1da3bb217a3d771d357edfc401ac3835c29066e5d0a795e12aabd4b888bd15e3 (SHA256)
Godsomware.exe
Windows Exe (x86-32)
Created at 2018-10-06 16:50:00
Notifications (1/1)
The operating system was rebooted during the analysis.
Monitored Processes
Behavior Information - Sequential View
Process #1: godsomware.exe
1554
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\godsomware.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:29, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:39, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfd4 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD8
0x
FDC
0x
FE0
0x
FE4
0x
FE8
0x
FF8
0x
FFC
0x
84
0x
A70
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| godsomware.exe | 0x005d0000 | 0x00801fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000810000 | 0x00810000 | 0x0081ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x00823fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00830fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00853fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x009d0000 | 0x00a8dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00acffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00ad0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00ae0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00c2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c30000 | 0x00c30000 | 0x00d2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d30000 | 0x00d30000 | 0x00d3ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d40000 | 0x00d40000 | 0x00d4ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d50000 | 0x00d50000 | 0x00d5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000d60000 | 0x00d60000 | 0x00d60fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d70000 | 0x00d70000 | 0x00d70fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000db0000 | 0x00db0000 | 0x00deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00e2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e30000 | 0x00e30000 | 0x00e3ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000e40000 | 0x00e40000 | 0x00e4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x00e6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e70000 | 0x00e70000 | 0x00ff7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001000000 | 0x01000000 | 0x01180fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001190000 | 0x01190000 | 0x0258ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002590000 | 0x02590000 | 0x0268ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002690000 | 0x02690000 | 0x0468ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004690000 | 0x04690000 | 0x0472ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004730000 | 0x04730000 | 0x0482ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x04830000 | 0x04b66fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04b9ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04baffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004bb0000 | 0x04bb0000 | 0x04bbffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004bc0000 | 0x04bc0000 | 0x04bcffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004bd0000 | 0x04bd0000 | 0x04bdffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004be0000 | 0x04be0000 | 0x04beffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000004bf0000 | 0x04bf0000 | 0x04bf3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004c00000 | 0x04c00000 | 0x04c03fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c10000 | 0x04c10000 | 0x04c1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c2ffff | Private Memory | rw |
|
|
|
- |
| accessibility.dll | 0x04c20000 | 0x04c29fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000004c30000 | 0x04c30000 | 0x04c3ffff | Private Memory | rw |
|
|
|
- |
| microsoft.visualbasic.dll | 0x04c40000 | 0x04cdbfff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x04ce0000 | 0x04d6efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04ceffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004d00000 | 0x04d00000 | 0x04d0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004d00000 | 0x04d00000 | 0x04d01fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004d10000 | 0x04d10000 | 0x04d1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d2ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004d30000 | 0x04d30000 | 0x04d6ffff | Private Memory | rw |
|
|
|
- |
| system.drawing.dll | 0x04d70000 | 0x04dfffff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000004e00000 | 0x04e00000 | 0x04eb7fff | Pagefile Backed Memory | r |
|
|
|
- |
| system.runtime.remoting.dll | 0x04ec0000 | 0x04f13fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f23fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f30000 | 0x04f30000 | 0x04f33fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f50000 | 0x04f50000 | 0x04f5ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000004f80000 | 0x04f80000 | 0x04f8ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004f90000 | 0x04f90000 | 0x0508ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x05090000 | 0x05105fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000005110000 | 0x05110000 | 0x0514ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005160000 | 0x05160000 | 0x0516ffff | Private Memory | rw |
|
|
|
- |
| system.windows.forms.dll | 0x05180000 | 0x05617fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x057fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005620000 | 0x05620000 | 0x0571ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005720000 | 0x05720000 | 0x0575ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000005760000 | 0x05760000 | 0x0579ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000057f0000 | 0x057f0000 | 0x057fffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x05800000 | 0x067fffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000006800000 | 0x06800000 | 0x068fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000006900000 | 0x06900000 | 0x06df1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| staticcache.dat | 0x06e00000 | 0x07e3ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000007e40000 | 0x07e40000 | 0x07f3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007f40000 | 0x07f40000 | 0x0803ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008040000 | 0x08040000 | 0x0813ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000008140000 | 0x08140000 | 0x081bffff | Private Memory | rw |
|
|
|
- |
| mscorlib.ni.dll | 0x71e00000 | 0x7302afff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x731b0000 | 0x731defff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x731e0000 | 0x731fafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x73200000 | 0x73212fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x73220000 | 0x7340ffff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x73410000 | 0x7357afff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x73580000 | 0x73611fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x73620000 | 0x73fccfff | Memory Mapped File | rwx |
|
|
|
- |
| clrjit.dll | 0x73fd0000 | 0x7404cfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr120_clr0400.dll | 0x74050000 | 0x74144fff | Memory Mapped File | rwx |
|
|
|
- |
| clr.dll | 0x74150000 | 0x747f7fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74800000 | 0x74807fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74810000 | 0x74887fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x74890000 | 0x748e8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x748f0000 | 0x7490cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74910000 | 0x74984fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffff | Private Memory | - |
|
|
|
- |
| private_0x0000000080000000 | 0x80000000 | 0x8000ffff | Private Memory | - |
|
|
|
- |
| private_0x00000000fe9bd000 | 0xfe9bd000 | 0xfe9bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fe9c0000 | 0xfe9c0000 | 0xfe9cffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000fe9d0000 | 0xfe9d0000 | 0xfea1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000fea27000 | 0xfea27000 | 0xfea29fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fea2a000 | 0xfea2a000 | 0xfea2cfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fea2d000 | 0xfea2d000 | 0xfea2ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000fea30000 | 0xfea30000 | 0xfeb2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000feb30000 | 0xfeb30000 | 0xfeb52fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000feb55000 | 0xfeb55000 | 0xfeb57fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000feb58000 | 0xfeb58000 | 0xfeb58fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000feb5b000 | 0xfeb5b000 | 0xfeb5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000feb5d000 | 0xfeb5d000 | 0xfeb5ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
|
For performance reasons, the remaining 186 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Threads
Thread 0xfd8
1172
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x73580000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\syswow64\user32.dll, base_address = 0x74ad0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x77a0caa0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83363366 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll, base_address = 0x73580000 |
|
32 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | window_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe.config, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll, base_address = 0x73580000 |
|
156 | |
| System | Get Cursor | x_out = 824, y_out = 478 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll, base_address = 0x73580000 |
|
1 | |
| System | Get Cursor | x_out = 824, y_out = 478 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_49c02355cf03478c\comctl32.dll, base_address = 0x73580000 |
|
22 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 824, y_out = 478 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365238 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365318 |
|
1 | |
| Window | Set Attribute | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 458798 |
|
1 | |
| Window | Set Attribute | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 458798 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 824, y_out = 478 |
|
1 | |
| Window | Set Attribute | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 |
|
1 | |
| Window | Set Attribute | window_name = God Crypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65537 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | window_name = Contact Us, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Contact Us, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Contact Us, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365398 |
|
1 | |
| Window | Set Attribute | window_name = Contact Us, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 589882 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = How to buy bitcoins?, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = How to buy bitcoins?, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = How to buy bitcoins?, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365438 |
|
1 | |
| Window | Set Attribute | window_name = How to buy bitcoins?, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 458886 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = About bitcoin, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = About bitcoin, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = About bitcoin, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365478 |
|
1 | |
| Window | Set Attribute | window_name = About bitcoin, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 852008 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | window_name = &Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = &Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 |
|
1 | |
| Window | Set Attribute | window_name = &Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365558 |
|
1 | |
| Window | Set Attribute | window_name = &Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 393528 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Check Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Check Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 |
|
1 | |
| Window | Set Attribute | window_name = Check Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365598 |
|
1 | |
| Window | Set Attribute | window_name = Check Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131638 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365638 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131640 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Copy, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Copy, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 |
|
1 | |
| Window | Set Attribute | window_name = Copy, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83365678 |
|
1 | |
| Window | Set Attribute | window_name = Copy, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131626 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Send $100 worth of bitcoin to this address:, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Send $100 worth of bitcoin to this address:, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Send $100 worth of bitcoin to this address:, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83362998 |
|
1 | |
| Window | Set Attribute | window_name = Send $100 worth of bitcoin to this address:, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131628 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | window_name = 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891357200 |
|
1 | |
| Window | Set Attribute | window_name = 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378518 |
|
1 | |
| Window | Set Attribute | window_name = 1M7jsxLEC3jsfWen1FP1N9uvTs19kkffj4, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131622 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378238 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131624 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378318 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131618 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378598 |
|
1 | |
| Window | Set Attribute | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131620 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377918 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131614 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Date 2, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Date 2, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Date 2, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378278 |
|
1 | |
| Window | Set Attribute | window_name = Date 2, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131616 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378118 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131610 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Your files will be lost on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Your files will be lost on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Your files will be lost on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378038 |
|
1 | |
| Window | Set Attribute | window_name = Your files will be lost on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131612 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378638 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131606 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378158 |
|
1 | |
| Window | Set Attribute | window_name = Time Left, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131608 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Date 1, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Date 1, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Date 1, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378718 |
|
1 | |
| Window | Set Attribute | window_name = Date 1, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 524624 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Payment will be raised on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Payment will be raised on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Payment will be raised on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378758 |
|
1 | |
| Window | Set Attribute | window_name = Payment will be raised on, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 655754 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377838 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131644 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377878 |
|
1 | |
| Window | Set Attribute | window_name = 00:00:00:00, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 197166 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Ooops, your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Ooops, your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891127440 |
|
1 | |
| Window | Set Attribute | window_name = Ooops, your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83377958 |
|
1 | |
| Window | Set Attribute | window_name = Ooops, your files have been encrypted!, class_name = WindowsForms10.STATIC.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 131632 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551612, new_long = 83377998 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551604, new_long = 131634 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
2 | |
| Window | Create | window_name = International, class_name = WindowsForms10.COMBOBOX.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551612, new_long = 1891044640 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551612, new_long = 83378438 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551604, new_long = 131636 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible beacuse they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. Can I Recover My Files? Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time. You can decrypt some of your files for free. Try now by clicking <Decrypt>. But if you want to decrypt all your files, you need to pay. You only have 3 days to submit the payment. After that the price will be doubled. Also, if you don't oay in 7 days,you won't be able to recover your files forever. We will have free events for users who are so poor that they couldn't pay in 6 months. How Do I Pay? Payment is accepted in Bitcoin only. Fore more information, Click <About bitcoin>. Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>. And send the correct amount to the address specified in this window. After your payment, click <Check Payment>. Best time to check 9:00am - 11:00am GMT from Monday to Friday. Once the payment is checked, you can start decrypting your files immediate. Contact If you need our assistance, send a massage by clicking <Contact Us>. We Strongly recommend you to not remove this software, and disable you for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will no be able to recover your files even if you pay!, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551612, new_long = 1891357200 |
|
1 | |
| Window | Set Attribute | index = 18446744073709551604, new_long = 66110 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = Godsomware v1.0, type = REG_NONE |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = Godsomware v1.0, data = C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe, size = 90, type = REG_SZ |
|
1 | |
| COM | Get Class ID | cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell |
|
1 | |
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, value_name = DisableTaskMgr, data = 1, size = 4, type = REG_DWORD |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| Registry | Create Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, value_name = DisableCMD, type = REG_NONE |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, value_name = DisableCMD, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, value_name = DisableRegedit, type = REG_NONE |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, value_name = DisableRegedit, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = TZI, type = REG_BINARY |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = 2007, type = REG_BINARY |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST, value_name = 2008, type = REG_BINARY |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time, value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ |
|
1 | |
| Module | Load | module_name = C:\Windows\system32\en-US\tzres.dll.mui, base_address = 0x8c40001 |
|
3 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
10 | |
| System | Get Cursor | x_out = 142, y_out = 758 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 142, y_out = 758 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 142, y_out = 758 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
3 | |
| System | Get Cursor | x_out = 142, y_out = 758 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378398 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
2 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378478 |
|
1 | |
| Window | Set Attribute | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66114 |
|
1 | |
| Window | Set Attribute | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66114 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 142, y_out = 758 |
|
1 | |
| Window | Set Attribute | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 50397184 |
|
1 | |
| Window | Set Attribute | window_name = System, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65536 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
2 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83378558 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66122 |
|
1 | |
| Module | Get Handle | module_name = shell32.dll, base_address = 0x752c0000 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Window | Create | - |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
13 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
4 | |
| Module | Get Handle | module_name = shell32.dll, base_address = 0x752c0000 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Window | Create | - |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Module | Get Handle | module_name = shell32.dll, base_address = 0x752c0000 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Window | Create | - |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Module | Get Handle | module_name = shell32.dll, base_address = 0x752c0000 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Window | Create | - |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Module | Get Handle | module_name = shell32.dll, base_address = 0x752c0000 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Window | Create | - |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
8 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
3 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380822 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380782 |
|
1 | |
| Window | Set Attribute | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 393814 |
|
1 | |
| Window | Set Attribute | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 393814 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Window | Set Attribute | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 |
|
1 | |
| Window | Set Attribute | window_name = LOL, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65537 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380982 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 393812 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380342 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
8 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
3 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = LMAO, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = LMAO, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = LMAO, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380622 |
|
1 | |
| Window | Set Attribute | window_name = LMAO, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 0 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Window | Set Attribute | window_name = LMAO, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 |
|
1 | |
| Window | Set Attribute | window_name = LMAO, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 327680 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380302 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66138 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83381102 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
8 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
3 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Meme Virus v1.0 by NinjaGhost, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Meme Virus v1.0 by NinjaGhost, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = Meme Virus v1.0 by NinjaGhost, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380422 |
|
1 | |
| Window | Set Attribute | window_name = Meme Virus v1.0 by NinjaGhost, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 0 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 755, y_out = 515 |
|
1 | |
| Window | Set Attribute | window_name = Meme Virus v1.0 by NinjaGhost, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46333952 |
|
1 | |
| Window | Set Attribute | window_name = Meme Virus v1.0 by NinjaGhost, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 327680 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83381142 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66144 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380222 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
6 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 18446744073709551489 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 18446744073709551489 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MENU, result_out = 18446744073709551489 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
13 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551489 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551489 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551489 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
27 | |
| System | Get Cursor | x_out = 1064, y_out = 756 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 1064, y_out = 756 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
5 | |
| System | Get Cursor | x_out = 1064, y_out = 756 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380902 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.0.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380262 |
|
1 | |
| Window | Set Attribute | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66150 |
|
1 | |
| Window | Set Attribute | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551608, new_long = 66150 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| System | Get Cursor | x_out = 1064, y_out = 756 |
|
1 | |
| Window | Set Attribute | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551600, new_long = 46661632 |
|
1 | |
| Window | Set Attribute | window_name = God Decrypt v1.0, class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551596, new_long = 65537 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380702 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66152 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 2007026336 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380182 |
|
1 | |
| Window | Set Attribute | class_name = WindowsForms10.Window.8.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66154 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Enter Code, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Enter Code, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891357200 |
|
1 | |
| Window | Set Attribute | window_name = Enter Code, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380742 |
|
1 | |
| Window | Set Attribute | window_name = Enter Code, class_name = WindowsForms10.EDIT.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66156 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Check Code Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Check Code Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 |
|
1 | |
| Window | Set Attribute | window_name = Check Code Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380382 |
|
1 | |
| Window | Set Attribute | window_name = Check Code Payment, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66158 |
|
1 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x70b40000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\godsomware.exe, base_address = 0x5d0000 |
|
1 | |
| Window | Create | window_name = Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, wndproc_parameter = 0 |
|
1 | |
| Window | Set Attribute | window_name = Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 1891361472 |
|
1 | |
| Window | Set Attribute | window_name = Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551612, new_long = 83380462 |
|
1 | |
| Window | Set Attribute | window_name = Decrypt, class_name = WindowsForms10.BUTTON.app.0.141b42a_r12_ad1, index = 18446744073709551604, new_long = 66160 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
3 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Module | Get Handle | module_name = shell32.dll, base_address = 0x752c0000 |
|
1 | |
| Window | Create | - |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551488 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551488 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551488 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe, type = file_attributes |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\NinjaGhost\Godsomware v1.0\1.0.0.0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 |
Thread 0xfe4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0xa70
29
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Sleep | duration = 50 milliseconds (0.050 seconds) |
|
251 |
Process #2: godsomware.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\users\ciihmnxmn6ps\desktop\godsomware.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\Godsomware.exe" |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:57, Reason: Autostart |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x930 |
| Parent PID | 0x5e4 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
938
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| godsomware.exe | 0x005d0000 | 0x00801fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00831fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00853fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x0099ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x009a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| ntdll.dll | 0x770e0000 | 0x77258fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000000ff380000 | 0xff380000 | 0xff3a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000ff3a8000 | 0xff3a8000 | 0xff3a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff3ac000 | 0xff3ac000 | 0xff3aefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ff3af000 | 0xff3af000 | 0xff3affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7fff960affff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7fff960b0000 | 0x7fff96271fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007fff96272000 | 0x7fff96272000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
