1da3bb21...15e3 | Grouped Behavior
VTI SCORE: 96/100
Dynamic Analysis Report
Classification: Trojan

1da3bb217a3d771d357edfc401ac3835c29066e5d0a795e12aabd4b888bd15e3 (SHA256)

Godsomware.exe

Windows Exe (x86-32)

Created at 2018-10-06 16:50:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xfd4 Analysis Target High (Elevated) godsomware.exe "C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe" -
#2 0x930 Autostart Medium godsomware.exe "C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe" -

Behavior Information - Grouped by Category

Process #1: godsomware.exe
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\godsomware.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:29, Reason: Analysis Target
Unmonitor End Time: 00:04:39, Reason: Terminated by Timeout
Monitor Duration 00:04:10
OS Process Information
Information Value
PID 0xfd4
Parent PID 0x820 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFD8, 0xFDC, 0xFE0, 0xFE4, 0xFE8, 0xFF8, 0xFFC, 0x84, 0xA70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
godsomware.exe 0x005d0000 0x00801fff Memory Mapped File rwx True True False
private_0x0000000000810000 0x00810000 0x0082ffff Private Memory rw True False False -
pagefile_0x0000000000810000 0x00810000 0x0081ffff Pagefile Backed Memory rw True False False -
private_0x0000000000820000 0x00820000 0x00823fff Private Memory rw True False False -
private_0x0000000000830000 0x00830000 0x00830fff Private Memory rw True False False -
pagefile_0x0000000000840000 0x00840000 0x00853fff Pagefile Backed Memory r True False False -
private_0x0000000000860000 0x00860000 0x0089ffff Private Memory rw True False False -
private_0x00000000008a0000 0x008a0000 0x0099ffff Private Memory rw True False False -
pagefile_0x00000000009a0000 0x009a0000 0x009a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009b0000 0x009b0000 0x009b0fff Pagefile Backed Memory r True False False -
private_0x00000000009c0000 0x009c0000 0x009c1fff Private Memory rw True False False -
locale.nls 0x009d0000 0x00a8dfff Memory Mapped File r False False False -
private_0x0000000000a90000 0x00a90000 0x00acffff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00ad0fff Private Memory rw True False False -
pagefile_0x0000000000ae0000 0x00ae0000 0x00ae0fff Pagefile Backed Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00afffff Private Memory rw True False False -
pagefile_0x0000000000b00000 0x00b00000 0x00b0ffff Pagefile Backed Memory rw True False False -
private_0x0000000000b10000 0x00b10000 0x00b1ffff Private Memory - True False False -
private_0x0000000000b20000 0x00b20000 0x00b2ffff Private Memory - True False False -
private_0x0000000000b30000 0x00b30000 0x00c2ffff Private Memory rw True False False -
private_0x0000000000c30000 0x00c30000 0x00d2ffff Private Memory rw True False False -
private_0x0000000000d30000 0x00d30000 0x00d3ffff Private Memory - True False False -
private_0x0000000000d40000 0x00d40000 0x00d4ffff Private Memory - True False False -
private_0x0000000000d50000 0x00d50000 0x00d5ffff Private Memory - True False False -
private_0x0000000000d60000 0x00d60000 0x00d60fff Private Memory rw True False False -
private_0x0000000000d70000 0x00d70000 0x00d70fff Private Memory rw True False False -
private_0x0000000000d80000 0x00d80000 0x00d8ffff Private Memory rw True False False -
private_0x0000000000d90000 0x00d90000 0x00d9ffff Private Memory - True False False -
private_0x0000000000da0000 0x00da0000 0x00daffff Private Memory rwx True False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory rw True False False -
private_0x0000000000df0000 0x00df0000 0x00e2ffff Private Memory rw True False False -
private_0x0000000000e30000 0x00e30000 0x00e3ffff Private Memory - True False False -
private_0x0000000000e40000 0x00e40000 0x00e4ffff Private Memory rw True False False -
private_0x0000000000e50000 0x00e50000 0x00e5ffff Private Memory rw True False False -
private_0x0000000000e60000 0x00e60000 0x00e6ffff Private Memory rw True False False -
pagefile_0x0000000000e70000 0x00e70000 0x00ff7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001000000 0x01000000 0x01180fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001190000 0x01190000 0x0258ffff Pagefile Backed Memory r True False False -
private_0x0000000002590000 0x02590000 0x0268ffff Private Memory rw True False False -
private_0x0000000002690000 0x02690000 0x0468ffff Private Memory rw True False False -
private_0x0000000004690000 0x04690000 0x0472ffff Private Memory rw True False False -
private_0x0000000004730000 0x04730000 0x0482ffff Private Memory rw True False False -
sortdefault.nls 0x04830000 0x04b66fff Memory Mapped File r False False False -
private_0x0000000004b70000 0x04b70000 0x04c3ffff Private Memory rw True False False -
private_0x0000000004b70000 0x04b70000 0x04b9ffff Private Memory - True False False -
private_0x0000000004ba0000 0x04ba0000 0x04baffff Private Memory - True False False -
private_0x0000000004bb0000 0x04bb0000 0x04bbffff Private Memory - True False False -
private_0x0000000004bc0000 0x04bc0000 0x04bcffff Private Memory - True False False -
private_0x0000000004bd0000 0x04bd0000 0x04bdffff Private Memory - True False False -
private_0x0000000004be0000 0x04be0000 0x04beffff Private Memory - True False False -
pagefile_0x0000000004bf0000 0x04bf0000 0x04bf0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004bf0000 0x04bf0000 0x04bf3fff Pagefile Backed Memory r True False False -
private_0x0000000004c00000 0x04c00000 0x04c03fff Private Memory rw True False False -
private_0x0000000004c10000 0x04c10000 0x04c1ffff Private Memory rw True False False -
private_0x0000000004c20000 0x04c20000 0x04c2ffff Private Memory rw True False False -
accessibility.dll 0x04c20000 0x04c29fff Memory Mapped File rwx True False False -
private_0x0000000004c30000 0x04c30000 0x04c3ffff Private Memory rw True False False -
microsoft.visualbasic.dll 0x04c40000 0x04cdbfff Memory Mapped File rwx True False False -
comctl32.dll 0x04ce0000 0x04d6efff Memory Mapped File r False False False -
private_0x0000000004ce0000 0x04ce0000 0x04ceffff Private Memory - True False False -
private_0x0000000004cf0000 0x04cf0000 0x04cfffff Private Memory rw True False False -
private_0x0000000004d00000 0x04d00000 0x04d0ffff Private Memory rw True False False -
pagefile_0x0000000004d00000 0x04d00000 0x04d01fff Pagefile Backed Memory r True False False -
private_0x0000000004d10000 0x04d10000 0x04d1ffff Private Memory - True False False -
private_0x0000000004d20000 0x04d20000 0x04d2ffff Private Memory - True False False -
private_0x0000000004d30000 0x04d30000 0x04d6ffff Private Memory rw True False False -
system.drawing.dll 0x04d70000 0x04dfffff Memory Mapped File rwx True False False -
pagefile_0x0000000004e00000 0x04e00000 0x04eb7fff Pagefile Backed Memory r True False False -
system.runtime.remoting.dll 0x04ec0000 0x04f13fff Memory Mapped File rwx True False False -
private_0x0000000004f20000 0x04f20000 0x04f23fff Private Memory rw True False False -
private_0x0000000004f30000 0x04f30000 0x04f33fff Private Memory rw True False False -
private_0x0000000004f40000 0x04f40000 0x04f4ffff Private Memory rw True False False -
private_0x0000000004f50000 0x04f50000 0x04f5ffff Private Memory - True False False -
private_0x0000000004f80000 0x04f80000 0x04f8ffff Private Memory rwx True False False -
private_0x0000000004f90000 0x04f90000 0x0516ffff Private Memory rw True False False -
private_0x0000000004f90000 0x04f90000 0x0508ffff Private Memory rw True False False -
~fontcache-system.dat 0x05090000 0x05105fff Memory Mapped File r False False False -
private_0x0000000005110000 0x05110000 0x0514ffff Private Memory rw True False False -
private_0x0000000005160000 0x05160000 0x0516ffff Private Memory rw True False False -
system.windows.forms.dll 0x05180000 0x05617fff Memory Mapped File rwx True False False -
private_0x0000000005620000 0x05620000 0x057fffff Private Memory rw True False False -
private_0x0000000005620000 0x05620000 0x0571ffff Private Memory rw True False False -
private_0x0000000005720000 0x05720000 0x0575ffff Private Memory rw True False False -
private_0x0000000005760000 0x05760000 0x0579ffff Private Memory rw True False False -
private_0x00000000057f0000 0x057f0000 0x057fffff Private Memory rw True False False -
~fontcache-fontface.dat 0x05800000 0x067fffff Memory Mapped File r False False False -
private_0x0000000006800000 0x06800000 0x068fffff Private Memory rw True False False -
pagefile_0x0000000006900000 0x06900000 0x06df1fff Pagefile Backed Memory rw True False False -
staticcache.dat 0x06e00000 0x07e3ffff Memory Mapped File r False False False -
private_0x0000000007e40000 0x07e40000 0x07f3ffff Private Memory rw True False False -
private_0x0000000007f40000 0x07f40000 0x0803ffff Private Memory rw True False False -
private_0x0000000008040000 0x08040000 0x0813ffff Private Memory rw True False False -
private_0x0000000008140000 0x08140000 0x081bffff Private Memory rw True False False -
mscorlib.ni.dll 0x71e00000 0x7302afff Memory Mapped File rwx True False False -
wow64cpu.dll 0x73030000 0x73037fff Memory Mapped File rwx False False False -
wow64.dll 0x73040000 0x7308efff Memory Mapped File rwx False False False -
wow64win.dll 0x73090000 0x73102fff Memory Mapped File rwx False False False -
rsaenh.dll 0x731b0000 0x731defff Memory Mapped File rwx False False False -
bcrypt.dll 0x731e0000 0x731fafff Memory Mapped File rwx False False False -
cryptsp.dll 0x73200000 0x73212fff Memory Mapped File rwx False False False -
dwrite.dll 0x73220000 0x7340ffff Memory Mapped File rwx False False False -
gdiplus.dll 0x73410000 0x7357afff Memory Mapped File rwx False False False -
comctl32.dll 0x73580000 0x73611fff Memory Mapped File rwx False False False -
system.ni.dll 0x73620000 0x73fccfff Memory Mapped File rwx True False False -
clrjit.dll 0x73fd0000 0x7404cfff Memory Mapped File rwx True False False -
msvcr120_clr0400.dll 0x74050000 0x74144fff Memory Mapped File rwx False False False -
clr.dll 0x74150000 0x747f7fff Memory Mapped File rwx True False False -
version.dll 0x74800000 0x74807fff Memory Mapped File rwx False False False -
mscoreei.dll 0x74810000 0x74887fff Memory Mapped File rwx True False False -
mscoree.dll 0x74890000 0x748e8fff Memory Mapped File rwx True False False -
dwmapi.dll 0x748f0000 0x7490cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x74910000 0x74984fff Memory Mapped File rwx False False False -
apphelp.dll 0x74990000 0x74a20fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74a30000 0x74a88fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74a90000 0x74a99fff Memory Mapped File rwx False False False -
sspicli.dll 0x74aa0000 0x74abdfff Memory Mapped File rwx False False False -
user32.dll 0x74ad0000 0x74c0ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x74c10000 0x74c53fff Memory Mapped File rwx False False False -
advapi32.dll 0x74c60000 0x74cdafff Memory Mapped File rwx False False False -
kernelbase.dll 0x74d30000 0x74ea5fff Memory Mapped File rwx False False False -
combase.dll 0x74f70000 0x75129fff Memory Mapped File rwx False False False -
kernel32.dll 0x75130000 0x7521ffff Memory Mapped File rwx False False False -
imm32.dll 0x75220000 0x7524afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x752b0000 0x752bbfff Memory Mapped File rwx False False False -
oleaut32.dll 0x76ce0000 0x76d71fff Memory Mapped File rwx False False False -
msctf.dll 0x76da0000 0x76ebffff Memory Mapped File rwx False False False -
ole32.dll 0x76f30000 0x77019fff Memory Mapped File rwx False False False -
sechost.dll 0x770b0000 0x770f2fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x772c0000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77370000 0x774bcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x778d0000 0x7798dfff Memory Mapped File rwx False False False -
ntdll.dll 0x77990000 0x77b08fff Memory Mapped File rwx False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffff Private Memory - True False False -
private_0x0000000080000000 0x80000000 0x8000ffff Private Memory - True False False -
private_0x00000000fe9bd000 0xfe9bd000 0xfe9bffff Private Memory rw True False False -
private_0x00000000fe9c0000 0xfe9c0000 0xfe9cffff Private Memory rwx True False False -
private_0x00000000fe9d0000 0xfe9d0000 0xfea1ffff Private Memory rwx True False False -
private_0x00000000fea27000 0xfea27000 0xfea29fff Private Memory rw True False False -
private_0x00000000fea2a000 0xfea2a000 0xfea2cfff Private Memory rw True False False -
private_0x00000000fea2d000 0xfea2d000 0xfea2ffff Private Memory rw True False False -
pagefile_0x00000000fea30000 0xfea30000 0xfeb2ffff Pagefile Backed Memory r True False False -
pagefile_0x00000000feb30000 0xfeb30000 0xfeb52fff Pagefile Backed Memory r True False False -
private_0x00000000feb55000 0xfeb55000 0xfeb57fff Private Memory rw True False False -
private_0x00000000feb58000 0xfeb58000 0xfeb58fff Private Memory rw True False False -
private_0x00000000feb5b000 0xfeb5b000 0xfeb5bfff Private Memory rw True False False -
private_0x00000000feb5d000 0xfeb5d000 0xfeb5ffff Private Memory rw True False False -
private_0x00000000fffe0000 0xfffe0000 0x7ffaf7a0ffff Private Memory r True False False -
ntdll.dll 0x7ffaf7a10000 0x7ffaf7bd1fff Memory Mapped File rwx False False False -
private_0x00007ffaf7bd2000 0x7ffaf7bd2000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 186 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1 Fn
File (19)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config type = file_attributes True 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config type = file_type True 2 Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config type = size, size_out = 0 True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe.config type = file_attributes False 2 Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe type = file_attributes True 1 Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config size = 4096, size_out = 4096 True 8 Fn, Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config size = 4096, size_out = 3215 True 1 Fn, Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config size = 4096, size_out = 0 True 1 Fn
Registry (35)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML - False 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML - False 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1 Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\NinjaGhost\Godsomware v1.0\1.0.0.0 - False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = Godsomware v1.0, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableCMD, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableRegedit, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = TZI, type = REG_BINARY True 2 Fn, Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST value_name = 2007, type = REG_BINARY True 2 Fn, Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST value_name = 2008, type = REG_BINARY True 2 Fn, Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = MUI_Display, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = MUI_Std, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = MUI_Dlt, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ True 1 Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = Godsomware v1.0, data = C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe, size = 90, type = REG_SZ True 1 Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System value_name = DisableTaskMgr, data = 1, size = 4, type = REG_DWORD True 1 Fn
Write Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableCMD, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Write Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableRegedit, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
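The four Write Value rows above are the sample's only lasting changes to the host: an HKCU Run entry pointing back at the Desktop copy (process #2 in the overview, monitored for reason "Autostart" after the reboot noted under Notifications, shows that entry was honoured), plus three "Disable" policy values. The script below is an added triage example written for this page; it is not VMRay code and not part of the sample. It takes the report's rows as rendered here (a constructed list, copied verbatim from the table), classifies each successful write, and emits a reg.exe cleanup line. The ATT&CK mapping and the table of policy values Windows actually reads are the editor's: Task Manager is controlled by DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, the command prompt by DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System, and Registry Editor by DisableRegistryTools under the CurrentVersion\Policies\System key. The sample's DisableRegedit value under Software\Policies\Microsoft\Windows\System is not one of those, so regedit stays usable on an infected host; the script flags that write as attempted rather than effective.

```python
"""Triage of the registry writes recorded in the sandbox report above.

Added example, not part of the VMRay report or of the sample. The rows in
SAMPLE_ROWS are copied from the report's Registry table as rendered on this
page; the classification rules and ATT&CK ids are the editor's.
"""
import re
from dataclasses import dataclass

# Constructed input: the four successful Write Value rows plus one Read Value
# row from the same table, to show that non-writes are ignored.
SAMPLE_ROWS = [
    r"Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = Godsomware v1.0, data = C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe, size = 90, type = REG_SZ True 1",
    r"Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System value_name = DisableTaskMgr, data = 1, size = 4, type = REG_DWORD True 1",
    r"Write Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableCMD, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1",
    r"Write Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableRegedit, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1",
    r"Read Value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System value_name = DisableCMD, type = REG_NONE False 1",
]

# One table row: operation, key, free-form "a = b, c = d" info, success flag, count.
ROW_RE = re.compile(
    r"^(?P<op>Create Key|Open Key|Read Value|Write Value) (?P<key>HKEY_\S+) "
    r"(?P<info>.*?) (?P<ok>True|False) (?P<count>\d+)$"
)

# (key suffix, value name) pairs that Windows reads for the "Remove Task Manager",
# "Prevent access to registry editing tools" and "Prevent access to the command
# prompt" user policies. Anything else named Disable* under a Policies key is an
# attempt that changes nothing.
EFFECTIVE_POLICIES = {
    (r"\microsoft\windows\currentversion\policies\system", "disabletaskmgr"),
    (r"\microsoft\windows\currentversion\policies\system", "disableregistrytools"),
    (r"\policies\microsoft\windows\system", "disablecmd"),
}

# Directory fragments that an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    key: str
    value_name: str
    data: str
    category: str    # "persistence" or "impair_defenses"
    technique: str   # ATT&CK technique id (editor's mapping)
    effective: bool  # True if Windows honours this write at this path
    note: str
    remediation: str


def parse_info(info: str) -> dict:
    """Turn 'value_name = X, data = Y, size = 4, type = T' into a dict.
    Assumes no ', ' inside a single value, which holds for the report's rows."""
    out = {}
    for part in info.split(", "):
        if " = " in part:
            k, v = part.split(" = ", 1)
            out[k.strip()] = v.strip()
    return out


def classify(row: str):
    """Return a Finding for a successful Write Value row of interest, else None."""
    m = ROW_RE.match(row)
    if not m or m["op"] != "Write Value" or m["ok"] != "True":
        return None
    key, info = m["key"], parse_info(m["info"])
    name, data = info.get("value_name", ""), info.get("data", "")
    lkey = key.lower()
    fix = f'reg delete "{key}" /v "{name}" /f'

    if lkey.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        # Autostart entry. A target under a user-writable directory (here the
        # Desktop copy of the sample) is the usual commodity-malware pattern.
        user_path = any(s in data.lower() for s in USER_WRITABLE)
        note = ("autostart target under a user-writable path" if user_path
                else "autostart target outside user-writable locations")
        return Finding(key, name, data, "persistence", "T1547.001", True, note, fix)

    if "\\policies\\" in lkey and name.lower().startswith("disable"):
        effective = any(lkey.endswith(suffix) and name.lower() == vname
                        for suffix, vname in EFFECTIVE_POLICIES)
        note = ("policy value Windows honours at this path" if effective
                else "no such policy at this path; the write has no effect")
        return Finding(key, name, data, "impair_defenses", "T1562.001", effective, note, fix)
    return None


def triage(rows):
    """Classify every row; drop the ones that are not writes of interest."""
    return [f for f in (classify(r) for r in rows) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        status = "EFFECTIVE" if f.effective else "attempted-only"
        print(f"{f.technique} {f.category:16} {f.value_name:16} {status:14} {f.note}")
        print(f"    cleanup: {f.remediation}")
```

Run it as-is to get four findings: the Run entry and DisableTaskMgr and DisableCMD marked effective, DisableRegedit marked attempted-only. The remediation lines use `reg delete KEY /v VALUE /f`, which only removes the values; the encrypted files and the Desktop copy of the binary still need handling, and the HKLM\Software\NinjaGhost\Godsomware v1.0\1.0.0.0 key the sample tried to open (Open Key failed in the report) is worth checking on a real host in case a later run created it.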
Module (438)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x73580000 True 1 Fn
Load comctl32.dll base_address = 0x70b40000 True 1 Fn
Load C:\Windows\system32\en-US\tzres.dll.mui base_address = 0x8c40001 True 3 Fn
Get Handle comctl32.dll base_address = 0x0 False 2 Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74ad0000 True 1 Fn
Get Handle c:\users\ciihmnxmn6ps\desktop\godsomware.exe base_address = 0x5d0000 True 57 Fn
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll base_address = 0x73580000 True 211 Fn
Get Handle comctl32.dll base_address = 0x70b40000 True 155 Fn
Get Handle shell32.dll base_address = 0x752c0000 True 6 Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77a0caa0 True 1 Fn
Window (210)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create .NET-BroadcastEventWindow.4.0.0.0.141b42a.0 class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 True 1 Fn
Create God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Contact Us class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create How to buy bitcoins? class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create About bitcoin class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create &Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Check Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Copy class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Send $100 worth of bitcoin to this address: class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4 class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Date 2 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Your files will be lost on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Date 1 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Payment will be raised on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Ooops, your files have been encrypted! class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 False 1 Fn
Create International class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r12_ad1, wndproc_parameter = 0 False 1 Fn
Create What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible beacuse they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking <Decrypt>. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't oay in 7 days,you won't be able to recover your files forever. We will have free events for users who are so poor that they couldn't pay in 6 months. How Do I Pay? Payment is accepted in Bitcoin only. Fore more information, Click <About bitcoin>. Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>. And send the correct amount to the address specified in this window. After your payment, click <Check Payment>. Best time to check 9:00am - 11:00am GMT from Monday to Friday. Once the payment is checked, you can start decrypting your files immediate. Contact If you need our assistance, send a massage by clicking <Contact Us>. We Strongly recommend you to not remove this software, and disable you for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will no be able to recover your files even if you pay! class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, wndproc_parameter = 0 False 1 Fn
Create System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - - True 1 Fn
Create - - True 1 Fn
Create - - True 1 Fn
Create - - True 1 Fn
Create - - True 1 Fn
Create LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create LMAO class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Enter Code class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Check Code Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 True 1 Fn
Create - - False 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 2007026336 True 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83363366 True 1 Fn
Set Attribute God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 2007026336 True 1 Fn
Set Attribute God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365238 True 1 Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 2007026336 True 1 Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365318 True 1 Fn
Set Attribute God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608 (-8, GWLP_HWNDPARENT), new_long = 458798 False 1 Fn
Set Attribute God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608 (-8, GWLP_HWNDPARENT), new_long = 458798 True 1 Fn
Set Attribute God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600 (-16, GWL_STYLE), new_long = 46333952 True 1 Fn
Set Attribute God Crypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596 (-20, GWL_EXSTYLE), new_long = 65537 True 1 Fn
Set Attribute Contact Us class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891127440 True 1 Fn
Set Attribute Contact Us class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365398 True 1 Fn
Set Attribute Contact Us class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 589882 False 1 Fn
Set Attribute How to buy bitcoins? class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891127440 True 1 Fn
Set Attribute How to buy bitcoins? class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365438 True 1 Fn
Set Attribute How to buy bitcoins? class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 458886 False 1 Fn
Set Attribute About bitcoin class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891127440 True 1 Fn
Set Attribute About bitcoin class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365478 True 1 Fn
Set Attribute About bitcoin class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 852008 False 1 Fn
Set Attribute &Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891361472 True 1 Fn
Set Attribute &Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365558 True 1 Fn
Set Attribute &Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 393528 False 1 Fn
Set Attribute Check Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891361472 True 1 Fn
Set Attribute Check Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365598 True 1 Fn
Set Attribute Check Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 131638 False 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 2007026336 True 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365638 True 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 131640 False 1 Fn
Set Attribute Copy class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891361472 True 1 Fn
Set Attribute Copy class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83365678 True 1 Fn
Set Attribute Copy class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 131626 False 1 Fn
Set Attribute Send $100 worth of bitcoin to this address: class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891127440 True 1 Fn
Set Attribute Send $100 worth of bitcoin to this address: class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83362998 True 1 Fn
Set Attribute Send $100 worth of bitcoin to this address: class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 131628 False 1 Fn
Set Attribute 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4 class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 1891357200 True 1 Fn
Set Attribute 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4 class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83378518 True 1 Fn
Set Attribute 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4 class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551604 (-12, GWLP_ID), new_long = 131622 False 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 2007026336 True 1 Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612 (-4, GWLP_WNDPROC), new_long = 83378238 True 1 Fn
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131624 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378318 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131618 False 1
Fn
Set Attribute Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378598 True 1
Fn
Set Attribute Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131620 False 1
Fn
Set Attribute 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377918 True 1
Fn
Set Attribute 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131614 False 1
Fn
Set Attribute Date 2 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Date 2 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378278 True 1
Fn
Set Attribute Date 2 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131616 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378118 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131610 False 1
Fn
Set Attribute Your files will be lost on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Your files will be lost on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378038 True 1
Fn
Set Attribute Your files will be lost on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131612 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378638 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131606 False 1
Fn
Set Attribute Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378158 True 1
Fn
Set Attribute Time Left class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131608 False 1
Fn
Set Attribute Date 1 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Date 1 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378718 True 1
Fn
Set Attribute Date 1 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 524624 False 1
Fn
Set Attribute Payment will be raised on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Payment will be raised on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378758 True 1
Fn
Set Attribute Payment will be raised on class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 655754 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377838 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131644 False 1
Fn
Set Attribute 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377878 True 1
Fn
Set Attribute 00:00:00:00 class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 197166 False 1
Fn
Set Attribute Ooops, your files have been encrypted! class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 True 1
Fn
Set Attribute Ooops, your files have been encrypted! class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377958 True 1
Fn
Set Attribute Ooops, your files have been encrypted! class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131632 False 1
Fn
Set Attribute - index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - index = 18446744073709551612, new_long = 83377998 True 1
Fn
Set Attribute - index = 18446744073709551604, new_long = 131634 False 1
Fn
Set Attribute - index = 18446744073709551612, new_long = 1891044640 True 1
Fn
Set Attribute - index = 18446744073709551612, new_long = 83378438 True 1
Fn
Set Attribute - index = 18446744073709551604, new_long = 131636 False 1
Fn
Set Attribute - index = 18446744073709551612, new_long = 1891357200 True 1
Fn
Set Attribute - index = 18446744073709551604, new_long = 66110 False 1
Fn
Set Attribute System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378398 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378478 True 1
Fn
Set Attribute System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66114 False 1
Fn
Set Attribute System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66114 True 1
Fn
Set Attribute System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 50397184 True 1
Fn
Set Attribute System class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65536 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378558 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66122 False 1
Fn
Set Attribute LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380822 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380782 True 1
Fn
Set Attribute LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 393814 False 1
Fn
Set Attribute LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 393814 True 1
Fn
Set Attribute LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 True 1
Fn
Set Attribute LOL class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65537 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380982 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 393812 False 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380342 True 1
Fn
Set Attribute LMAO class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute LMAO class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380622 True 1
Fn
Set Attribute LMAO class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 0 False 1
Fn
Set Attribute LMAO class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 True 1
Fn
Set Attribute LMAO class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 327680 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380302 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66138 False 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83381102 True 1
Fn
Set Attribute Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380422 True 1
Fn
Set Attribute Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 0 False 1
Fn
Set Attribute Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 True 1
Fn
Set Attribute Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 327680 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83381142 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66144 False 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute TimerNativeWindow class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380222 True 1
Fn
Set Attribute God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380902 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380262 True 1
Fn
Set Attribute God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66150 False 1
Fn
Set Attribute God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66150 True 1
Fn
Set Attribute God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46661632 True 1
Fn
Set Attribute God Decrypt v1.0 class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65537 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380702 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66152 False 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380182 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66154 False 1
Fn
Set Attribute Enter Code class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891357200 True 1
Fn
Set Attribute Enter Code class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380742 True 1
Fn
Set Attribute Enter Code class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66156 False 1
Fn
Set Attribute Check Code Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 True 1
Fn
Set Attribute Check Code Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380382 True 1
Fn
Set Attribute Check Code Payment class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66158 False 1
Fn
Set Attribute Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 True 1
Fn
Set Attribute Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380462 True 1
Fn
Set Attribute Decrypt class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66160 False 1
Fn
Keyboard (507)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 (0x04090409, en-US layout) True 44
Read virtual_key_code = VK_RBUTTON, result_out = 0 True 91
Read virtual_key_code = VK_MBUTTON, result_out = 0 True 91
Read virtual_key_code = VK_XBUTTON1, result_out = 0 True 91
Read virtual_key_code = VK_XBUTTON2, result_out = 0 True 91
Read virtual_key_code = VK_LBUTTON, result_out = 1 True 42
Read virtual_key_code = VK_SHIFT, result_out = 0 True 3
Read virtual_key_code = VK_CONTROL, result_out = 0 True 3
Read virtual_key_code = VK_MENU, result_out = -127 (0xFF81) True 3
Read virtual_key_code = VK_LBUTTON, result_out = 0 True 42
Read virtual_key_code = VK_LBUTTON, result_out = -127 (0xFF81) True 3
Read virtual_key_code = VK_LBUTTON, result_out = -128 (0xFF80) True 3
Note: result_out is the SHORT returned by the key-state query, which the report sign-extends and prints as an unsigned 64-bit integer (18446744073709551489 = -127, 18446744073709551488 = -128). Bit 15 set means the key or button is down; bit 0 set means it is toggled.
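The Window and Keyboard tables above render two signed quantities as unsigned 64-bit integers: the nIndex argument of SetWindowLong (18446744073709551612 is -4, GWL_WNDPROC) and the SHORT returned by the key-state query (18446744073709551488 is -128, 0xFF80). The Python below, added here as a worked example and not part of the VMRay report or of the Godsomware sample, decodes both, parses rows in the report's text layout, and pulls out the strings the sample wrote into its WinForms controls (form titles, ransom-note labels, and the address in the EDIT box). SAMPLE_ROWS is constructed from rows of this report; ROW_RE and the function names are this example's own assumptions, and the GWL_* offsets are the standard winuser.h constants.

```python
"""Decode SetWindowLong and key-state rows from a VMRay 'Window'/'Keyboard' table.

Added example for this report; it is not VMRay code and not part of the
Godsomware sample. SAMPLE_ROWS is constructed from rows in the report;
ROW_RE and the function names are this example's own. GWL_* offsets are
the standard winuser.h constants.
"""
import re

# SetWindowLong nIndex offsets (winuser.h). The report prints these signed
# values as unsigned 64-bit integers, e.g. 18446744073709551612 for -4.
GWL_NAMES = {
    -4: "GWL_WNDPROC",
    -6: "GWL_HINSTANCE",
    -8: "GWL_HWNDPARENT",
    -12: "GWL_ID",
    -16: "GWL_STYLE",
    -20: "GWL_EXSTYLE",
    -21: "GWL_USERDATA",
}

# Constructed from the report's Window table; one 'Fn' link-residue line is
# kept on purpose to show that non-row lines are skipped.
SAMPLE_ROWS = [
    "Set Attribute Contact Us class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365398 True 1",
    "Fn",
    "Set Attribute Contact Us class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 589882 False 1",
    "Set Attribute 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4 class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891357200 True 1",
    "Set Attribute Meme Virus v1.0 by NinjaGhost class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 True 1",
    "Set Attribute - index = 18446744073709551612, new_long = 2007026336 True 1",
]


def to_signed(value, bits):
    """Reinterpret an unsigned integer of the given width as two's complement."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value


def decode_index(raw):
    """Map the report's unsigned nIndex to (signed offset, GWL_* name)."""
    idx = to_signed(raw, 64)
    return idx, GWL_NAMES.get(idx, "unknown(%d)" % idx)


def decode_keystate(raw):
    """GetKeyState-style SHORT that the report sign-extended to 64 bits.
    Bit 15 = key/button currently down, bit 0 = toggled."""
    short = to_signed(raw, 64)
    u16 = short & 0xFFFF
    return {"value": short, "hex": "0x%04X" % u16,
            "down": bool(u16 & 0x8000), "toggled": bool(u16 & 0x0001)}


# Window text is free-form (spaces, '$', ':'), so match it non-greedily up to
# the optional class_name and the fixed 'index = ' marker.
ROW_RE = re.compile(
    r"^Set Attribute (?P<text>.*?) (?:class_name = (?P<cls>\S+), )?"
    r"index = (?P<index>\d+), new_long = (?P<val>\d+) (?P<ok>True|False) (?P<count>\d+)$"
)


def parse_rows(lines):
    """Yield one dict per 'Set Attribute' row; anything else (e.g. 'Fn') is skipped."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        idx, name = decode_index(int(m["index"]))
        yield {"text": m["text"], "class": m["cls"] or "", "index": idx,
               "index_name": name, "value": int(m["val"]),
               "success": m["ok"] == "True"}


def summarize(rows):
    """Per window text: short control class and the set of GWL offsets written."""
    out = {}
    for r in rows:
        entry = out.setdefault(r["text"], {"class": None, "writes": set()})
        if r["class"] and entry["class"] is None:
            # 'WindowsForms10.STATIC.app.0...' -> 'STATIC'
            entry["class"] = r["class"].split(".")[1]
        entry["writes"].add(r["index_name"])
    return out


def ui_strings(rows):
    """Window texts in first-seen order, minus untitled ('-') windows: the
    form titles, ransom-note labels and button captions."""
    seen = []
    for r in rows:
        if r["text"] != "-" and r["text"] not in seen:
            seen.append(r["text"])
    return seen


def edit_control_texts(rows):
    """Texts of EDIT controls; in this sample that is where the payment address sits."""
    return sorted({r["text"] for r in rows if ".EDIT." in r["class"]})


if __name__ == "__main__":
    rows = list(parse_rows(SAMPLE_ROWS))
    for text, info in summarize(rows).items():
        print("%-40s %-8s %s" % (text, info["class"], sorted(info["writes"])))
    print("EDIT texts:", edit_control_texts(rows))
    print("VK_MENU state:", decode_keystate(18446744073709551489))
```

Run against the full table, the summary shows every control receiving GWL_WNDPROC writes (WinForms attaches its managed window procedure to each native control this way) plus a GWL_ID write, and each top-level form receiving GWL_HWNDPARENT, GWL_STYLE and GWL_EXSTYLE. A likely reading of the Success column, stated as an inference rather than something the report confirms: SetWindowLong returns the previous value, so writing GWL_ID to a control whose ID was still 0 returns 0, which a tracer cannot distinguish from failure without GetLastError; that would explain why every GWL_ID row reads False.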
System (279)
Operation Additional Information Success Count
Get Cursor x_out = 824, y_out = 478 True 4
Get Cursor x_out = 142, y_out = 758 True 5
Get Cursor x_out = 755, y_out = 515 True 12
Get Cursor x_out = 1064, y_out = 756 True 4
Sleep duration = 100 milliseconds (0.100 seconds) True 3
Sleep duration = 50 milliseconds (0.050 seconds) True 251
Process #2: godsomware.exe
0 0
Information Value
ID #2
File Name c:\users\ciihmnxmn6ps\desktop\godsomware.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:57, Reason: Autostart
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x930
Parent PID 0x5e4 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x938
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
godsomware.exe 0x005d0000 0x00801fff Memory Mapped File rwx True True False
private_0x0000000000810000 0x00810000 0x0082ffff Private Memory rw True False False -
private_0x0000000000830000 0x00830000 0x00831fff Private Memory rw True False False -
pagefile_0x0000000000840000 0x00840000 0x00853fff Pagefile Backed Memory r True False False -
private_0x0000000000860000 0x00860000 0x0089ffff Private Memory rw True False False -
private_0x00000000008a0000 0x008a0000 0x0099ffff Private Memory rw True False False -
pagefile_0x00000000009a0000 0x009a0000 0x009a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009b0000 0x009b0000 0x009b0fff Pagefile Backed Memory r True False False -
ntdll.dll 0x770e0000 0x77258fff Memory Mapped File rwx False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x00000000ff380000 0xff380000 0xff3a2fff Pagefile Backed Memory r True False False -
private_0x00000000ff3a8000 0xff3a8000 0xff3a8fff Private Memory rw True False False -
private_0x00000000ff3ac000 0xff3ac000 0xff3aefff Private Memory rw True False False -
private_0x00000000ff3af000 0xff3af000 0xff3affff Private Memory rw True False False -
private_0x00000000fffe0000 0xfffe0000 0x7fff960affff Private Memory r True False False -
ntdll.dll 0x7fff960b0000 0x7fff96271fff Memory Mapped File rwx False False False -
private_0x00007fff96272000 0x7fff96272000 0x7ffffffeffff Private Memory r True False False -