GottaCry.exe
Windows Exe (x86-32)
Created at 2019-05-25T08:39:00
Remarks
(0x200000c): The maximum memory dump size was exceeded. Some dumps may be missing in the report.
Monitored Processes
Behavior Information - Sequential View
Process #1: gottacry.exe
1077
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\fd1hvy\desktop\gottacry.exe |
| Command Line | "C:\Users\FD1HVy\Desktop\GottaCry.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:00:32, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:32, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe94 |
| Parent PID | 0x860 (c:\windows\system32\werfault.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B10
0x
7EC
0x
FF4
0x
ED4
0x
39C
0x
F94
0x
838
0x
B60
0x
B0C
0x
EE4
0x
58
0x
FD4
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9104B97D8, 0x7FF9105D9820, ... |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9105E6820, 0x7FF9104B97D8 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9104BE708 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9105E8B30, 0x7FF9104BE708 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9104B8EF0 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC7E760 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC80200 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC86000 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC7F000 |
|
|
|
| system.xml.ni.dll | 0x7FF90C3B0000 | 0x7FF90CC46FFF | Content Changed | - | 64-bit | 0x7FF90C4EF000 |
|
|
|
| system.xml.ni.dll | 0x7FF90C3B0000 | 0x7FF90CC46FFF | Content Changed | - | 64-bit | 0x7FF90C4F04C0 |
|
|
|
| system.xml.ni.dll | 0x7FF90C3B0000 | 0x7FF90CC46FFF | Content Changed | - | 64-bit | 0x7FF90C4F1960 |
|
|
|
| system.xml.ni.dll | 0x7FF90C3B0000 | 0x7FF90CC46FFF | Content Changed | - | 64-bit | 0x7FF90C4F4100 |
|
|
|
| system.xml.ni.dll | 0x7FF90C3B0000 | 0x7FF90CC46FFF | Content Changed | - | 64-bit | 0x7FF90C4F2A70 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC81B60 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC82010 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC8319F |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC84040 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC890E0 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC87000 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC989E0 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC88000 |
|
|
|
| system.configuration.ni.dll | 0x7FF90CC50000 | 0x7FF90CD71FFF | Content Changed | - | 64-bit | 0x7FF90CC8ABB0 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9104B8EF8 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9105E7160 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9104BCEE0 |
|
|
|
| microsoft.visualbasic.ni.dll | 0x7FF910470000 | 0x7FF910686FFF | Content Changed | - | 64-bit | 0x7FF9105DA0A0, 0x7FF9104BCEE0 |
|
|
|
Threads
Thread 0xb10
890
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_attributes |
|
2 | |
| File | Create | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = file_type |
|
2 | |
| File | Get Info | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 4096 |
|
8 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 3215 |
|
1 | |
| File | Read | filename = C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config, size = 4096, size_out = 0 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\GottaCry.exe.config, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x7ff90bef0000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x7ff931730000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = DefWindowProcW, address_out = 0x7ff931fe5090 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll, base_address = 0x7ff90bef0000 |
|
18 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
2 | |
| Window | Create | window_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, class_name = .NET-BroadcastEventWindow.4.0.0.0.141b42a.0, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll, base_address = 0x7ff90bef0000 |
|
17 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\GottaCry.exe.config, type = file_attributes |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll, base_address = 0x7ff90bef0000 |
|
6 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
2 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll, base_address = 0x7ff90bef0000 |
|
26 | |
| System | Get Cursor | x_out = 443, y_out = 363 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll, base_address = 0x7ff90bef0000 |
|
1 | |
| System | Get Cursor | x_out = 443, y_out = 363 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.15063.413_none_0e0f5dcc67adff4e\comctl32.dll, base_address = 0x7ff90bef0000 |
|
43 | |
| Module | Get Handle | module_name = comctl32.dll, base_address = 0x0 |
|
1 | |
| Module | Load | module_name = comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get Cursor | x_out = 443, y_out = 363 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = GottaCry | Windows encryptor, class_name = WindowsForms10.Window.8.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7464176 |
|
2 | |
| System | Get Cursor | x_out = 443, y_out = 363 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
2 | |
| Window | Create | window_name = Unlock, class_name = WindowsForms10.BUTTON.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.EDIT.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
2 | |
| Window | Create | window_name = Unlock password:, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = All of your passwords were recovered into my servers, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = All your desktop files were moved to my server until payment is done, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = Contact only on discord!, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.EDIT.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = GottaCry | Windows Decryptor 2019 ©, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = discord link (click), class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = DISCORD: Russen#6061, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = All your files were encrypted , class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = 50$ bitcoin or 70$ paypal, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = If you turn off your computer, we will leak all your passwords and will delete your computer, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = Your computer has been encrypted, class_name = WindowsForms10.STATIC.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| Module | Get Handle | module_name = c:\users\fd1hvy\desktop\gottacry.exe, base_address = 0x350000 |
|
1 | |
| Window | Create | window_name = Copy, class_name = WindowsForms10.BUTTON.app.0.141b42a_r6_ad1, wndproc_parameter = 0 |
|
1 | |
| System | Get window text | window_text = 7462832 |
|
1 | |
| System | Get window text | window_text = 7462400 |
|
1 | |
| System | Get window text | window_text = 7462272 |
|
1 | |
| System | Get window text | window_text = 7462240 |
|
1 | |
| System | Get window text | window_text = 7462144 |
|
1 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| Process | Create | process_name = https://localbitcoins.com, show_window = SW_SHOWNORMAL |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
83 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = GottaCry, type = REG_NONE |
|
1 | |
| Registry | Write Value | reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = GottaCry, data = C:\Users\FD1HVy\Desktop\GottaCry.exe, size = 74, type = REG_SZ |
|
1 | |
| System | Get window text | window_text = 7462784 |
|
1 | |
| System | Get window text | window_text = 7462864 |
|
1 | |
| System | Get window text | window_text = 7460064 |
|
1 | |
| System | Get window text | window_text = 7459856 |
|
2 | |
| System | Get window text | window_text = 7460064 |
|
1 | |
| System | Get window text | window_text = 7459856 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7462560 |
|
1 | |
| System | Get window text | window_text = 7459424 |
|
1 | |
| System | Get window text | window_text = 7459216 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7462544 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462480 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462448 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462528 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462704 |
|
2 | |
| System | Get window text | window_text = 7462512 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462544 |
|
2 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings, value_name = Anchor Color, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings, value_name = Anchor Color, data = 0,0,255, type = REG_SZ |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, value_name = Anchor Underline, data = 0, type = REG_SZ |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, value_name = Anchor Underline, data = yes, type = REG_SZ |
|
1 | |
| System | Get window text | window_text = 7462544 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462512 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462528 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462400 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7462512 |
|
2 | |
| Module | Get Handle | module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.15063.483_none_26002d27e7c744a2\comctl32.dll, base_address = 0x7ff9270a0000 |
|
1 | |
| System | Get window text | window_text = 7459424 |
|
1 | |
| System | Get window text | window_text = 7459216 |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
13 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
3 | |
| System | Get window text | window_text = 7459424 |
|
1 | |
| System | Get window text | window_text = 7459216 |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
29 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
1 | |
| System | Get window text | window_text = 7459424 |
|
1 | |
| System | Get window text | window_text = 7459216 |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
14 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
16 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7459424 |
|
1 | |
| System | Get window text | window_text = 7459216 |
|
2 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
2 | |
| Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
25 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
27 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
26 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
26 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
27 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
27 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -127 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
26 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = -128 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get window text | window_text = 7457648 |
|
1 | |
| System | Get window text | window_text = 7457440 |
|
2 | |
| System | Get window text | window_text = 7462848 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
1 | |
| Keyboard | Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
6 |
Thread 0xed4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0xfd4
118
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| File | Get Info | filename = C:\Users\DontFuckMe, type = file_attributes |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\--L05hp3fv9.png, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\--L05hp3fv9.png |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\1C43JvIy2z.avi, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\1C43JvIy2z.avi |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\6IBxX2LNqhJFYXVQYS0W.bmp, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\6IBxX2LNqhJFYXVQYS0W.bmp |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\9N1u2btn9yPvOjA.m4a, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\9N1u2btn9yPvOjA.m4a |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\9nfD.gif, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\9nfD.gif |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\CONgsjZCET.mp4, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\CONgsjZCET.mp4 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\desktop.ini, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\desktop.ini |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\GottaCry.exe, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\GottaCry.exe |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\HcPQ9aQ09Z3yq.mp4, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\HcPQ9aQ09Z3yq.mp4 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\JdOHkTwIW D- 2Su4U1X.flv, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\JdOHkTwIW D- 2Su4U1X.flv |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\jo51jZ-8ooS.jpg, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\jo51jZ-8ooS.jpg |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\JQUOsla.gif, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\JQUOsla.gif |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\kUyiUtgZT3aaZTCnGBG.wav, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\kUyiUtgZT3aaZTCnGBG.wav |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\LmFV6mZwywUte2Wx.mp3, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\LmFV6mZwywUte2Wx.mp3 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\LQ jOTd.mp3, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\LQ jOTd.mp3 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\LUepN7ov7Oz3L7J.mp3, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\LUepN7ov7Oz3L7J.mp3 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\m2XL.rtf, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\m2XL.rtf |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\nFaIgJNWTp4mMdZ.m4a, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\nFaIgJNWTp4mMdZ.m4a |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\NnSQ.mp3, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\NnSQ.mp3 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\O67RCTmouURcYS_.png, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\O67RCTmouURcYS_.png |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\r1t-hn57kceBTM0n.avi, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\r1t-hn57kceBTM0n.avi |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\rDiKAyzeX.pptx, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\rDiKAyzeX.pptx |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\rFDA42 soc19d.wav, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\rFDA42 soc19d.wav |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\rR1ynxjK.wav, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\rR1ynxjK.wav |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\S5R3CNV76ET.png, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\S5R3CNV76ET.png |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\sCti5J-zHdiT5J.pdf, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\sCti5J-zHdiT5J.pdf |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\SvZdTz5uu_dcureKFHD.wav, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\SvZdTz5uu_dcureKFHD.wav |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\tZdJbSC_BxXs_dGdDs.jpg, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\tZdJbSC_BxXs_dGdDs.jpg |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\U uNu4WFx4W Q.wav, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\U uNu4WFx4W Q.wav |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\uludpfxqYRGHOoD hz.bmp, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\uludpfxqYRGHOoD hz.bmp |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\uoSLaSZ.ots, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\uoSLaSZ.ots |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\XwLYw.mp4, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\XwLYw.mp4 |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\YB67 4.wav, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\YB67 4.wav |
|
1 | |
| File | Get Info | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB, type = file_attributes |
|
2 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\5pFwrOduO_s_E.jpg |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\EKM1o2Ttc4D0Kn.flv |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\gR5j2UyK7PW3S5L2SqLl.mp4 |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\hnSVWIs8tNNZcPDxr.wav |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\ki7IKF9ARfC_nN.m4a |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\KpW aJ73U.gif |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\ne81c0f.jpg |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\PiOj6qcCI-47.doc |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\QynV.flv |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\SrQU6.bmp |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\t1fGlG4Fb3whav_0E_.jpg |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\VWcoZ4s.m4a |
|
1 | |
| File | Delete | filename = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB\W8 nshMTU_.m4a |
|
1 | |
| File | Delete Directory | directory = C:\Users\FD1HVy\Desktop\4hFqVTgno3jT_N5-sB |
|
1 |
Process #4: openwith.exe
6
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\WINDOWS\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:01:35, Reason: RPC Server |
| Unmonitor | End Time: 00:01:51, Reason: Self Terminated |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf08 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeDebugPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4A4
0x
9E0
0x
BFC
0x
7F0
0x
7A4
0x
CF0
0x
6D8
0x
FD0
0x
D38
0x
D74
0x
B64
0x
174
0x
ECC
0x
E80
0x
E84
0x
F04
0x
B6C
0x
6AC
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_idx.db | 113.77 KB |
MD5:
ef8f2a92b695a814a831823462993327
SHA1: b2525154aa9f539c5c6ec9c3276ba5fb488c335b SHA256: bb06660e07d9c6c11d8cbc5877a298998554abbc2f78319c39f9b18d393a79a2 SSDeep: 384:Sns0cn3yWhXKXx2QuLD/z35OqXp1OKPo7Ep+erXofe/co37qwLDeYf7Wm:SnXOakzLrz30MYWxvXofc7q8T |
|
|
| c:\users\fd1hvy\appdata\local\microsoft\windows\explorer\iconcache_32.db | 3.00 MB |
MD5:
d42da5feab76d156eed14386b3ba0fc9
SHA1: e075d399a08c2a365a0f5204df10907884da7585 SHA256: 1771938a553949a51bcd766c9626947e65a3c3b4329cc0c2dd9fa9f2b6b043b7 SSDeep: 24576:EVZt4VPVJ02LPknyS5iz7ZTYqjYKqsdN7OQ:EVZt0PVu2LgiPZTYoXqsd |
|
|
Threads
Thread 0x7a4
6
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| COM | Create | interface = CE149B23-5941-4079-9223-52C0A991EC48, cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Mutex | Create | mutex_name = Local\SM0:3848:120:WilError_01, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Mutex | Release | mutex_name = Local\SM0:3848:120:WilError_01 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ff931f40000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = RtlDllShutdownInProgress, address_out = 0x7ff931f7cea0 |
|
1 | |
| Mutex | Release | - |
|
1 |
