Joe Sandbox - Report 17980

General Information

Start time:	09:57:02
Start date:	15/08/2012
Overall analysis duration:	0h 3m 18s
Sample file name:	Hermes_.exe
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Errors:	Too many NtProtectVirtualMemory calls (excessive behavior) Too many NtAllocateVirtualMemory calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures

Printf formatting strings found in memory and binary data
Urls found in memory or binary data
Program does not show much activity (idle)

Startup

system is xp Hermes_.exe (PID: 2724 MD5: 20BE4F07F9A12C35463361A7212CA5FF) cleanup

system is xp

Hermes_.exe (PID: 2724 MD5: 20BE4F07F9A12C35463361A7212CA5FF)

cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name:	Hermes_.exe
File size:	407040
MD5:	20be4f07f9a12c35463361a7212ca5ff
SHA1:	07b2a4af66c5de5f69a1efd175de3bff9d48ba8e
SHA256:	f42e71f3e5121412e2c82d7ac982e5036f63d39c1c6591c3630f6b3fd8a48180
SHA512:	7adef3f325acda1c8babe9d5f1e03d36ee4fbd8fe2d6698fa8f70a301483ca34fe7fc62afce52e05a1615c77d4ae285e7378b259cfea6dfa1a9b5055a52c21bb

Static PE Info

General
Entrypoint:	0x401000
Entrypoint Section:
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x27E2A2D4 [Sat Mar 16 22:57:24 1991 UTC]
TLS Callbacks:

Resources

Name	RVA	Size	Type
RT_ICON	0x18d478	0x10a8	data
RT_GROUP_ICON	0x18e520	0x14	MS Windows icon resource - 1 icon
RT_VERSION	0x18e534	0x384	data
RT_VERSION	0x18e8b8	0x384	data
RT_VERSION	0x18ec3c	0x384	data
RT_VERSION	0x18efc0	0x384	data
RT_VERSION	0x18f344	0x384	data
RT_VERSION	0x18f6c8	0x384	data
RT_VERSION	0x18fa4c	0x384	data
RT_VERSION	0x18fdd0	0x384	data
RT_VERSION	0x190154	0x384	data
RT_VERSION	0x1904d8	0x384	data
RT_VERSION	0x19085c	0x384	data
RT_VERSION	0x190be0	0x384	data
RT_VERSION	0x190f64	0x384	data
RT_VERSION	0x1912e8	0x384	data
RT_VERSION	0x19166c	0x384	data
RT_VERSION	0x1919f0	0x384	data
RT_VERSION	0x191d74	0x384	data
RT_VERSION	0x1920f8	0x384	data
RT_VERSION	0x19247c	0x384	data
RT_VERSION	0x192800	0x384	data

Imports

DLL	Import
kernel32.dll	GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll	GetForegroundWindow
ntprint.dll	PSetupSelectDeviceButtons
version.dll	VerQueryValueA
gdi32.dll	UnrealizeObject
comctl32.dll	ImageList_SetIconSize
oleaut32.dll	VariantChangeTypeEx
kernel32.dll	RaiseException

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
	0x1000	0x153000	0x4600	7.98945756036
	0x154000	0x1000	0x400	7.83865363724
	0x155000	0x1000	0x200	7.58564983137
	0x156000	0x37000	0x36800	7.99918501105
.rsrc	0x18d000	0x6000	0x5c00	3.93367409359
.data	0x193000	0x59000	0x22000	7.82172434208
.adata	0x1ec000	0x1000	0x0	0.0

Version Infos

Description	Data
LegalCopyright	(c) 2000-2010 Martin Prikryl
InternalName	winscp
FileVersion	4.2.9.938
CompanyName	Martin Prikryl
ReleaseType	stable
LegalTrademarks
WWW	http://winscp.net/
ProductName	WinSCP
ProductVersion	4.2.9.0
FileDescription	WinSCP: SFTP, FTP and SCP client
OriginalFilename	winscp.exe
OriginalFilename	winscp.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map

String Analysis

Formattings for printf style functions

String value	Source
%SystemRoot%\System32\mswsock.dll	Hermes_.exe
Ebp: %x	Hermes_.exe
\|i %u#)	Hermes_.exe
Esp: %x	Hermes_.exe
\|%SystemRoot%\system32\rsvpsp.dll	Hermes_.exe
Code = [%d]	Hermes_.exe
Pw%n[w	Hermes_.exe
Ebx: %x	Hermes_.exe
%n Options\Hermes	Hermes_.exe
- [%s]	Hermes_.exe
%d.%d.%d.%d	Hermes_.exe
NT 3.%u	Hermes_.exe
Ecx: %x	Hermes_.exe
NT 4.%u	Hermes_.exe
%Ph[7]	Hermes_.exe
The procedure entry point %s could not be located in the dynamic link library %s	Hermes_.exe
Assertion failed: %s, file %s, line %d	Hermes_.exe
Eip: %x	Hermes_.exe
~\|s%p^	Hermes_.exe
Edi: %x	Hermes_.exe
Edx: %x	Hermes_.exe
DragDrop%lx	Hermes_.exe
675%Et	Hermes_.exe
Esi: %x	Hermes_.exe
P6 (Model %d)	Hermes_.exe
lhaplpkbq%eiuw	Hermes_.exe
TcJ%X~G	Hermes_.exe
)9%i@I	Hermes_.exe
Eax: %x	Hermes_.exe
The ordinal %u could not be located in the dynamic link library %s	Hermes_.exe
%SystemRoot%\system32\rsvpsp.dll	Hermes_.exe
%SystemRoot%\System32\winrnr.dll	Hermes_.exe
%SystemRoot%\system32\mswsock.dll	Hermes_.exe

URLs

String value	Source
http://winscp.net/	Hermes_.exe

Network Behavior

No network behavior found

Code Manipulation Behavior

System Behavior

Analysis File: Hermes_.exe PID: 2724 Parent PID: 1760

General

Start time:	09:39:46
Start date:	24/01/2012
Path:	C:\Hermes_.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	407040 bytes
MD5 hash:	20BE4F07F9A12C35463361A7212CA5FF

File Activites

File Opened

File Path	Access	Options	Content overwritten	Completion	Count	Source Address	Symbol
C:\	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\ntprint.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SETUPAPI.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\WINSPOOL.DRV	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\mscms.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\CRYPT32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\MSASN1.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\IMM32.DLL	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	3	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\SHELL32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202	execute or traverse and synchronize	directory file and synchronous io non alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Manifest	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	2	7C90E457	KiUserApcDispatcher
C:\WINDOWS\WindowsShell.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\Hermes_.exe	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\Hermes_.exe.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Manifest	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\comctl32.dll.124.Config	read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize	synchronous io non alert and non directory file	false	object name not found	1	7C90E457	KiUserApcDispatcher
\Device\KsecDD	read data or list directory and synchronize	synchronous io alert	false	success or wait	1	7C90E457	KiUserApcDispatcher
C:\WINDOWS\system32\wsock32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	5E84B7	LoadLibraryA
C:\WINDOWS\system32\WS2_32.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	5E84B7	LoadLibraryA
C:\WINDOWS\system32\WS2HELP.dll	execute or traverse and synchronize	synchronous io non alert and non directory file	false	success or wait	1	5E84B7	LoadLibraryA
C:\WINDOWS\WindowsShell.Manifest	read attributes and synchronize and generic read	synchronous io non alert and non directory file		success or wait	1	7C90E457	KiUserApcDispatcher
Scsi0:	read attributes and synchronize and generic read and generic write	synchronous io non alert and non directory file	true	success or wait	1	5C70D8	CreateFileA

File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address	Symbol
C:\	90028	NU LL		success or wait	1	7C90E457	KiUserApcDispatcher

Section Activites

Section loaded by Windows

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
unknown	query and write and read and execute and extend size	reserve	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	320000	24576	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\NLS\NlsSectionSortkey00000409	read	unknown	unknown	unknown	unknown	unknown	object name not found	1
\KnownDlls\user32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ntprint.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\ntprint.dll	query and write and read and execute	image	5F180000	98304	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\SETUPAPI.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
\KnownDlls\WINSPOOL.DRV	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\winspool.drv	query and write and read and execute	image	73000000	155648	own pid	read write	success or wait	1
\KnownDlls\mscms.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\mscms.dll	query and write and read and execute	image	73B30000	86016	own pid	read write	success or wait	1
\KnownDlls\CRYPT32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	1
\KnownDlls\MSASN1.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
\KnownDlls\oleaut32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1302528	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	5F0000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	5F0000	110592	own pid	execute	success or wait	1
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	A30000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	A40000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	A40000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	A40000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	A40000	4096	own pid	readonly	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	read	commit	A40000	4096	own pid	readonly	success or wait	1
C:\Hermes_.exe	read	commit	A60000	409600	own pid	readonly	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	A80000	618496	own pid	readonly	success or wait	1

Section loaded by Program

File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\KnownDlls\wsock32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1	5E84B7
C:\WINDOWS\system32\wsock32.dll	query and write and read and execute	image	71AD0000	36864	own pid	read write	success or wait	1	5E84B7
\KnownDlls\WS2_32.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1	5E84B7
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1	5E84B7
\KnownDlls\WS2HELP.dll	write and read and execute	unknown	unknown	unknown	unknown	unknown	object name not found	1	5E84B7
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1	5E84B7

Registry Activites

Key Path	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key	success or wait	1	5C18AC	unknown

Key Value Modified

Key Path	Name	Type	Old Data	New Data	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key	NULL	unicode			success or wait	1	5BF5D5	RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key		unicode		regfile	success or wait	1	5BF636	RegSetValueExA

Key Path	Name	Completion	Count	Source Address	Symbol
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CWDIllegalInDLLSearch	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSAppCompat	success or wait	3	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	SafeDllSearchMode	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize	DisableMetaFiles	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server	TSUserEnabled	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	LeakTrack	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	EnableBalloonTips	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemSetupInProgress	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP	seed	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	OsLoaderPath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\Setup	SystemPartition	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	SourcePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackSourcePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	ServicePackCachePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	DriverCachePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	DevicePath	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogLevel	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup	LogPath	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName	ComputerName	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Hostname	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Domain	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_USERS\Control Panel\Desktop	SmoothScroll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager	CriticalSectionTimeout	success or wait	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole	RWLockResourceTimeOut	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface	InterfaceHelperDisableTypeLib	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAll	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}	InterfaceHelperDisableAllForOle32	object name not found	1	7C90E457	KiUserApcDispatcher
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters	WinSock_Registry_Version	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters	WinSock_Registry_Version	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	buffer overflow	2	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	AddressFamily	object name not found	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	AddressFamily	object name not found	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	AddressFamily	object name not found	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	success or wait	1	5D895B5B	unknown
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters	Ws2_32NumHandleBuckets	object name not found	1	5D895B5B	unknown

Mutex Activites

Name	Completion	Count	Source Address	Symbol
unknown	success or wait	3	7C90E457	KiUserApcDispatcher

Process Activites

PID	Process info class	Completion	Count	Source Address	Symbol
2724	Cookie	success or wait	3	7C90E457	KiUserApcDispatcher
2724	ImageInformation	success or wait	1	7C90E457	KiUserApcDispatcher
2724	Wow64Information	success or wait	2	7C90E457	KiUserApcDispatcher
2724	SessionInformation	success or wait	1	7C90E457	KiUserApcDispatcher
2724	DeviceMap	success or wait	1	5C76A2	GetDriveTypeA

Thread Activites

Thread Delayed

TID	Delay	Completion	Count	Source Address	Symbol
2728	0s	success or wait	1131	4016A7	Sleep

Memory Activites

Memory Allocated

PID	Filepath	Base	Length	Protection	Completion	Count	Source Address	Symbol
2724	C:\Hermes_.exe	140000	12FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	140000	12FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	240000	12FB14	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	240000	12FB18	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	250000	12F340	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	251000	12F168	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A20000	12F91C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A20000	12F920	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A21000	12F5FC	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A23000	12F6B8	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A40000	12F968	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A40000	12F96C	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A41000	12F648	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A60000	12F974	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A60000	12F978	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A61000	12F654	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A70000	12F904	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A70000	12F908	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A71000	12F5E4	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A73000	12F698	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	A80000	12FF80	page execute and read and write	success or wait	1	593186	VirtualAlloc
2724	C:\Hermes_.exe	A80000	12FF48	page read and write	success or wait	5	5E80CA	VirtualAlloc
2724	C:\Hermes_.exe	B30000	12FE08	page no access	success or wait	1	5B63FC	VirtualAlloc
2724	C:\Hermes_.exe	B30000	12FDF8	page read and write	success or wait	1	5B65CE	VirtualAlloc
2724	C:\Hermes_.exe	B34000	12FE8C	page read and write	success or wait	1	5B65CE	VirtualAlloc
2724	C:\Hermes_.exe	A80000	12FEB4	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	A90000	12FEB4	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	AA0000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	B3C000	12FE24	page read and write	success or wait	1	5B65CE	VirtualAlloc
2724	C:\Hermes_.exe	AB0000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	AC0000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	AD0000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	AE0000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	B40000	12FE24	page read and write	success or wait	1	5B65CE	VirtualAlloc
2724	C:\Hermes_.exe	AF0000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	B00000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	B10000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C30000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C40000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C50000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C60000	12FEE0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C70000	12FF2C	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C80000	12F1DC	page execute and read and write	success or wait	2	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C80000	12F0BC	page execute and read and write	success or wait	5	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	B44000	12FD68	page read and write	success or wait	1	5B65CE	VirtualAlloc
2724	C:\Hermes_.exe	B44000	12FD58	page read and write	success or wait	1	5B65CE	VirtualAlloc
2724	C:\Hermes_.exe	C80000	12F1F0	page execute and read and write	success or wait	1	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C80000	12F1CC	page execute and read and write	success or wait	21	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C80000	12F1D8	page execute and read and write	success or wait	4	5D49DE	VirtualAlloc
2724	C:\Hermes_.exe	C80000	12F1BC	page execute and read and write	success or wait	3	5D49DE	VirtualAlloc

PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address	Symbol
2724	C:\Hermes_.exe	7C801000	1000	page read and write	page execute read	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	7C801000	1000	page execute read	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	593000	59000	page read and write	page execute and write copy	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	593000	59000	page execute and write copy	page read and write	success or wait	1	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77F11000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77F11000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	7E411000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	7E411000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	593000	59000	page read and write	page execute and read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	593000	59000	page execute and read and write	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77C11000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77C11000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	5F181000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	5F181000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77DD1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77DD1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77E71000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77E71000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77FE1000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77FE1000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	7C9C1000	2000	page read and write	page execute read	success or wait	8	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	7C9C1000	2000	page execute read	page read and write	success or wait	8	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77F61000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77F61000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77921000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77921000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	73001000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	73001000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	73B31000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	73B31000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77A81000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77A81000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77B21000	1000	page read and write	page execute read	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77B21000	1000	page execute read	page read and write	success or wait	3	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77C01000	1000	page read and write	page execute read	success or wait	2	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77C01000	1000	page execute read	page read and write	success or wait	2	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	5D091000	1000	page read and write	page execute read	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	5D091000	1000	page execute read	page read and write	success or wait	5	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77121000	1000	page read and write	page execute read	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	77121000	1000	page execute read	page read and write	success or wait	6	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	774E1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	774E1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	76391000	1000	page read and write	page execute read	success or wait	4	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	76391000	1000	page execute read	page read and write	success or wait	4	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	773D1000	1000	page read and write	page execute read	success or wait	7	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	773D1000	1000	page execute read	page read and write	success or wait	7	7C90E457	KiUserApcDispatcher
2724	C:\Hermes_.exe	71AD1000	1000	page read and write	page execute read	success or wait	1	5E84B7	LoadLibraryA
2724	C:\Hermes_.exe	71AD1000	1000	page execute read	page read and write	success or wait	1	5E84B7	LoadLibraryA
2724	C:\Hermes_.exe	71AB1000	1000	page read and write	page execute read	success or wait	4	5E84B7	LoadLibraryA
2724	C:\Hermes_.exe	71AB1000	1000	page execute read	page read and write	success or wait	4	5E84B7	LoadLibraryA

Memory Usage Statistics

Time	Private Usage (mb)	Workingset (mb)	Page File Usage (mb)
09:39:47	2	4	2
09:39:48	2	4	2

System Activites

System info class	Completion	Count	Source Address	Symbol
BasicInformation	success or wait	15	7C90E457	KiUserApcDispatcher
RangeStartInformation	success or wait	1	7C90E457	KiUserApcDispatcher
ProcessorInformation	success or wait	5	7C90E457	KiUserApcDispatcher

Windows UI Activites

Information about Foreground Window Queried

HWND	Completion	Count	Source Address	Symbol
10084	success	1131	40167D	NtUserGetForegroundWindow

Chronological Activities

Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch	object name not found	526097361
System info queried	Type: BasicInformation	success or wait	526100572
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: 140000 Length: 12FB14 Allocation Type: unknown Protection: page read and write	success or wait	526101429
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: 140000 Length: 12FB18 Allocation Type: unknown Protection: page read and write	success or wait	526101688
System info queried	Type: BasicInformation	success or wait	526102766
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: 240000 Length: 12FB14 Allocation Type: unknown Protection: page read and write	success or wait	526103051
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: 240000 Length: 12FB18 Allocation Type: unknown Protection: page read and write	success or wait	526103301
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526105907
File control set	Path: C:\ Control Code: 90028 Input Buffer:	success or wait	526106835
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	526108255
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C801000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526109875
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C801000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526116091
Process information queried	PID: 2724 Info Class: Cookie	success or wait	526117717
System info queried	Type: RangeStartInformation	success or wait	526118009
System info queried	Type: BasicInformation	success or wait	526118250
Section loaded	Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	526119003
System info queried	Type: BasicInformation	success or wait	526123547
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: 250000 Length: 12F340 Allocation Type: unknown Protection: page read and write	success or wait	526124084
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	526127312
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	526128813
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	526132572
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	526134496
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	526135911
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526139160
Section loaded	Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526139527
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: 251000 Length: 12F168 Allocation Type: unknown Protection: page read and write	success or wait	526139844
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and write copy	success or wait	526140756
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and write copy New Protection: page read and write	success or wait	526142007
Section loaded	Path: \KnownDlls\user32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	526143206
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	526144620
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526146855
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526147431
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526147797
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526148187
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526148574
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526149179
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526149537
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526150226
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526150549
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526150960
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526151278
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526151733
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526152021
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526152876
Section loaded	Path: \KnownDlls\ntprint.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526154081
File opened	Path: C:\WINDOWS\system32\ntprint.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526157065
Section loaded	Path: C:\WINDOWS\system32\ntprint.dll Access: query and write and read and execute Type: image Baseaddress: 5F180000 Size: 98304 Protection: read write Mapped to pid: own pid	success or wait	526158091
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled	success or wait	526160563
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	526164742
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526168512
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526169104
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526169455
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526169797
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526171885
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526174124
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526174549
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526174866
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	526175305
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	526176976
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526178585
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526179204
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526179584
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526180184
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	526180626
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526182289
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526183043
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526183883
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526184413
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526184824
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526185313
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	526185796
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526187633
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526188142
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526188677
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526189649
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526190097
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526190617
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526191020
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526191421
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526191788
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526192392
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526192732
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526193255
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526193603
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526193988
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526194332
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526194870
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526195218
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526195573
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526195916
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526196273
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526196616
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526197001
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	526197412
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526199049
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526199588
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526199965
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526200359
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526200732
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526201273
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526201648
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526202022
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526202394
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526202922
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526203349
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526203990
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read and write New Protection: page execute read	success or wait	526204338
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute read New Protection: page read and write	success or wait	526204959
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526205285
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526205729
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526206050
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526206473
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526206794
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526207122
Section loaded	Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526207505
File opened	Path: C:\WINDOWS\system32\SETUPAPI.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526208254
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	526209314
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526211346
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526211852
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526212202
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526212546
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526212894
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526213522
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526213876
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526214230
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526214575
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526214937
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526215324
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526215665
Section loaded	Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526216056
File opened	Path: C:\WINDOWS\system32\WINSPOOL.DRV Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526216793
Section loaded	Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	526217934
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526221349
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526221736
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526222568
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526222908
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526223257
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526223689
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526224036
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526224384
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526224727
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526225065
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526225457
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526225802
Section loaded	Path: \KnownDlls\mscms.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526226192
File opened	Path: C:\WINDOWS\system32\mscms.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526226927
Section loaded	Path: C:\WINDOWS\system32\mscms.dll Access: query and write and read and execute Type: image Baseaddress: 73B30000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	526227968
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526233054
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526233470
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526233817
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526234255
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526234600
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526234991
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526235333
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526235668
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526236009
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526236397
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526236805
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526237117
Section loaded	Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526237498
File opened	Path: C:\WINDOWS\system32\CRYPT32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526238230
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	526239275
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526242693
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526243280
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526243635
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526244077
Section loaded	Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526244491
File opened	Path: C:\WINDOWS\system32\MSASN1.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526245247
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	526246355
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526249857
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526250313
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526250690
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526251063
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526251434
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526251801
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526252151
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526252667
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526253012
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526253360
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526253744
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526254090
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	526254576
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526256249
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526256802
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526257151
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526257517
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526257806
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526258941
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526260166
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526261298
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526262434
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526263562
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	526264761
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526266252
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526266676
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526266992
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526267339
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526267652
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526268049
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526268363
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526268670
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526268981
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526269422
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526269752
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526270935
Section loaded	Path: \KnownDlls\oleaut32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	526272137
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526273537
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526274035
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526274453
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526275360
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526275724
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526276184
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526276502
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526276836
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	526277216
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526280642
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526281125
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526281472
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526281840
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526282227
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526282732
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526283078
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526283425
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526283767
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526284124
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526284466
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526284918
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526285264
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526285705
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526286020
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526286479
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526286796
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526287107
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526287401
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526288672
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read and write New Protection: page execute and read and write	success or wait	526289906
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute and read and write New Protection: page read and write	success or wait	526291134
Process information queried	PID: 2724 Info Class: ImageInformation	success or wait	526292701
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	526293544
System info queried	Type: BasicInformation	success or wait	526301815
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode	object name not found	526303058
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526317394
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 5F0000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	526319025
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526321163
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 5F0000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	526322175
File opened	Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526323857
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	526324871
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526326741
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526327204
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526327555
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526327951
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526328300
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526328708
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526329054
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526329424
System info queried	Type: BasicInformation	success or wait	526330121
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles	object name not found	526332132
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs	success or wait	526333596
System info queried	Type: BasicInformation	success or wait	526339870
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A20000 Length: 12F91C Allocation Type: unknown Protection: page read and write	success or wait	526340193
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A20000 Length: 12F920 Allocation Type: unknown Protection: page read and write	success or wait	526340473
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A21000 Length: 12F5FC Allocation Type: unknown Protection: page read and write	success or wait	526342247
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: A30000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	526343803
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A23000 Length: 12F6B8 Allocation Type: unknown Protection: page read and write	success or wait	526345846
Process information queried	PID: 2724 Info Class: Cookie	success or wait	526346952
Process information queried	PID: 2724 Info Class: Cookie	success or wait	526347863
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat	success or wait	526348738
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSUserEnabled	success or wait	526349501
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack	object name not found	526352540
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	526353731
File opened	Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526354605
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: A40000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	526355698
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526356582
File opened	Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526359420
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202 Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526400476
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526404873
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: A40000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	526407431
File opened	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526410249
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	526412454
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526415834
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526416269
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526416651
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526417019
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526417396
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526417823
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526418249
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526418806
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526419226
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526419690
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526420072
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526420441
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526420816
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526421297
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526423442
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: A40000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	526424627
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: null	success or wait	526427206
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A40000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	526428416
File opened	Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526430414
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: A40000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	526431542
File opened	Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526432708
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	526467883
Key value queried	Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips	object name not found	526469703
File opened	Path: C:\Hermes_.exe Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526474982
Section loaded	Path: C:\Hermes_.exe Access: read Type: commit Baseaddress: A60000 Size: 409600 Protection: readonly Mapped to pid: own pid	success or wait	526475974
File opened	Path: C:\Hermes_.exe.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526477295
Process information queried	PID: 2724 Info Class: Wow64Information	success or wait	526480337
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress	success or wait	526480775
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP Name: seed	success or wait	526481780
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	526482699
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath	success or wait	526483230
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	526484091
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition	success or wait	526484622
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	526485820
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath	success or wait	526486353
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	526487242
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath	success or wait	526487819
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	526490444
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath	success or wait	526490996
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	526491961
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath	success or wait	526492489
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: DevicePath	success or wait	526493490
Mutant created	Name: unknown	success or wait	526494286
Mutant created	Name: unknown	success or wait	526494573
Mutant created	Name: unknown	success or wait	526494874
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	526495382
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel	success or wait	526495922
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogPath	object name not found	526496490
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName	success or wait	526499254
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Hostname	success or wait	526500211
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Domain	success or wait	526501139
System info queried	Type: BasicInformation	success or wait	526502443
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A40000 Length: 12F968 Allocation Type: unknown Protection: page read and write	success or wait	526502761
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A40000 Length: 12F96C Allocation Type: unknown Protection: page read and write	success or wait	526503051
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A41000 Length: 12F648 Allocation Type: unknown Protection: page read and write	success or wait	526503942
System info queried	Type: BasicInformation	success or wait	526511130
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A60000 Length: 12F974 Allocation Type: unknown Protection: page read and write	success or wait	526511459
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A60000 Length: 12F978 Allocation Type: unknown Protection: page read and write	success or wait	526511751
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A61000 Length: 12F654 Allocation Type: unknown Protection: page read and write	success or wait	526512107
Process information queried	PID: 2724 Info Class: Wow64Information	success or wait	526515310
System info queried	Type: BasicInformation	success or wait	526515736
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A70000 Length: 12F904 Allocation Type: unknown Protection: page read and write	success or wait	526516054
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A70000 Length: 12F908 Allocation Type: unknown Protection: page read and write	success or wait	526516343
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A71000 Length: 12F5E4 Allocation Type: unknown Protection: page read and write	success or wait	526516731
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A73000 Length: 12F698 Allocation Type: unknown Protection: page read and write	success or wait	526517323
File opened	Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526518781
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: A80000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	526519841
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526520723
File opened	Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize Options: synchronous io non alert and non directory file Overwritten: false	object name not found	526521848
Process information queried	PID: 2724 Info Class: SessionInformation	success or wait	526528175
Key value queried	Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll	object name not found	526529591
File opened	Path: \Device\KsecDD Access: read data or list directory and synchronize Options: synchronous io alert Overwritten: false	success or wait	526531164
System info queried	Type: BasicInformation	success or wait	526537512
System info queried	Type: ProcessorInformation	success or wait	526537804
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout	success or wait	526538333
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut	object name not found	526539221
System info queried	Type: BasicInformation	success or wait	526539949
System info queried	Type: ProcessorInformation	success or wait	526540250
System info queried	Type: BasicInformation	success or wait	526540518
System info queried	Type: ProcessorInformation	success or wait	526540857
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll	object name not found	526541451
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32	object name not found	526541774
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib	object name not found	526542083
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll	object name not found	526542801
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32	object name not found	526543157
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FF80 Allocation Type: unknown Protection: page execute and read and write	success or wait	526562091
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write	success or wait	526569134
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write	success or wait	526569643
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write	success or wait	526589189
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write	success or wait	526589676
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write	success or wait	526590338
Section loaded	Path: \KnownDlls\wsock32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526592313
File opened	Path: C:\WINDOWS\system32\wsock32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526593036
Section loaded	Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	526594056
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AD1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526595957
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AD1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526596385
Section loaded	Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526596766
File opened	Path: C:\WINDOWS\system32\WS2_32.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526597486
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	526598503
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526600465
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526600921
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526601266
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526601677
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526602014
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526602349
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read and write New Protection: page execute read	success or wait	526602683
Memory attributes changed	PID: 2724 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute read New Protection: page read and write	success or wait	526603091
Section loaded	Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown	object name not found	526603497
File opened	Path: C:\WINDOWS\system32\WS2HELP.dll Access: execute or traverse and synchronize Options: synchronous io non alert and non directory file Overwritten: false	success or wait	526604243
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	526605399
System info queried	Type: BasicInformation	success or wait	526610365
System info queried	Type: ProcessorInformation	success or wait	526610673
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B30000 Length: 12FE08 Allocation Type: unknown Protection: page no access	success or wait	526613248
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B30000 Length: 12FDF8 Allocation Type: unknown Protection: page read and write	success or wait	526614075
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: WinSock_Registry_Version	success or wait	526615560
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: WinSock_Registry_Version	success or wait	526616143
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Name: Serial_Access_Num	success or wait	526616865
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Name: Serial_Access_Num	success or wait	526617472
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Name: Next_Catalog_Entry_ID	success or wait	526618272
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9 Name: Num_Catalog_Entries	success or wait	526619263
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: PackedCatalogItem	buffer overflow	526620127
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: PackedCatalogItem	buffer overflow	526620660
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: PackedCatalogItem	success or wait	526621184
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 Name: PackedCatalogItem	buffer overflow	526623048
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 Name: PackedCatalogItem	buffer overflow	526623577
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 Name: PackedCatalogItem	success or wait	526624097
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 Name: PackedCatalogItem	buffer overflow	526625956
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 Name: PackedCatalogItem	buffer overflow	526626481
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 Name: PackedCatalogItem	success or wait	526627042
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 Name: PackedCatalogItem	buffer overflow	526628904
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 Name: PackedCatalogItem	buffer overflow	526629429
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 Name: PackedCatalogItem	success or wait	526629951
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 Name: PackedCatalogItem	buffer overflow	526631802
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 Name: PackedCatalogItem	buffer overflow	526632328
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 Name: PackedCatalogItem	success or wait	526632968
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 Name: PackedCatalogItem	buffer overflow	526634833
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 Name: PackedCatalogItem	buffer overflow	526635359
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 Name: PackedCatalogItem	success or wait	526635878
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 Name: PackedCatalogItem	buffer overflow	526637773
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 Name: PackedCatalogItem	buffer overflow	526638299
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 Name: PackedCatalogItem	success or wait	526638817
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 Name: PackedCatalogItem	buffer overflow	526640633
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 Name: PackedCatalogItem	buffer overflow	526641161
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 Name: PackedCatalogItem	success or wait	526641855
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 Name: PackedCatalogItem	buffer overflow	526643680
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 Name: PackedCatalogItem	buffer overflow	526644206
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 Name: PackedCatalogItem	success or wait	526644723
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 Name: PackedCatalogItem	buffer overflow	526646586
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 Name: PackedCatalogItem	buffer overflow	526647199
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 Name: PackedCatalogItem	success or wait	526647724
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 Name: PackedCatalogItem	buffer overflow	526649627
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 Name: PackedCatalogItem	buffer overflow	526650199
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 Name: PackedCatalogItem	success or wait	526650718
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 Name: PackedCatalogItem	buffer overflow	526652577
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 Name: PackedCatalogItem	buffer overflow	526653100
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 Name: PackedCatalogItem	success or wait	526653700
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 Name: PackedCatalogItem	buffer overflow	526655559
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 Name: PackedCatalogItem	buffer overflow	526656083
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 Name: PackedCatalogItem	success or wait	526656599
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 Name: Serial_Access_Num	success or wait	526658707
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 Name: Serial_Access_Num	success or wait	526659289
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5 Name: Num_Catalog_Entries	success or wait	526659830
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: LibraryPath	success or wait	526660545
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: LibraryPath	success or wait	526661161
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: DisplayString	success or wait	526662213
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: DisplayString	success or wait	526662726
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: DisplayString	success or wait	526663245
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: DisplayString	success or wait	526663764
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: ProviderId	success or wait	526664324
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: AddressFamily	object name not found	526664885
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: SupportedNameSpace	success or wait	526665413
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: Enabled	success or wait	526665932
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: Version	success or wait	526666450
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 Name: StoresServiceClassInfo	success or wait	526666974
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: LibraryPath	success or wait	526667890
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: LibraryPath	success or wait	526668416
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: DisplayString	success or wait	526668931
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: DisplayString	success or wait	526672829
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: DisplayString	success or wait	526673417
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: DisplayString	success or wait	526673942
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: ProviderId	success or wait	526674464
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: AddressFamily	object name not found	526674986
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: SupportedNameSpace	success or wait	526675599
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: Enabled	success or wait	526676129
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: Version	success or wait	526676647
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 Name: StoresServiceClassInfo	success or wait	526677169
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: LibraryPath	success or wait	526678150
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: LibraryPath	success or wait	526678716
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: DisplayString	success or wait	526679236
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: DisplayString	success or wait	526679753
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: DisplayString	success or wait	526680270
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: DisplayString	success or wait	526680805
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: ProviderId	success or wait	526681324
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: AddressFamily	object name not found	526681846
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: SupportedNameSpace	success or wait	526682373
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: Enabled	success or wait	526682894
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: Version	success or wait	526683413
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 Name: StoresServiceClassInfo	success or wait	526683997
System info queried	Type: BasicInformation	success or wait	526685603
System info queried	Type: ProcessorInformation	success or wait	526685885
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Ws2_32NumHandleBuckets	object name not found	526686351
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B34000 Length: 12FE8C Allocation Type: unknown Protection: page read and write	success or wait	526688847
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A80000 Length: 12FEB4 Allocation Type: unknown Protection: page execute and read and write	success or wait	526742489
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: A90000 Length: 12FEB4 Allocation Type: unknown Protection: page execute and read and write	success or wait	526744364
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: AA0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526745355
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B3C000 Length: 12FE24 Allocation Type: unknown Protection: page read and write	success or wait	526745852
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: AB0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526746593
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: AC0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526747573
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: AD0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526748002
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: AE0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526748474
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B40000 Length: 12FE24 Allocation Type: unknown Protection: page read and write	success or wait	526748880
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: AF0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526749350
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B00000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526749790
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B10000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526750176
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C30000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526750559
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C40000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526751007
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C50000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526751376
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C60000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526751741
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C70000 Length: 12FF2C Allocation Type: unknown Protection: page execute and read and write	success or wait	526752100
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown Protection: page execute and read and write	success or wait	526752483
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526752889
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B44000 Length: 12FD68 Allocation Type: unknown Protection: page read and write	success or wait	526753222
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526756416
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526756980
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: B44000 Length: 12FD58 Allocation Type: unknown Protection: page read and write	success or wait	526757290
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526760492
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526760941
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1F0 Allocation Type: unknown Protection: page execute and read and write	success or wait	526761388
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526761763
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526762233
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526762579
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526762923
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526763307
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write	success or wait	526763654
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526765432
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526765777
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526766120
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526766460
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526766801
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write	success or wait	526767145
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526767616
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526767961
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526768303
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526768643
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526768983
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write	success or wait	526769327
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526769754
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526770098
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526770441
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526770783
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526771122
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write	success or wait	526771465
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown Protection: page execute and read and write	success or wait	526788737
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write	success or wait	526790012
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526790834
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526796724
Memory allocated	PID: 2724 Path: C:\Hermes_.exe Base: C80000 Length: 12F1BC Allocation Type: unknown Protection: page execute and read and write	success or wait	526797351
File opened	Path: Scsi0: Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true	success or wait	526966741
Process information queried	PID: 2724 Info Class: DeviceMap	success or wait	526985267
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526986049
File opened	Path: C:\ Access: execute or traverse and synchronize Options: directory file and synchronous io non alert Overwritten: false	success or wait	526989215
Key created	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key	success or wait	527002907
Key value replaced with new	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: NULL Type: unicode Data: Old data:	success or wait	527013956
Key value replaced with new	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: Type: unicode Data: regfile Old data:	success or wait	527019289
Foreground Window Got	HWND: 10084	success	527046333
Thread delayed	Time: 0 TID: 2728	success or wait	527046851
Foreground Window Got	HWND: 10084	success	527396979
Thread delayed	Time: 0 TID: 2728	success or wait	527397226
Foreground Window Got	HWND: 10084	success	527788288
Thread delayed	Time: 0 TID: 2728	success or wait	527788654
Foreground Window Got	HWND: 10084	success	528179811
Thread delayed	Time: 0 TID: 2728	success or wait	528180995
Foreground Window Got	HWND: 10084	success	528571362
Thread delayed	Time: 0 TID: 2728	success or wait	528571605
Foreground Window Got	HWND: 10084	success	529007576
Thread delayed	Time: 0 TID: 2728	success or wait	529007920
Foreground Window Got	HWND: 10084	success	529354765
Thread delayed	Time: 0 TID: 2728	success or wait	529355013
Foreground Window Got	HWND: 10084	success	529746247
Thread delayed	Time: 0 TID: 2728	success or wait	529746497
Foreground Window Got	HWND: 10084	success	530137674
Thread delayed	Time: 0 TID: 2728	success or wait	530138004
Foreground Window Got	HWND: 10084	success	530532445
Thread delayed	Time: 0 TID: 2728	success or wait	530532803
Foreground Window Got	HWND: 10084	success	530923990
Thread delayed	Time: 0 TID: 2728	success or wait	530924235
Foreground Window Got	HWND: 10084	success	531312235
Thread delayed	Time: 0 TID: 2728	success or wait	531312483
Foreground Window Got	HWND: 10084	success	531707459
Thread delayed	Time: 0 TID: 2728	success or wait	531707704
Foreground Window Got	HWND: 10084	success	532097925
Thread delayed	Time: 0 TID: 2728	success or wait	532098183
Foreground Window Got	HWND: 10084	success	532486753
Thread delayed	Time: 0 TID: 2728	success or wait	532487215
Foreground Window Got	HWND: 10084	success	532878288
Thread delayed	Time: 0 TID: 2728	success or wait	532884940
Foreground Window Got	HWND: 10084	success	533269909
Thread delayed	Time: 0 TID: 2728	success or wait	533270154
Foreground Window Got	HWND: 10084	success	533661323
Thread delayed	Time: 0 TID: 2728	success or wait	533661569
Foreground Window Got	HWND: 10084	success	534056086
Thread delayed	Time: 0 TID: 2728	success or wait	534056330
Foreground Window Got	HWND: 10084	success	534444395
Thread delayed	Time: 0 TID: 2728	success or wait	534444644
Foreground Window Got	HWND: 10084	success	534835827
Thread delayed	Time: 0 TID: 2728	success or wait	534836157
Foreground Window Got	HWND: 10084	success	535227395
Thread delayed	Time: 0 TID: 2728	success or wait	535227758
Foreground Window Got	HWND: 10084	success	535618853
Thread delayed	Time: 0 TID: 2728	success or wait	535619099
Foreground Window Got	HWND: 10084	success	536010554
Thread delayed	Time: 0 TID: 2728	success or wait	536010801
Foreground Window Got	HWND: 10084	success	536402015
Thread delayed	Time: 0 TID: 2728	success or wait	536402339
Foreground Window Got	HWND: 10084	success	536793544
Thread delayed	Time: 0 TID: 2728	success or wait	536793793
Foreground Window Got	HWND: 10084	success	537185012
Thread delayed	Time: 0 TID: 2728	success or wait	537185875
Foreground Window Got	HWND: 10084	success	537576436
Thread delayed	Time: 0 TID: 2728	success or wait	537576762
Foreground Window Got	HWND: 10084	success	537968632
Thread delayed	Time: 0 TID: 2728	success or wait	537968877
Foreground Window Got	HWND: 10084	success	538359471
Thread delayed	Time: 0 TID: 2728	success or wait	538359715
Foreground Window Got	HWND: 10084	success	538751051
Thread delayed	Time: 0 TID: 2728	success or wait	538751296
Foreground Window Got	HWND: 10084	success	539142535
Thread delayed	Time: 0 TID: 2728	success or wait	539142784
Foreground Window Got	HWND: 10084	success	539534118
Thread delayed	Time: 0 TID: 2728	success or wait	539534448
Foreground Window Got	HWND: 10084	success	539925324
Thread delayed	Time: 0 TID: 2728	success or wait	539925833
Foreground Window Got	HWND: 10084	success	540316748
Thread delayed	Time: 0 TID: 2728	success or wait	540317003
Foreground Window Got	HWND: 10084	success	540708199
Thread delayed	Time: 0 TID: 2728	success or wait	540708443
Foreground Window Got	HWND: 10084	success	541102506
Thread delayed	Time: 0 TID: 2728	success or wait	541102748
Foreground Window Got	HWND: 10084	success	541491433
Thread delayed	Time: 0 TID: 2728	success or wait	541491673
Foreground Window Got	HWND: 10084	success	541886073
Thread delayed	Time: 0 TID: 2728	success or wait	541886498
Foreground Window Got	HWND: 10084	success	542274424
Thread delayed	Time: 0 TID: 2728	success or wait	542274751
Foreground Window Got	HWND: 10084	success	542666082
Thread delayed	Time: 0 TID: 2728	success or wait	542666328
Foreground Window Got	HWND: 10084	success	543060488
Thread delayed	Time: 0 TID: 2728	success or wait	543060699
Foreground Window Got	HWND: 10084	success	543449293
Thread delayed	Time: 0 TID: 2728	success or wait	543449555
Foreground Window Got	HWND: 10084	success	543841871
Thread delayed	Time: 0 TID: 2728	success or wait	543842632
Foreground Window Got	HWND: 10084	success	544232134
Thread delayed	Time: 0 TID: 2728	success or wait	544233138
Foreground Window Got	HWND: 10084	success	544623700
Thread delayed	Time: 0 TID: 2728	success or wait	544624059
Foreground Window Got	HWND: 10084	success	545017976
Thread delayed	Time: 0 TID: 2728	success or wait	545020193
Foreground Window Got	HWND: 10084	success	545409525
Thread delayed	Time: 0 TID: 2728	success or wait	545409777
Foreground Window Got	HWND: 10084	success	545799049
Thread delayed	Time: 0 TID: 2728	success or wait	545799295
Foreground Window Got	HWND: 10084	success	546193227
Thread delayed	Time: 0 TID: 2728	success or wait	546193476

General Information

Classification / Threat Score

Matching Signatures

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

String Analysis

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis File: Hermes_.exe PID: 2724 Parent PID: 1760

File Activites

Section Activites

Registry Activites

Mutex Activites

Process Activites

Thread Activites

Memory Activites

System Activites

Windows UI Activites