x61ce4b nvcsched.exe
0x6195ec nymse.exe
0x6192d4 zanda.exe
0x618909 zlh.exe
0x61cecf ixaptsvc.exe
0x61bbf9 ixavsvc.exe
0x61c352 ixfwsvc.exe
0x61e8d3 emlproui.exe
0x61e7a7 emlproxy.exe
0x61975d mpsvc.exe
0x61dbef onlinent.exe
0x61bc04 onlnsvc.exe
0x61b684 scanmsg.exe
0x61eeaf scanwscs.exe
0x61c0b3 tsansrf.exe
0x61b41c tsatisy.exe
0x61e3ff tscutynt.exe
0x61ac52 tsmpnt.exe
0x61ac84 upschd.exe
0x61b616 xfilter.exe
0x61850b aps.exe
0x6188a7 aus.exe
0x61baa4 outpost.exe
0x619e74 avtask.exe
0x61d1c3 clshield.exe
0x61c2c3 console.exe
0x61c541 cpntsrv.exe
0x61b2a6 padfsvr.exe
0x61ca97 pavfnsvr.exe
0x61a8f6 pavkre.exe
0x61c583 pavprot.exe
0x619fe6 pnmsrv.exe
0x61bb5f psimsvc.exe
0x61ab76 pavupg.exe
0x61a57c remupd.exe
0x6197c9 iface.exe
0x61e8a3 pavfires.exe
0x61bd90 pavmail.exe
0x61dfeb pavprsrv.exe
0x61d92b pavsched.exe
0x61cd37 pavsrv50.exe
0x61d4c3 pavsrv51.exe
0x61d5fb pavsrv52.exe
0x61b38d prevsrv.exe
0x619646 tpsrv.exe
0x61a630 pagent.exe
0x61da63 pagentwd.exe
0x61c3d6 psctris.exe
0x61cfa7 apvxdwin.exe
0x61a9e6 inicio.exe
0x61ecc3 pavbckpt.exe
0x61c44f pavjobs.exe
0x61c3cb psctrls.exe
0x61ab58 pshost.exe
0x61caa3 psimreal.exe
0x61ee7f pskmssvc.exe
0x61b970 srvload.exe
0x61d373 webproxy.exe
0x61e753 avltmain.exe
0x61bbb7 pviewer.exe
0x6197f6 pview.exe
0x618ec8 pmon.exe
0x6184b0 fws.exe
0x61be4b ccenter.exe
0x619793 ravxp.exe
0x61dbcb rfwproxy.exe
0x61bbee rfwstub.exe
0x61ce63 knownsvr.exe
0x6187ff ras.exe
0x619f64 rasupd.exe
0x61a072 upfile.exe
0x61ac34 rstray.exe
0x61eb07 ravalert.exe
0x618a36 rav.exe
0x61bf48 ravmond.exe
0x61a0ae ravmon.exe
0x61b8d6 ravstub.exe
0x61b264 ravtask.exe
0x61b965 ravtray.exe
0x61da7b rnreport.exe
0x61dbfb rsnetsvr.exe
0x61b550 scanfrm.exe
0x61b382 rfwmain.exe
0x61ac98 rfwsrv.exe
0x61aec8 winlog.exe
0x61c9ae snhwsrv.exe
0x61ae82 snicon.exe
0x6197ff snsrv.exe
0x6191d0 smsx.exe
0x61d2a7 svcharge.exe
0x61d6a3 svdealer.exe
0x61bef0 svframe.exe
0x61a5a4 svtray.exe
0x619661 sschk.exe
0x61b755 trjscan.exe
0x6192dd trupd.exe
0x62538f ssecuritymanager.exe
0x61a450 dltray.exe
0x619835 almon.exe
0x6191c0 lmon.exe
0x61d25f sweepsrv.sys
0x61ed8f swnetsup.exe
0x619d18 alsvc.exe
0x61e8df alupdate.exe
0x61bbc2 savmain.exe
0x61deb3 sav32cli.exe
0x62c06b certificationmanagerservicent.exe
0x626d81 emlibupdateagentnt.exe
0x625c75 managementagentnt.exe
0x61becf mgntsvc.exe
0x61ebaf routernt.exe
0x61dae7 schdsrvc.exe
0x61c47b scftray.exe
0x6196b2 sgbhp.exe
0x61da93 pctsauxs.exe
0x61c2d9 pctsgui.exe
0x61c73b pctssvc.exe
0x61df1f pctstray.exe
0x61c0d4 regmech.exe
0x61e603 svcntaux.exe
0x61a4aa swdsvc.exe
0x619742 swnxt.exe
0x61d40f execstat.exe
0x61b474 seestat.exe
0x61e01b swserver.exe
0x61ab6c slee81.exe
0x61c470 kpf4gui.exe
0x61a46e kpf4ss.exe
0x61ba6d acctmgr.exe
0x61e783 alertsvc.exe
0x61d577 appsvc32.exe
0x618ad8 ccap.exe
0x619859 ccapp.exe
0x61ccef ccevtmgr.exe
0x61bc51 ccproxy.exe
0x61e37b ccpxysvc.exe
0x61d817 ccsetmgr.exe
0x61c725 checkup.exe
0x6189b8 cka.exe
0x61c4de comhost.exe
0x61b201 cpdclnt.exe
0x61e267 csinject.exe
0x61ed9b csinsm32.exe
0x61e9e7 csinsmnt.exe
0x61ab4e dbserv.exe
0x61e027 defwatch.exe
0x618ea0 defwatch
0x61c0a8 diskmon.exe
0x61d607 djsnetcn.exe
0x61a586 doscan.exe
0x61db9b dwhwizrd.exe
0x61935b fwcfg.exe
0x61bd22 ghost_2.exe
0x61c1e7 icepack.exe
0x61b2d2 idsinst.exe
0x61df8b ispwdsvc.exe
0x619349 issvc.exe
0x61982c isuac.exe
0x6199f7 luall.exe
0x61e0f3 lucoms~1.exe
0x61a130 lucoms.exe
0x61b0d0 mcui32.exe
0x61e3cf navapsvc.exe
0x61e537 navapw32.exe
0x61dc4f navectrl.exe
0x61c940 navelog.exe
0x61a950 navesp.exe
0x61de9b navshcom.exe
0x61a90a navw32.exe
0x61a126 navwnt.exe
0x61bb8b ndetect.exe
0x61bf5e ngctw32.exe
0x61e6ab ngserver.exe
0x61e6db nisoptui.exe
0x61bee5 nisserv.exe
0x619c88 nisum.exe
0x6195c8 nmain.exe
0x61ddf3 npfmntor.exe
0x61ec1b nprotect.exe
0x61e75f npscheck.exe
0x61ab44 npssvc.exe
0x61e147 nscsrvce.exe
0x619f5a nsctop.exe
0x61a6d0 nsmdtr.exe
0x61e03f olfsnt40.exe
0x61acca opscan.exe
0x61c2ce poproxy.exe
0x61e6f3 pqv2isvc.exe
0x61a752 qdcsfs.exe
0x61be8d qserver.exe
0x6191b0 rnav.exe
0x61c3b5 savroam.exe
0x61c4bd savscan.exe
0x619577 savui.exe
0x61ac70 sbserv.exe
0x617c14 scan
0x61dcd3 explicit.exe
0x619fd2 semsvc.exe
0x61ae0a sesclu.exe
0x61c4f4 sevinst.exe
0x61dd93 smsectrl.exe
0x61bea3 smselog.exe
0x61c003 smsesjm.exe
0x61a504 smsesp.exe
0x61b679 smsesrv.exe
0x61ef33 smsetask.exe
0x61a72a smseui.exe
0x6187f8 sms.exe
0x61a7b6 sndmon.exe
0x61c2ad sndsrvc.exe
0x61e087 spbbcsvc.exe
0x61db47 symlcsvc.exe
0x61d5bf symsport.exe
0x61c208 symtray.exe
0x61b03a symwsc.exe
0x61edbf sysdoc32.exe
0x61d47b updtnv28.exe
0x61d7e7 urllstck.exe
0x61de3b usrprmpt.exe
0x61968e vpc32.exe
0x61bd0c vpdn_lu.exe
0x61c7f6 vprosvc.exe
0x61e84f wfxctl32.exe
0x61d097 wfxmod32.exe
0x61e36f wfxsnt40.exe
0x629820 savfmsespamstatsmanager.exe
0x618b78 snac.exe
0x61876c ssm.exe
0x61a162 vptray.exe
0x61c5a4 procexp.exe
0x61a37e tdimon.exe
0x618f90 tfun.exe
0x619b17 tfgui.exe
0x61a8a6 tftray.exe
0x61de0b tiaspn~1.exe
0x61e39f traflnsp.exe
0x61d56b asupport.exe
0x61e21f isntsmtp.exe
0x61bad0 nsmdemf.exe
0x61c82d nsmdmon.exe
0x61dd0f nsmdreal.exe
0x61c998 nsmdsch.exe
0x61ae64 ofcdog.exe
0x6196cd pccnt.exe
0x61ee13 pccntupd.exe
0x61d8cb pcctlcom.exe
0x61defb pcscnsrv.exe
0x61a9fa schupd.exe
0x61c18f tmntsrv.exe
0x619d4e tmpfw.exe
0x61b810 tmproxy.exe
0x618ff0 tmas.exe
0x61a6ee aphost.exe
0x618749 mrf.exe
0x619b3b dwwin.exe
0x61927a patch.exe
0x61e807 pccguide.exe
0x61ea8f pcclient.exe
0x61a018 pccpfw.exe
0x61a3a6 pcscan.exe
0x61e9cf pntiomon.exe
0x61e717 pop3pack.exe
0x61dea7 pop3trap.exe
0x61b356 spntsvc.exe
0x61981a stopp.exe
0x61efc3 usbguard.exe
0x61be40 sbamsvc.exe
0x61c7e0 vrvmail.exe
0x61a158 vrvmon.exe
0x61a77a vrvnet.exe
0x618806 vrv.exe
0x618fe0 wrsa.exe
0x62936f websensecontrolservice.exe
0x61e3b7 mpcmdrun.exe
0x61c58e msascui.exe
0x61b92e msmpeng.exe
0x61cd7f mspmspsv.exe
0x61dd6f kb891711.exe
0x61a66c zavaux.exe
0x61c71a zavcore.exe
0x61a004 zillya.exe
0x61e837 zlclient.exe
0x619823 vsmon.exe
0x61a93c iswmgr.exe
0x619a7e zapro.exe
0x61ede3 mantispm.exe
0x618f28 xagt.exe
0x6293f1 faild to get process list
0x617917 %v
0x629731 cant kill process %v : %v
0x617fb8 \temp
0x617de2 .docx
0x6182ac .accdb
0x618306 .accde
0x6182ee .accdr
0x6180ea .accdt
0x617b64 .asp
0x617ed2 .aspx
0x617d74 .back
0x618902 .backup
0x6196c4 .backupdb
0x617b2c .bak
0x617cf8 .mdb
0x617b90 .mdc
0x617cd8 .mdf
0x617b98 .war
0x617b24 .xls
0x617e9b .xlsx
0x617f22 .xlsm
0x617cf4 .xlr
0x617ab0 .zip
0x617b74 .rar
0x619325 .sqlitedb
0x617bb8 .sql
0x6177eb .py
0x617f86 .ppam
0x617b7c .pps
0x617d65 .ppsm
0x617f81 .ppsx
0x617b14 .ppt
0x617b78 pptm
0x617d7e .pptx
0x6179a0 .hpp
0x618094 .java
0x617c6c .jsp
0x617ab4 .php
0x617b3c .doc
0x617eff .docm
0x617c4c .pst
0x617a08 .psd
0x617b10 .dot
0x617a70 dotm
0x617ab8 .cpp
0x61791a .cs
0x617b70 .csv
0x617aec .bkp
0x6178f6 .db
0x61c9b9 .db-journal
0x61878f .csproj
0x617c40 .sln
0x6178d5 .md
0x6178d8 .pl
0x617908 .js
0x617d15 .html
0x617b8c .htm
0x617b30 .dbf
0x617afc .rdo
0x617b4c .arc
0x617af8 .vhd
0x617f13 .vmdk
0x617bb4 .vdi
0x617eaa .vhdx
0x617ce8 .edb
0x617727 .c
0x61772f .h
0x617b94 .dll
0x617a5c .exe
0x617b28 .sys
0x6179dc .mui
0x617bd4 .tmp
0x617b38 .lnk
0x6185a5 .config
0x6195fe .manifest
0x617a4c .tlb
0x617ac8 .olb
0x617b6c .blf
0x617ae0 .ico
0x61d74b .regtrans-ms
0x617a10 .bat
0x617a0c .cmd
0x617b40 .ps1
0x61bfab desktop.ini
0x61d283 iconcache.db
0x61a496 ntuser.dat
0x61a04a ntuser.ini
0x61e573 usrclass.dat
0x6187b2 bootmgr
0x61871f bootnxt
0x6181c8 windir
0x61b74a SystemDrive
0x61826a :\Boot
0x6299eb :\System Volume Information
0x61a036 :\Recovery
0x6195bf \AppData\
0x61802b ntldr
0x61e507 NTDETECT.COM
0x618e20 boot.ini
0x61cc6b bootfont.bin
0x61d0eb bootsect.bak
0x61c09d desktop.ini
0x61ae28 ctfmon.exe
0x61cdaf iconcache.db
0x61b06c ntuser.dat
0x61a054 ntuser.ini
0x6192a7 thumbs.db
0x630aa8 .+\\Microsoft\\(User Account Pictures|Windows\\(Explorer|Caches)|Device Stage\\Device|Windows)\\
0x6177e2 %v