5d4e22be...6c81 | Sequential Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Trojan

Remarks (1/1)

(0x2000010): The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x964 Analysis Target High (Elevated) nqmdwcixbxs.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe" -
#2 0xa14 Child Process High (Elevated) nqmdwcixbxs.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe" #1

Behavior Information - Sequential View

Process #1: nqmdwcixbxs.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:00:36, Reason: Self Terminated
Monitor Duration 00:00:10
OS Process Information
Information Value
PID 0x964
Parent PID 0x45c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x968, 0x96C, 0x970, 0x980, 0x984, 0x988, 0xA20, 0xA2C
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EA6078, 0x73EBA5E0 False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EBFEDC False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EBBB90, 0x73EB9940 False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EB8690 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748B62B0, 0x7480CAB0 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748B11C4 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748BA025, 0x748B9DF8, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748BC078, 0x748CB090, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x7490A650, 0x748B29D1, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748CD000 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748D99AC, 0x748D8800 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x74937313, 0x748D61C4 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748C9B60 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x74936C58, 0x748D2EF4, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748D06C8, 0x748D56B0 False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EB1FAC False False
Threads
Thread 0x968
Category Operation Information Success Count
System Get Info type = Operating System True 3
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config, type = file_attributes False 1
User Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76c349d7 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x76c31072 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetThreadContext, address_out = 0x76c579d4 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 0x7714fc70 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\ntdll.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1
Fn
Module Get Filename module_name = c:\windows\syswow64\kernel32.dll, process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 1
Fn
Thread 0x970
1 0
Category Operation Information Success Count Logfile
Module Unmap process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe True 1
Fn
Process #2: nqmdwcixbxs.exe
609 103
Information Value
ID #2
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:34, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:40
OS Process Information
Information Value
PID 0xa14
Parent PID 0x964 (c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA18
0xA28
0xA30
0xA38
0xA3C
0xA40
0xA44
0xA7C
0xA80
0xA84
0xA88
0xA8C
0xA94
0xA98
0xA9C
0xAA0
0xAAC
0xAC4
0xAC8
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
custommarshalers.ni.dll 0x74710000 0x74749FFF Content Changed - 32-bit 0x74730E64 False False
custommarshalers.ni.dll 0x74710000 0x74749FFF Content Changed - 32-bit 0x74735920 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73B6F158, 0x73BD3F00, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C07874, 0x73BD4608, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BCC558, 0x73BCFB2B, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BD94F0, 0x73BD01D0 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BD8E08, 0x73C04B38 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BD2800, 0x73C0535C, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C0CDC4 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C0E000, 0x73C0D00D False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C19590 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BCE2A0 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BDB320 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BCC524 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73B6DA64 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BDB000, 0x73BDAF84, ... False False
buffer 0x006E0000 0x006E0FFF First Execution - 32-bit 0x006E0638, 0x006E09C4, ... False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A7D073 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A7E149 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A80050 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A81000 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A78650, 0x73A7A320, ... False False
system.xml.ni.dll 0x71100000 0x71635FFF Content Changed - 32-bit 0x711AF780 False False
system.xml.ni.dll 0x71100000 0x71635FFF Content Changed - 32-bit 0x7117E1A0, 0x71199290, ... False False
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe 440.00 KB
MD5: ef234f23724dc00e693bdb1b1218c1e8
SHA1: 27f0ca2bf23aca5bf4c737480038f23c7eea5b96
SHA256: 5d4e22be32dce5474b61e0df305861f2c07b10ddadbc2dc937481c7d2b736c81
SSDeep: 6144:gzxCyj385/GUCdxzGrGHqveLAS1aP4vAvKhAp081nNVjqKoe:gw8RxSle7AP4oy6nnjqKoe
YARA Match: False
Threads
Thread 0xa18
272 103
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 2
Fn
System Get Info type = Operating System True 1
Fn
Environment Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config, type = file_attributes True 1
Fn
System Get Info type = Operating System True 1
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Impersonation Level, data = 3 True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\advapi32.dll, base_address = 0x74d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x74d4ca24 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace, data = 114 True 1
Fn
COM Create interface = 3BC15AF2-736C-477E-9E51-238AF8667DCC, cls_context = CLSCTX_INPROC_SERVER True 3
Fn
User Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
System Get Computer Name result_out = XDUWTFONO True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductId, type = REG_NONE False 1
Fn
Module Get Handle module_name = c:\windows\syswow64\user32.dll, base_address = 0x74f40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Module Get Handle module_name = private_0x0000000000400000, base_address = 0x400000 True 2
Fn
Window Create class_name = WindowsForms10.Window.0.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 1997940189 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE False 1
Fn
Window Set Attribute class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 5182258 True 1
Fn
System Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x4f1652 True 1
Fn
User Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION True 3
Fn
System Get Info type = Operating System True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes True 2
Fn
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type True 2
Fn
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 6
Fn
Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 237 True 1
Fn
Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config, type = file_attributes False 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
System Get Computer Name result_out = XDUWTFONO True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking False 1
Fn
Mutex Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 9
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = www.vacanzaimmobiliare.it, address_out = 185.81.4.56 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
System Get Network Adapter Info - False 1
Fn
System Get Network Adapter Info - True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 80 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 310, size_out = 310 True 1
Fn
Data
Inet Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Inet Open Connection protocol = http, server_name = www.vacanzaimmobiliare.it, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /testla/WebPanel/post.php True 1
Fn
Inet Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.vacanzaimmobiliare.it, Content-Length: 157, Expect: 100-continue, Connection: Keep-Alive, url = www.vacanzaimmobiliare.it/testla/WebPanel/post.php True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 458 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 458 True 1
Fn
Data
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = www.vacanzaimmobiliare.it, address_out = 185.81.4.56 True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 80 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 286, size_out = 286 True 1
Fn
Data
Inet Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Inet Open Connection protocol = http, server_name = www.vacanzaimmobiliare.it, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /testla/WebPanel/post.php True 1
Fn
Inet Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.vacanzaimmobiliare.it, Content-Length: 203, Expect: 100-continue, url = www.vacanzaimmobiliare.it/testla/WebPanel/post.php True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 458 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 458 True 1
Fn
Data
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz, type = file_attributes True 1
Fn
File Get Info filename = C:\Users, type = file_attributes True 1
Fn
File Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, type = file_attributes False 1
Fn
File Copy source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = Load, type = REG_NONE False 1
Fn
Registry Write Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, value_name = Load, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, size = 130, type = REG_SZ True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, type = file_attributes True 1
Fn
File Delete filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe:Zone.Identifier False 1
Fn
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type True 2
Fn
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 6
Fn
Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 237 True 1
Fn
Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 True 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ False 1
Fn
Module Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 256 True 1
Fn
File Move source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, destination_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\\tmpG554.tmp, flags = MOVEFILE_WRITE_THROUGH True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 80 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 286, size_out = 286 True 1
Fn
Data
Inet Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Inet Open Connection protocol = http, server_name = www.vacanzaimmobiliare.it, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /testla/WebPanel/post.php True 1
Fn
Inet Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.vacanzaimmobiliare.it, Content-Length: 201, Expect: 100-continue, url = www.vacanzaimmobiliare.it/testla/WebPanel/post.php True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 458 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 458 True 1
Fn
Data
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = private_0x0000000000400000, base_address = 0x400000 True 2
Fn
Window Create class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = -4, new_long = 1997940189 True 1
Fn
Window Set Attribute class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = -4, new_long = 5183418 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CAPITAL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CAPITAL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CAPITAL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read result_out = 1 True 1
Fn
System Get foreground window - True 1
Fn
Keyboard Get Info type = KB_LOCALE_ID, os_tid = 1120, result_out = 67699721 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 False 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 False 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 False 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_CAPITAL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_CAPITAL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_CAPITAL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read result_out = 1 True 1
Fn
System Get foreground window - True 1
Fn
Keyboard Get Info type = KB_LOCALE_ID, os_tid = 1120, result_out = 67699721 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 False 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 False 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = -127 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 1 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 1 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 1 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 1 True 1
Fn
System Get foreground window - True 1
Fn
System Get window text window_text = 3860044 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 1 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 1 True 1
Fn
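The thread 0xa18 table above contains the behaviours that justify the Keylogger/Spyware classification: a WH_KEYBOARD_LL hook is registered and modifier keys are polled in a loop; the sample copies itself to %APPDATA%\Java\JavaUpdtr.exe, moves the original to a %TEMP%\tmp*.tmp file, and points the rarely used Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows at the copy (the attempt to strip the Zone.Identifier stream from the copy fails, as the False flag shows); it then POSTs form data to /testla/WebPanel/post.php with a hard-coded browser string. Two details are worth a practitioner's attention. The User-Agent claims Firefox/4.0 on Gecko rv:1.9.2.3, which never shipped together (Gecko 1.9.2 was Firefox 3.6), so the string is a reliable network indicator. And each connection to port 443 sends 129 bytes, receives 5 bytes, then 2 bytes, then EOF; the page shows only sizes, but that is the shape of a TLS record header followed by a two-byte alert, i.e. the server refused the handshake and the sample fell back to, or kept using, plain HTTP on port 80. The following Python is an added example written for this page, not code from the sample and not VMRay's VTI logic: it parses rows in the report's "Category Operation key = value, ..." layout and flags these behaviours. The rule names, the autostart-key list and the TLS-alert inference are this example's assumptions; the input rows are copied from the table above and reduced to the ones the rules inspect.

```python
import re

# Constructed sample input: rows copied from the thread 0xa18 table of this
# report, reduced to the ones the rules below inspect (not a full log).
USER = r"C:\Users\5p5NrGJn0jS HALPmcxz"
SAMPLE_ROWS = [
    "System Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x4f1652",
    "DNS Resolve Name host = www.vacanzaimmobiliare.it, address_out = 185.81.4.56",
    "Socket Connect remote_address = 185.81.4.56, remote_port = 80",
    "Inet Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; "
    "rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)",
    "Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, "
    "target_resource = /testla/WebPanel/post.php",
    "Socket Connect remote_address = 185.81.4.56, remote_port = 443",
    "Socket Send flags = NO_FLAG_SET, size = 129, size_out = 129",
    "Socket Receive flags = NO_FLAG_SET, size = 5, size_out = 5",
    "Socket Receive flags = NO_FLAG_SET, size = 5377, size_out = 2",
    "Socket Receive flags = NO_FLAG_SET, size = 5375, size_out = 0",
    f"File Copy source_filename = {USER}\\Desktop\\nqmdwcixbxs.exe, "
    f"destination_filename = {USER}\\AppData\\Roaming\\Java\\JavaUpdtr.exe",
    "Registry Write Value reg_name = HKEY_CURRENT_USER\\Software\\Microsoft\\"
    f"Windows NT\\CurrentVersion\\Windows, value_name = Load, data = {USER}"
    "\\AppData\\Roaming\\Java\\JavaUpdtr.exe, size = 130, type = REG_SZ",
    f"File Delete filename = {USER}\\AppData\\Roaming\\Java\\JavaUpdtr.exe:Zone.Identifier",
]

# "<Category> <Operation words> <key = value, key = value, ...>"
ROW_RE = re.compile(r"^(\S+) (.+?) (\w+ = .*)$")


def parse_row(row):
    """Split one report row into (category, operation, {key: value}).

    Rows without a 'key = value' part (e.g. 'System Get foreground window -')
    return None. A value that itself contains ', ' is glued back onto the
    preceding key, because the report uses ', ' as the field separator too.
    """
    m = ROW_RE.match(row)
    if not m:
        return None
    category, operation, info = m.groups()
    fields, last = {}, None
    for part in info.split(", "):
        if " = " in part:
            last, value = part.split(" = ", 1)
            fields[last] = value
        elif last is not None:
            fields[last] += ", " + part
    return category, operation, fields


# Autostart locations processed at logon (assumed list for this example). The
# 'Load' value under ...\Windows NT\CurrentVersion\Windows is the one used here.
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows nt\currentversion\windows",
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
)


def triage(rows):
    """Return {rule_name: [evidence, ...]} for the behaviours found in rows."""
    findings = {}
    recv_after_443 = None  # size_out values received after the last :443 connect

    def hit(rule, evidence):
        findings.setdefault(rule, []).append(evidence)

    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        cat, op, f = parsed
        if cat == "System" and op == "Register Hook" and f.get("type", "").startswith("WH_KEYBOARD"):
            hit("keylogger_hook", f["type"])
        elif cat == "Registry" and op == "Write Value":
            key = f.get("reg_name", "").lower()
            value = f.get("value_name", "").lower()
            if key.endswith(AUTOSTART_SUFFIXES[0]) and value in ("load", "run") \
                    or key.endswith(AUTOSTART_SUFFIXES[1:]):
                hit("autostart_persistence", f"{f['reg_name']}\\{f['value_name']} = {f.get('data')}")
        elif cat == "File" and op == "Copy" and "\\appdata\\" in f.get("destination_filename", "").lower():
            hit("self_copy_to_appdata", f["destination_filename"])
        elif cat == "File" and op == "Delete" and f.get("filename", "").endswith(":Zone.Identifier"):
            hit("mark_of_the_web_removal", f["filename"])
        elif cat == "Inet" and op == "Open HTTP Request" and f.get("http_verb") == "POST" \
                and f.get("target_resource", "").endswith(".php"):
            hit("http_post_to_php_panel", f["target_resource"])
        elif cat == "Inet" and op == "Open Session":
            ua = f.get("user_agent", "")
            # Gecko 1.9.2 shipped as Firefox 3.6, so 'rv:1.9.2.x' together with
            # 'Firefox/4.0' is a hard-coded fake, not a real browser string.
            if "rv:1.9.2" in ua and "Firefox/4.0" in ua:
                hit("inconsistent_user_agent", ua)
        elif cat == "Socket" and op == "Connect":
            recv_after_443 = [] if f.get("remote_port") == "443" else None
        elif cat == "Socket" and op == "Receive" and recv_after_443 is not None:
            recv_after_443.append(int(f["size_out"]))
            # 5-byte record header, 2-byte body, then EOF is the shape of a TLS
            # alert closing the connection (inference: the report shows sizes only).
            if recv_after_443 == [5, 2, 0]:
                hit("tls_handshake_rejected", f"recv sizes {recv_after_443}")
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_ROWS).items():
        print(f"{rule}: {evidence}")
```

On a suspect host the same findings translate into three checks: read the Load and Run values under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (most autostart tooling concentrates on the Run keys), look for %APPDATA%\Java\JavaUpdtr.exe and a stray tmp*.tmp in %TEMP% with the report's hashes, and search proxy logs for POSTs to post.php carrying the Firefox/4.0 rv:1.9.2.3 User-Agent.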
Thread 0xa30
1 0
Category Operation Information Success Count Logfile
Thread 0xa7c
5 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 5
Fn
Thread 0xa80
52 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Module Load module_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll, base_address = 0x6a310000 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ResetSecurity, address_out = 0x6a311944 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SetSecurity, address_out = 0x6a311986 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServices, address_out = 0x6a3119cc True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyHandle, address_out = 0x6a311a70 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = WritePropertyValue, address_out = 0x6a311a89 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x6a311aa2 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = VerifyClientKey, address_out = 0x6a312270 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetQualifierSet, address_out = 0x6a311d73 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Get, address_out = 0x6a311b96 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Put, address_out = 0x6a311b7a True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Delete, address_out = 0x6a311bb5 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetNames, address_out = 0x6a311bc8 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginEnumeration, address_out = 0x6a311be4 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Next, address_out = 0x6a311bf7 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndEnumeration, address_out = 0x6a311c16 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x6a311aa2 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetObjectText, address_out = 0x6a311c3c True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnDerivedClass, address_out = 0x6a311c52 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnInstance, address_out = 0x6a311c68 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CompareTo, address_out = 0x6a311c7e True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyOrigin, address_out = 0x6a311c94 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = InheritsFrom, address_out = 0x6a311caa True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethod, address_out = 0x6a311cbd True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutMethod, address_out = 0x6a311cd9 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = DeleteMethod, address_out = 0x6a311cf5 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = NextMethod, address_out = 0x6a311d1b True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndMethodEnumeration, address_out = 0x6a311d37 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodOrigin, address_out = 0x6a311d5d True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Get, address_out = 0x6a311d86 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Put, address_out = 0x6a311da2 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Delete, address_out = 0x6a311dbb True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_GetNames, address_out = 0x6a311dce True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Next, address_out = 0x6a311df7 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecQueryWmi, address_out = 0x6a31169e True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutInstanceWmi, address_out = 0x6a311790 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutClassWmi, address_out = 0x6a311810 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ConnectServerWmi, address_out = 0x6a3124b7 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Thread 0xaac
160 0
»
Category Operation Information Success Count Logfile
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes True 3
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_type True 2
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 18432, size_out = 18432 True 1
Fn
Data
Environment Get Environment String name = APPDATA, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_type True 2
Fn
File Read filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 4096, size_out = 111 True 1
Fn
Data
File Read filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\silmbjec.default\logins.json, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config, type = file_attributes False 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 131
Fn
File Get Info filename = C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe, type = file_attributes False 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\logins.json, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Comodo\Dragon\User Data\Default\Login Data, type = file_attributes False 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Flock\Browser\profiles.ini, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
Environment Get Environment String name = PROGRAMFILES, result_out = C:\Program Files (x86) True 1
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\, type = file_attributes True 2
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Thunderbird\, type = file_attributes False 2
Fn
File Get Info filename = C:\Program Files (x86)\SeaMonkey\, type = file_attributes False 2
Fn
File Get Info filename = C:\Program Files (x86)\Flock\, type = file_attributes False 2
Fn
File Get Info filename = C:\Program Files (x86)\Mozilla Firefox\, type = file_attributes True 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\\msvcr100.dll, base_address = 0x70370000 True 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\\msvcp100.dll, base_address = 0x70300000 True 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\\msvcr120.dll, base_address = 0x0 False 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\\msvcp120.dll, base_address = 0x0 False 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\\msvcp140.dll, base_address = 0x0 False 2
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\\vcruntime140.dll, base_address = 0x0 False 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\mozglue.dll, base_address = 0x702d0000 True 1
Fn
Module Load module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x70110000 True 1
Fn
Module Get Address module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x701cd70b True 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Flock\Browser\signons3.txt, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Chromium\User Data\Default\Login Data, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 False 1
Fn
Registry Get Key Info reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = Email, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP Password, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Password, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Email, type = REG_BINARY True 2
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP Password, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = Email, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = IMAP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = POP3 Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = HTTP Password, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004, value_name = SMTP Password, type = REG_NONE False 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\profiles.ini, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\signons.sqlite, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Mail\Opera Mail\wand.dat, type = file_attributes False 1
Fn
Environment Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Pocomail\accounts.ini, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine False 2
Fn
Environment Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\The Bat!, type = file_attributes False 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\FileZilla\recentservers.xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
Environment Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions False 1
Fn
Environment Get Environment String name = APPDATA, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
File Create filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\CoreFTP\sites.idx, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites, value_name = Host, data = 2147942402 False 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Read Value value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort, data = 2147942403 False 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Read Value value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser, data = 2147942403 False 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Read Value value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW, data = 2147942403 False 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Read Value value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName, data = 2147942403 False 1
Fn
File Get Info filename = C:\ProgramData\DynDNS\Updater\config.dyndns, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Paltalk False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\, type = file_attributes False 1
Fn
COM Get Class ID cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander, value_name = UninstallString, data = 2147942402 False 1
Fn
File Get Info filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ftplist.txt, type = file_attributes False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC False 2
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC False 2
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\DownloadManager\Passwords False 1
Fn
File Get Info filename = C:\Program Files (x86)\jDownloader\config\database.script, type = file_attributes False 1
Fn
Thread 0xac4
17 0
»
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2019-07-21 23:35:26 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:27 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:28 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:29 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:30 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:31 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:32 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:33 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:34 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:35 (UTC) True 1
Fn
System Get Time type = System Time, time = 2019-07-21 23:35:36 (UTC) True 1
Fn
System Get Time type = System Time, time = 1602-08-21 03:50:32 (UTC) True 1
Fn
System Get Time type = System Time, time = 1602-08-21 03:50:33 (UTC) True 1
Fn
System Get Time type = System Time, time = 1627-02-28 13:28:30 (UTC) True 1
Fn
System Get Time type = System Time, time = 1627-02-28 13:28:31 (UTC) True 1
Fn
System Get Time type = System Time, time = 1627-02-28 13:28:32 (UTC) True 1
Fn
System Get Time type = System Time, time = 1627-02-28 13:28:34 (UTC) True 1
Fn