Joebox - Abstract Analysis File 5021
General information
Joebox version: 4.2.5
Start time: 19:55:26
Start date: 05/09/2011
Overall analysis duration: 0h 3m 12s
Target binary file name: morto.exe
Target script file name: default.jbs
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Errors:
    Summary
    • Printf formatting strings found in memory and binary data
    • Creates temporary files
    • Performs DNS lookups
    • Creates files inside the system directory
    • Creates windows services
    • Infects executable files (uses memory mapped files)
    C:\WINDOWS\clb.dll
    Static File Information
    PE Information
    General
    Entrypoint: 0x401884 (.text)
    Imagebase: 0x400000
    Time stamp: 0x4E3A7B48 [Thu Aug 4 10:58:16 2011 UTC]
    Subsystem: windows gui
    TLS callbacks:
    Resources
    Name  RVA address  Size  Type
    Imports
    DLL           Import
    MFC42.DLL
    MSVCRT.dll    __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp, _XcptFilter, _exit, _onexit, __dllonexit, _except_handler3, exit, __CxxFrameHandler, malloc, free, _wcsnicmp, _setmbcp, _acmdln
    KERNEL32.dll  GetStartupInfoA, GetModuleHandleA
    Exports
    Sections
    Name    Virtual address  Virtual size  Raw size  Entropy
    .text   0x1000           0xe00         0xe00     5.9942507354
    .rdata  0x2000           0x600         0x600     4.44219224529
    .data   0x3000           0x46c         0x200     5.93920521047
    Version Infos
    Description  Data
    Possible Origin
    Language of compilation system  Country where language is spoken  Map
    String Analysis
    Formattings for printf style functions
    String value                                    Source
    %SystemRoot%\System32\mswsock.dll               morto.exe
    %s\%s\%s\%s\%s                                  morto.exe
    AVIVideo!@%ld                                   morto.exe
    %f7A{[                                          morto.exe
    |%SystemRoot%\system32\rsvpsp.dll               morto.exe
    setaudio volume to %d test                      morto.exe
    Pw%n[w                                          morto.exe
    %d%d%X%X                                        morto.exe
    %ls %ls                                         morto.exe
    play fullscreen reverse %s                      morto.exe
    bm]`\%N                                         morto.exe
    Assertion failed: %s, file %s, line %d          morto.exe
    put source at %d %d %d %d                       morto.exe
    %systemRoot%\system32\svchost.exe -k netsvcs    morto.exe
    set speed %d test                               morto.exe
    %u%123                                          morto.exe
    play from %ld                                   morto.exe
    wht%d.                                          morto.exe
    open "%s" alias %d wait                         morto.exe
    %s\%s\%s\%s\%s\%s                               morto.exe
    play fullscreen %s                              morto.exe
    %.2f_%s                                         morto.exe
    Pn1%s*                                          morto.exe
    setaudio volume to %d                           morto.exe
    save "%s"                                       morto.exe
    flt%d.qfsl.net                                  morto.exe
    %d %d %d %d                                     morto.exe
    %sm%d.plg                                       morto.exe
    %u%1234                                         morto.exe
    set time format %s                              morto.exe
    %s~MTMP%X.exe                                   morto.exe
    wht%d.qfsl.net                                  morto.exe
    put destination at %d %d %d %d                  morto.exe
    %smoto                                          morto.exe, ntshrui.dll.dr, clb.dll.dr
    open new type %s alias %d wait                  morto.exe
    %d,%d,%d,%d                                     morto.exe
    e!e%e)e-e1e5e9e=eAeEeIeMeQeUeYe]eaeee           morto.exe
    eplay %s                                        morto.exe
    %u%111111                                       morto.exe
    open "%s" alias %d wait shareable               morto.exe
    set speed %d                                    morto.exe
    esetvideo palette handle to %d                  morto.exe
    dostest%d.qfsl.net                              morto.exe
    DragDrop%lx                                     morto.exe
    seek to %ld                                     morto.exe
    play reverse %s                                 morto.exe
    status position track %d                        morto.exe
    window handle %u                                morto.exe
    %SystemRoot%\system32\rsvpsp.dll                morto.exe
    %d-%02d-%02d %02d%02d                           morto.exe
    %u%123456                                       morto.exe
    %SystemRoot%\System32\winrnr.dll                morto.exe
    step by %ld                                     morto.exe
    play to %ld                                     morto.exe
    open "%s" alias %d wait type AVIVideo           morto.exe
    %dx%dx%d(%s%u)                                  morto.exe
    %SystemRoot%\system32\mswsock.dll               morto.exe
    Analysis Overview
    Startup
    • system is xp
    • morto.exe (PID: 1928 MD5: 2EEF4D8B88161BAF2525ABFB6C1BAC2B)
    • regedit.exe (PID: 520 MD5: 058710B720282CA82B909912D3EF28DB)
    • cleanup
    Dropped Files
    File Path                    MD5
    C:\WINDOWS\Temp\ntshrui.dll  78B8273C59FEFB519ED78C9F1A7A6727
    C:\WINDOWS\clb.dll           C28727798DF17158CC991F58E19037A7
    Global Network Data
    All TCP
    Timestamp                            Source Port  Dest Port  Source IP      Dest IP
    Sep 5, 2011 19:56:29.788566000 CEST  1123         80         192.168.0.10   74.125.71.104
    Sep 5, 2011 19:56:29.788588000 CEST  80           1123       74.125.71.104  192.168.0.10
    Sep 5, 2011 19:56:29.794486000 CEST  1123         80         192.168.0.10   74.125.71.104
    Sep 5, 2011 19:56:29.794506000 CEST  1123         80         192.168.0.10   74.125.71.104
    Sep 5, 2011 19:56:29.794799000 CEST  80           1123       74.125.71.104  192.168.0.10
    Sep 5, 2011 19:56:29.797494000 CEST  1123         80         192.168.0.10   74.125.71.104
    All UDP
    Timestamp  Source Port  Dest Port  Source IP  Dest IP
    DNS
    Timestamp  Source IP  Dest IP  Type  Data
    Sep 5, 2011 19:58:17.555762000 CEST192.168.0.10195.186.1.121queryflt1.qfsl.net: type TXT, class IN
    Sep 5, 2011 19:58:17.560917000 CEST192.168.0.10198.153.194.1querydostest1.qfsl.net: type TXT, class IN
    Sep 5, 2011 19:58:17.563872000 CEST192.168.0.10195.186.1.121querydostest1.qfsl.net: type TXT, class IN
    Sep 5, 2011 19:58:17.566641000 CEST192.168.0.10202.181.202.140queryst.qfsl.net: type TXT, class IN
    Sep 5, 2011 19:58:17.573604000 CEST192.168.0.10195.186.1.121queryst.qfsl.net: type TXT, class IN
    Hooks
    Analysis File: morto.exe PID: 1928 Parent PID: 1352
    Sections
    General
    Start time: 10:44:25
    Start date: 05/09/2011
    Path: C:\morto.exe
    Commandline: not known
    Imagebase: 0x400000
    File size: 49969 bytes
    MD5 hash: 2EEF4D8B88161BAF2525ABFB6C1BAC2B
    File Activities:
    File opened
    File Path | Access | Options | Content overwritten | Completion | Count | Source Address
    C:\morto.exe | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 1 | 401585
    UNC\tsclient\a\ID1274D32CSOPNUKGJ | read attributes and synchronize and generic write | synchronous io non alert and non directory file | false | 12FE4C | 1 | 9F741A
    C:\WINDOWS\system32\wmi.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 1 | 9F4EF2
    C:\WINDOWS\clb.dll | read attributes and synchronize and generic read and generic write | synchronous io non alert and non directory file | false | success or wait | 1 | 9F4F0B
    File created
    File Path | Access | Attributes | Options | Completion | Count | Source Address
    C:\WINDOWS\Offline Web Pages\ | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident | 7FFDDBF8 | 1 | 9FD933
    C:\WINDOWS\Offline Web Pages\2011-09-05 1744 | read attributes and synchronize and generic write | none | write through and synchronous io non alert and non directory file | success or wait | 1 | 9F24B3
    C:\WINDOWS\clb.dll | read attributes and synchronize and generic write | none | write through and synchronous io non alert and non directory file | success or wait | 1 | 9F5F31
    File written
    File PathOffsetLengthValueCompletionCountSource Address
    C:\WINDOWS\clb.dllnone66724D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 2F E4 EA DD 6B 85 84 8E 6B 85 84 8E 6B 85 84 8E 10 99 88 8E 69 85 84 8E 5D A3 8E 8E 6D 85 84 8E E8 8D D9 8E 69 85 84 8E E8 99 8A 8E 68 85 84 8E 04 9A 8E 8E 6F 85 84 8E 04 9A 80 8E 69 85 84 8E 6B 85 85 8E 48 85 84 8E 5D A3 80 8E 68 85 84 8E 5D A3 8F 8E 6F 85 84 8E 94 A5 80 8E 6A 85 84 8E 52 69 63 68 6B 85 84 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 success or wait19F5F4A
    File read
    File PathOffsetLengthValueCompletionCountSource Address
    C:\morto.exenone499694D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 03 00 48 7B 3A 4E 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 0E 00 00 00 0C 00 00 00 00 00 00 84 18 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 23 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait14015BC
    Other file operations
    File Path | Disposition | Data | Ascii Data | Completion | Count | Source Address
    C:\WINDOWS\clb.dll | BasicInformation | Creation Time: 13:00 28-02-2006 Last Access Time: 09:09 17-08-2011 Last Write Time: 15:41 14-04-2008 Change Time: 01:00 01-01-1601 File Attributes: none | | success or wait | 1 | 9F4F41
    Section Activities:
    Section loaded by Windows
    File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count
    \KnownDlls\kernel32.dll | write and read and execute | image | 7C800000 | 1007616 | own pid | read write | success or wait | 1
    \NLS\NlsSectionUnicode | read | image | 260000 | 90112 | own pid | readonly | success or wait | 1
    \NLS\NlsSectionLocale | read | image | 280000 | 266240 | own pid | readonly | success or wait | 1
    \NLS\NlsSectionSortkey | query and read | image | 2D0000 | 266240 | own pid | readonly | success or wait | 1
    \NLS\NlsSectionSortTbls | read | image | 320000 | 24576 | own pid | readonly | success or wait | 1
    C:\WINDOWS\system32\mfc42.dll | query and write and read and execute | image | 73DD0000 | 987136 | own pid | read write | success or wait | 1
    \KnownDlls\msvcrt.dll | write and read and execute | image | 77C10000 | 360448 | own pid | read write | success or wait | 1
    \KnownDlls\GDI32.dll | write and read and execute | image | 77F10000 | 299008 | own pid | read write | success or wait | 1
    \KnownDlls\USER32.dll | write and read and execute | image | 7E410000 | 593920 | own pid | read write | success or wait | 1
    \NLS\NlsSectionCType | read | image | 340000 | 12288 | own pid | readonly | success or wait | 1
    C:\WINDOWS\system32\imm32.dll | write and read and execute | commit | 350000 | 110592 | own pid | execute | success or wait | 2
    C:\WINDOWS\system32\imm32.dll | query and write and read and execute | image | 76390000 | 118784 | own pid | read write | success or wait | 1
    \KnownDlls\ADVAPI32.dll | write and read and execute | image | 77DD0000 | 634880 | own pid | read write | success or wait | 1
    \KnownDlls\RPCRT4.dll | write and read and execute | image | 77E70000 | 602112 | own pid | read write | success or wait | 1
    \KnownDlls\Secur32.dll | write and read and execute | image | 77FE0000 | 69632 | own pid | read write | success or wait | 1
    Section loaded by program
    File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count | Source Address
    C:\WINDOWS\system32\msctf.dll | write and read and execute | commit | 8F0000 | 299008 | own pid | execute | success or wait | 1 | 401567
    C:\WINDOWS\system32\msctf.dll | query and write and read and execute | image | 74720000 | 311296 | own pid | read write | success or wait | 1 | 401567
    \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 | query and write and read | commit | 3F0000 | 4096 | own pid | read write | success or wait | 1 | 401567
    C:\WINDOWS\system32\ws2_32.dll | query and write and read and execute | image | 71AB0000 | 94208 | own pid | read write | success or wait | 1 | 4011E8
    C:\WINDOWS\system32\ws2help.dll | query and write and read and execute | image | 71AA0000 | 32768 | own pid | read write | success or wait | 1 | 4011E8
    \KnownDlls\WININET.dll | write and read and execute | image | 3D930000 | 942080 | own pid | read write | success or wait | 1 | 9F2829
    \KnownDlls\SHLWAPI.dll | write and read and execute | image | 77F60000 | 483328 | own pid | read write | success or wait | 1 | 9F2829
    \KnownDlls\Normaliz.dll | write and read and execute | image | A50000 | 36864 | own pid | read write | image not at base | 1 | 9F2829
    \KnownDlls\Normaliz.dll | write and read and execute | image | A50000 | 36864 | own pid | read write | conflicting addresses | 1 | 9F2829
    \KnownDlls\urlmon.dll | write and read and execute | image | 78130000 | 1257472 | own pid | read write | success or wait | 1 | 9F2829
    \KnownDlls\ole32.dll | write and read and execute | image | 774E0000 | 1302528 | own pid | read write | success or wait | 1 | 9F2829
    \KnownDlls\OLEAUT32.dll | write and read and execute | image | 77120000 | 569344 | own pid | read write | success or wait | 1 | 9F2829
    \KnownDlls\iertutil.dll | write and read and execute | image | 3DFD0000 | 2002944 | own pid | read write | success or wait | 1 | 9F2829
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll | write and read and execute | commit | A70000 | 1056768 | own pid | execute | success or wait | 1 | 9F2829
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll | query and write and read and execute | image | 773D0000 | 1060864 | own pid | read write | success or wait | 1 | 9F2829
    C:\WINDOWS\WindowsShell.Manifest | write and read and execute | commit | A70000 | 4096 | own pid | execute | success or wait | 1 | 9F2829
    C:\WINDOWS\WindowsShell.Manifest | query and read | commit | A70000 | 4096 | own pid | readonly | success or wait | 2 | 9F2829
    \KnownDlls\SHELL32.dll | write and read and execute | image | 7C9C0000 | 8482816 | own pid | read write | success or wait | 1 | 9F2837
    C:\WINDOWS\system32\shell32.dll | read | commit | C90000 | 8462336 | own pid | readonly | success or wait | 1 | 9F2837
    \KnownDlls\comctl32.dll | write and read and execute | image | 5D090000 | 630784 | own pid | read write | success or wait | 1 | 9F2837
    C:\WINDOWS\system32\comctl32.dll | read | commit | CA0000 | 618496 | own pid | readonly | success or wait | 1 | 9F2837
    C:\WINDOWS\system32\avicap32.dll | query and write and read and execute | image | 73B80000 | 73728 | own pid | read write | success or wait | 1 | 9F2845
    C:\WINDOWS\system32\winmm.dll | query and write and read and execute | image | 76B40000 | 184320 | own pid | read write | success or wait | 1 | 9F2845
    \KnownDlls\VERSION.dll | write and read and execute | image | 77C00000 | 32768 | own pid | read write | success or wait | 1 | 9F2845
    C:\WINDOWS\system32\msvfw32.dll | query and write and read and execute | image | 75A70000 | 135168 | own pid | read write | success or wait | 1 | 9F2845
    C:\WINDOWS\system32\wtsapi32.dll | query and write and read and execute | image | 76F50000 | 32768 | own pid | read write | success or wait | 1 | 9F286F
    C:\WINDOWS\system32\winsta.dll | query and write and read and execute | image | 76360000 | 65536 | own pid | read write | success or wait | 1 | 9F286F
    C:\WINDOWS\system32\netapi32.dll | query and write and read and execute | image | 5B860000 | 348160 | own pid | read write | success or wait | 1 | 9F286F
    C:\WINDOWS\system32\dnsapi.dll | query and write and read and execute | image | 76F20000 | 159744 | own pid | read write | success or wait | 1 | 9F287D
    C:\WINDOWS\system32\crypt32.dll | query and write and read and execute | image | 77A80000 | 610304 | own pid | read write | success or wait | 1 | 9F288B
    C:\WINDOWS\system32\msasn1.dll | query and write and read and execute | image | 77B20000 | 73728 | own pid | read write | success or wait | 1 | 9F288B
    \BaseNamedObjects\Global\_MOTO_SHARE_ | query and write and read | commit | CA0000 | 4096 | own pid | read write | success or wait | 1 | 9FE035
    C:\WINDOWS\system32\mswsock.dll | write and read and execute | commit | CB0000 | 245760 | own pid | execute | success or wait | 1 | 9F241A
    C:\WINDOWS\system32\mswsock.dll | query and write and read and execute | image | 71A50000 | 258048 | own pid | read write | success or wait | 1 | 9F241A
    C:\WINDOWS\system32\winrnr.dll | write and read and execute | commit | CB0000 | 20480 | own pid | execute | success or wait | 1 | 9F241A
    C:\WINDOWS\system32\winrnr.dll | query and write and read and execute | image | 76FB0000 | 32768 | own pid | read write | success or wait | 1 | 9F241A
    \KnownDlls\WLDAP32.dll | write and read and execute | image | 76F60000 | 180224 | own pid | read write | success or wait | 1 | 9F241A
    C:\WINDOWS\system32\rasadhlp.dll | query and write and read and execute | image | 76FC0000 | 24576 | own pid | read write | success or wait | 1 | 9F709D
    Registry Activities:
    Key value set
    Key Path | Name | Type | Data | Completion | Count | Source Address
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | it | Binary | DB 07 09 00 01 00 05 00 11 00 2C 00 1A 00 2C 00 | success or wait | 1 | 9F21FD
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | id | String | 1274D32CSOPNUKGJ | success or wait | 1 | 9F21FD
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | ie | String | C:\morto.exe | success or wait | 1 | 9F21FD
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | md | Other | [binary value omitted] | success or wait | 1 | 9F21FD
    Key value queried
    Key Path | Name | Completion | Count | Source Address
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 | sr | object name not found | 1 | 9F225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 | sn | object name not found | 1 | 9F225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 | id | object name not found | 1 | 9F225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 | ~MHz | success or wait | 1 | 9F225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | md | object name not found | 1 | 9F225A
    Thread Activities:
    Thread delayed
    TID | Delay | Completion | Count | Source Address
    51881s | success or wait | 2 | 9F4CCE
    Memory Activities:
    Memory allocated
    PID | Filepath | Base | Length | Protection | Completion | Count | Source Address
    1928 | C:\morto.exe | 9F0000 | 12FE6C | page execute and read and write | success or wait | 1 | 401161
    System Activities:
    System information queried
    System info class | Completion | Count | Source Address
    BasicInformation | success or wait | 1 | 9F2673
    PerformanceInformation | success or wait | 1 | 9F26A8
    User Activities:
    Window found
    Window name | Class name | HWND of window | Completion | Count | Source Address
    no string | Shell_TrayWnd | 3004E | success | 1 | 9F652E
    Window enumerated
    Desktop HWND | Parent HWND | Enum Childrens | TID | Window Handles | Count | Source Address
    0 | 0 | false | 0 | [window handle dump omitted] | not known | 1 | 9F656A
    Message sent to window
    HWND | Message | LParam | WParam | Completion | Count | Source Address
    3004E | COMMAND | 4010 | success | 1 | 9F6550
    90110 | SETTEXT | 0 | 10566693 | success | 1 | 9F6615
    90110 | GETTEXT | 512 | 1244156 | success | 1 | 9F662A
    B0120 | COMMAND | 10 | success | 1 | 9F6669
    Message sent to thread
    TID | Message | LParam | WParam | Completion | Count | Source Address
    5A4 | NULL | 0 | 0 | not known | 1 | 40155D
    Chronological sections
    Operation | Data | Completion | Time
    Section loaded | Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid | success or wait | 1488079201
    Section loaded | Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid | success or wait | 1488136338
    Section loaded | Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 1488144035
    Section loaded | Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 1488146452
    Section loaded | Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid | success or wait | 1488147840
    Section loaded | Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid | success or wait | 1488178075
    Section loaded | Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid | success or wait | 1488190578
    Section loaded | Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid | success or wait | 1488208406
    Section loaded | Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid | success or wait | 1488215650
    Section loaded | Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 340000 Size: 12288 Protection: readonly Mapped to pid: own pid | success or wait | 1488266944
    Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid | success or wait | 1488284227
    Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 350000 Size: 110592 Protection: execute Mapped to pid: own pid | success or wait | 1488290161
    Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid | success or wait | 1488294757
    Section loaded | Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid | success or wait | 1488296760
    Section loaded | Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid | success or wait | 1488303805
    Section loaded | Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid | success or wait | 1488317648
    Message posted | TID: 5A4 Message: NULL WParam: 0 LParam: 0 | not known | 1488440627
    Section loaded | Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 8F0000 Size: 299008 Protection: execute Mapped to pid: own pid | success or wait | 1488447067
    Section loaded | Path: C:\WINDOWS\system32\msctf.dll Access: query and write and read and execute Type: image Baseaddress: 74720000 Size: 311296 Protection: read write Mapped to pid: own pid | success or wait | 1488453684
    Section loaded | Path: \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 Access: query and write and read Type: commit Baseaddress: 3F0000 Size: 4096 Protection: read write Mapped to pid: own pid | success or wait | 1488469768
    File opened | Path: C:\morto.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1488489200
    File read | Path: C:\morto.exe Offset: none Length: 49969 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 50 45 00 00 4C 01 03 00 48 7B 3A 4E 00 00 00 00 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 0E 00 00 00 0C 00 00 00 00 00 00 84 18 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 23 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | success or wait | 1488492615
    Memory allocated | PID: 1928 Path: C:\morto.exe Base: 9F0000 Length: 12FE6C Allocation Type: null Protection: page execute and read and write | success or wait | 1488580438
    Section loaded | Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid | success or wait | 1488606039
    Section loaded | Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1488619842
    Section loaded | Path: \KnownDlls\WININET.dll Access: write and read and execute Type: image Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid | success or wait | 1488634737
    Section loaded | Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid | success or wait | 1488641675
    Section loaded | Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: A50000 Size: 36864 Protection: read write Mapped to pid: own pid | image not at base | 1488668745
    Section loaded | Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: A50000 Size: 36864 Protection: read write Mapped to pid: own pid | conflicting addresses | 1488674597
    Section loaded | Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: image Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid | success or wait | 1488684659
    Section loaded | Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid | success or wait | 1488691490
    Section loaded | Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid | success or wait | 1488714493
    Section loaded | Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: image Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid | success or wait | 1488738000
    Section loaded | Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: A70000 Size: 1056768 Protection: execute Mapped to pid: own pid | success or wait | 1488920068
    Section loaded | Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid | success or wait | 1488932219
    Section loaded | Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: A70000 Size: 4096 Protection: execute Mapped to pid: own pid | success or wait | 1488954026
    Section loaded | Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A70000 Size: 4096 Protection: readonly Mapped to pid: own pid | success or wait | 1488958473
    Section loaded | Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: A70000 Size: 4096 Protection: readonly Mapped to pid: own pid | success or wait | 1488962567
    Section loaded | Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid | success or wait | 1489227208
    Section loaded | Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: C90000 Size: 8462336 Protection: readonly Mapped to pid: own pid | success or wait | 1489258400
    Section loaded | Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: image Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid | success or wait | 1489451966
    Section loaded | Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: CA0000 Size: 618496 Protection: readonly Mapped to pid: own pid | success or wait | 1489566182
    Section loaded | Path: C:\WINDOWS\system32\avicap32.dll Access: query and write and read and execute Type: image Baseaddress: 73B80000 Size: 73728 Protection: read write Mapped to pid: own pid | success or wait | 1489663570
    Section loaded | Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid | success or wait | 1489698361
    Section loaded | Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1489724133
    Section loaded | Path: C:\WINDOWS\system32\msvfw32.dll Access: query and write and read and execute Type: image Baseaddress: 75A70000 Size: 135168 Protection: read write Mapped to pid: own pid | success or wait | 1489751648
    Section loaded | Path: C:\WINDOWS\system32\wtsapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1489921588
    Section loaded | Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid | success or wait | 1489942581
    Section loaded | Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid | success or wait | 1489956734
    Section loaded | Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid | success or wait | 1490009348
    Section loaded | Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid | success or wait | 1490106725
    Section loaded | Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid | success or wait | 1490119555
    Section loaded | Path: \BaseNamedObjects\Global\_MOTO_SHARE_ Access: query and write and read Type: commit Baseaddress: CA0000 Size: 4096 Protection: read write Mapped to pid: own pid | success or wait | 1490206419
    File created | Path: C:\WINDOWS\Offline Web Pages\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false | 7FFDDBF8 | 1490212224
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: sr | object name not found | 1490215055
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: sn | object name not found | 1490215380
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: id | object name not found | 1490215902
    System info queried | Type: BasicInformation | success or wait | 1490216168
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 Name: ~MHz | success or wait | 1490217776
    System info queried | Type: PerformanceInformation | success or wait | 1490218371
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: it Type: Binary Data: DB 07 09 00 01 00 05 00 11 00 2C 00 1A 00 2C 00 | success or wait | 1490219455
    Section loaded | Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: CB0000 Size: 245760 Protection: execute Mapped to pid: own pid | success or wait | 1490575831
    Section loaded | Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid | success or wait | 1490578234
    Section loaded | Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: CB0000 Size: 20480 Protection: execute Mapped to pid: own pid | success or wait | 1490621219
    Section loaded | Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1490624699
    Section loaded | Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid | success or wait | 1490631253
    File created | Path: C:\WINDOWS\Offline Web Pages\2011-09-05 1744 Access: read attributes and synchronize and generic write Options: write through and synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1490651102
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: id Type: String Data: 1274D32CSOPNUKGJ | success or wait | 1491498313
    Section loaded | Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid | success or wait | 1491594870
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: md | object name not found | 1491611427
    File opened | Path: UNC\tsclient\a\ID1274D32CSOPNUKGJ Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | 12FE4C | 1491612500
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: ie Type: String Data: C:\morto.exe | success or wait | 1515877883
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: md Type: Other Data: [binary blob elided] | success or wait | 1516131074
    File created | Path: C:\WINDOWS\clb.dll Access: read attributes and synchronize and generic write Options: write through and synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1516519074
    File write | Path: C:\WINDOWS\clb.dll Offset: none Length: 6672 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 2F E4 EA DD 6B 85 84 8E 6B 85 84 8E 6B 85 84 8E 10 99 88 8E 69 85 84 8E 5D A3 8E 8E 6D 85 84 8E E8 8D D9 8E 69 85 84 8E E8 99 8A 8E 68 85 84 8E 04 9A 8E 8E 6F 85 84 8E 04 9A 80 8E 69 85 84 8E 6B 85 85 8E 48 85 84 8E 5D A3 80 8E 68 85 84 8E 5D A3 8F 8E 6F 85 84 8E 94 A5 80 8E 6A 85 84 8E 52 69 63 68 6B 85 84 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 | success or wait | 1516565357
    File opened | Path: C:\WINDOWS\system32\wmi.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false | success or wait | 1516595858
    File opened | Path: C:\WINDOWS\clb.dll Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false | success or wait | 1516597767
    File other operation | Disposition: BasicInformation Data : Creation Time: 13:00 28-02-2006 Last Access Time: 09:09 17-08-2011 Last Write Time: 15:41 14-04-2008 Change Time: 01:00 01-01-1601 File Attributes: none Path: C:\WINDOWS\clb.dll | success or wait | 1516600010
    Windows found | Window Name: no string Class Name: Shell_TrayWnd HWND: 3004E | success | 1516605689
    Message sent | HWND: 3004E Message: COMMAND WParam: 401 LParam: 0 | success | 1516606877
    Windows enumerated | Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: [HWND list and memory dump elided] | not known | 1516946818
    Message sent | HWND: 90110 Message: SETTEXT WParam: 0 LParam: 10566693 | success | 1516958279
    Message sent | HWND: 90110 Message: GETTEXT WParam: 512 LParam: 1244156 | success | 1516982917
    Message sent | HWND: B0120 Message: COMMAND WParam: 1 LParam: 0 | success | 1516985323
    Thread delayed | Time: 1 TID: 5188 | success or wait | 1518787408
    Thread delayed | Time: 1 TID: 5188 | success or wait | 1522319657
    Analysis File: regedit.exe PID: 520 Parent PID: 1552
    Sections
    General
    Start time:10:44:33
    Start date:05/09/2011
    Path:C:\WINDOWS\regedit.exe
    Commandline:not known
    Imagebase:0x1000000
    File size:146432 bytes
    MD5 hash:058710B720282CA82B909912D3EF28DB
    File Activities:
    File opened
    File Path | Access | Options | Content overwritten | Completion | Count | Source Address
    C:\WINDOWS\winhlp32.exe | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 1 | 1000164A
    C:\WINDOWS\system32\wmi.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 1 | 854EF2
    C:\WINDOWS\Temp\ntshrui.dll | read attributes and synchronize and generic read and generic write | synchronous io non alert and non directory file | false | success or wait | 1 | 854F0B
    File created
    File Path | Access | Attributes | Options | Completion | Count | Source Address
    C:\WINDOWS\Offline Web Pages\ | read data or list directory and synchronize | normal | directory file and synchronous io non alert and open for backup ident | 7FFDEBF8 | 1 | 85D933
    C:\WINDOWS\Temp\ntshrui.dll | read attributes and synchronize and generic write | none | write through and synchronous io non alert and non directory file | success or wait | 1 | 855F31
    File deleted
    File Path | Completion | Count | Source Address
    C:\WINDOWS\Temp\ntshrui.dll | success or wait | 1 | 8525DF
    C:\WINDOWS\clb.dll | cannot delete | 1 | 8525DF
    File renamed
    Old File Path | New File Path | Completion | Count | Source Address
    C:\WINDOWS\clb.dll | C:\WINDOWS\clb.dllbak | success or wait | 1 | 8525EB
    File copied
    Old File Path | New File Path | Completion | Count | Source Address
    C:\WINDOWS\system32\wmi.dll | C:\WINDOWS\Temp\ntshrui.dll | success or wait | 1 | 855370
    C:\WINDOWS\system32\sens.dll | C:\WINDOWS\system32\Sens32.dll | success or wait | 1 | 856160
    File written
    File Path | Offset | Length | Value | Completion | Count | Source Address
    C:\WINDOWS\Temp\ntshrui.dll | none | 6672 | 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 2F E4 EA DD 6B 85 84 8E 6B 85 84 8E 6B 85 84 8E 10 99 88 8E 69 85 84 8E 5D A3 8E 8E 6D 85 84 8E E8 8D D9 8E 69 85 84 8E E8 99 8A 8E 68 85 84 8E 04 9A 8E 8E 6F 85 84 8E 04 9A 80 8E 69 85 84 8E 6B 85 85 8E 48 85 84 8E 5D A3 80 8E 68 85 84 8E 5D A3 8F 8E 6F 85 84 8E 94 A5 80 8E 6A 85 84 8E 52 69 63 68 6B 85 84 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 | success or wait | 1 | 855F4A
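The row above keeps only the first 255 bytes of the 6672-byte write, but that prefix already holds the complete IMAGE_DOS_HEADER, the DOS stub, the MSVC "Rich" block and the PE signature with its Machine field; only NumberOfSections is cut off after its first byte. The following is an added example (not part of the Joebox report) that parses exactly those bytes, copied from the row, decodes the Rich block so the build-tool fingerprint can be compared across droppers, and reports the truncation instead of reading past it:

```python
r"""Triage the PE prefix Joebox logged for the write to Temp\ntshrui.dll.
Added example; DUMP_HEX is the Value column of the File written row."""
import struct

# The 255 bytes the sandbox kept of the 6672-byte write (report data).
DUMP_HEX = (
    "4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 "
    "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD "
    "21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F "
    "74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A "
    "24 00 00 00 00 00 00 00 2F E4 EA DD 6B 85 84 8E 6B 85 84 8E 6B 85 84 8E "
    "10 99 88 8E 69 85 84 8E 5D A3 8E 8E 6D 85 84 8E E8 8D D9 8E 69 85 84 8E "
    "E8 99 8A 8E 68 85 84 8E 04 9A 8E 8E 6F 85 84 8E 04 9A 80 8E 69 85 84 8E "
    "6B 85 85 8E 48 85 84 8E 5D A3 80 8E 68 85 84 8E 5D A3 8F 8E 6F 85 84 8E "
    "94 A5 80 8E 6A 85 84 8E 52 69 63 68 6B 85 84 8E 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04"
)
DUMP = bytes.fromhex(DUMP_HEX)


def e_lfanew_of(buf):
    """Offset of IMAGE_NT_HEADERS, read from IMAGE_DOS_HEADER.e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    return struct.unpack_from("<I", buf, 0x3C)[0]


def parse_rich_header(buf, nt_offset):
    """Decode the MSVC 'Rich' block between the DOS stub and the PE signature.
    Every dword is XORed with a 32-bit key (which also serves as checksum).
    Returns (key, [(product_id, build, use_count), ...])."""
    rich_at = buf.rfind(b"Rich", 0x40, nt_offset)
    if rich_at < 0:
        return None, []
    key = struct.unpack_from("<I", buf, rich_at + 4)[0]
    dans = struct.unpack("<I", b"DanS")[0]
    pos = rich_at - 4
    # Walk back dword by dword until the XORed "DanS" start marker appears.
    while pos >= 0x40 and struct.unpack_from("<I", buf, pos)[0] ^ key != dans:
        pos -= 4
    if pos < 0x40:
        raise ValueError("Rich block without DanS marker")
    entries = []
    # Skip DanS and the three zero padding dwords that follow it.
    for off in range(pos + 16, rich_at, 8):
        comp_id, count = struct.unpack_from("<II", buf, off)
        comp_id ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count ^ key))
    return key, entries


def parse_nt_prefix(buf, nt_offset):
    """Read what survives of IMAGE_NT_HEADERS: (Machine, NumberOfSections).
    NumberOfSections is None when the logged prefix ends before it."""
    if buf[nt_offset:nt_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature missing at e_lfanew")
    machine = struct.unpack_from("<H", buf, nt_offset + 4)[0]
    nsections = None
    if len(buf) >= nt_offset + 8:
        nsections = struct.unpack_from("<H", buf, nt_offset + 6)[0]
    return machine, nsections


def triage(buf):
    nt = e_lfanew_of(buf)
    key, entries = parse_rich_header(buf, nt)
    machine, nsections = parse_nt_prefix(buf, nt)
    return {
        "e_lfanew": nt,
        "rich_key": key,
        "rich_entries": entries,
        "machine": machine,                 # 0x14C = IMAGE_FILE_MACHINE_I386
        "number_of_sections": nsections,
        # Signature (4) + IMAGE_FILE_HEADER (20) must fit for a full header.
        "truncated": len(buf) < nt + 24,
    }


if __name__ == "__main__":
    for k, v in triage(DUMP).items():
        print(f"{k}: {v if k != 'rich_key' else hex(v)}")
```

The product/build pairs are reported as numbers; turning them into compiler and linker versions needs a product-ID table that this page does not carry. The key (8E84856B) is also the checksum the linker computes over the DOS header and the entries; the example does not recompute it, so a forged Rich block would not be detected here.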
    File read
    File Path | Offset | Length | Value | Completion | Count | Source Address
    C:\WINDOWS\winhlp32.exe | none | 4 | 4D 5A 90 00 | success or wait | 1 | 10001699
    Section Activities:
    Section loaded by Windows
    File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count
    \KnownDlls\kernel32.dll | write and read and execute | image | 7C800000 | 1007616 | own pid | read write | success or wait | 1
    \NLS\NlsSectionUnicode | read | image | 1C0000 | 90112 | own pid | readonly | success or wait | 1
    \NLS\NlsSectionLocale | read | image | 1E0000 | 266240 | own pid | readonly | success or wait | 1
    \NLS\NlsSectionSortkey | query and read | image | 230000 | 266240 | own pid | readonly | success or wait | 1
    \NLS\NlsSectionSortTbls | read | image | 280000 | 24576 | own pid | readonly | success or wait | 1
    \KnownDlls\msvcrt.dll | write and read and execute | image | 77C10000 | 360448 | own pid | read write | success or wait | 1
    \KnownDlls\ADVAPI32.dll | write and read and execute | image | 77DD0000 | 634880 | own pid | read write | success or wait | 1
    \KnownDlls\RPCRT4.dll | write and read and execute | image | 77E70000 | 602112 | own pid | read write | success or wait | 1
    \KnownDlls\Secur32.dll | write and read and execute | image | 77FE0000 | 69632 | own pid | read write | success or wait | 1
    \KnownDlls\GDI32.dll | write and read and execute | image | 77F10000 | 299008 | own pid | read write | success or wait | 1
    \KnownDlls\USER32.dll | write and read and execute | image | 7E410000 | 593920 | own pid | read write | success or wait | 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll | query and write and read and execute | image | 773D0000 | 1060864 | own pid | read write | success or wait | 1
    \KnownDlls\SHLWAPI.dll | write and read and execute | image | 77F60000 | 483328 | own pid | read write | success or wait | 1
    \KnownDlls\comdlg32.dll | write and read and execute | image | 763B0000 | 299008 | own pid | read write | success or wait | 1
    \KnownDlls\SHELL32.dll | write and read and execute | image | 7C9C0000 | 8482816 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\authz.dll | query and write and read and execute | image | 776C0000 | 73728 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\aclui.dll | query and write and read and execute | image | 71550000 | 126976 | own pid | read write | success or wait | 1
    \KnownDlls\ole32.dll | write and read and execute | image | 774E0000 | 1302528 | own pid | read write | success or wait | 1
    \KnownDlls\OLEAUT32.dll | write and read and execute | image | 77120000 | 569344 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\ulib.dll | query and write and read and execute | image | 71FA0000 | 282624 | own pid | read write | success or wait | 1
    C:\WINDOWS\clb.dll | query and write and read and execute | image | 10000000 | 20480 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\shimeng.dll | query and write and read and execute | image | 5CB70000 | 155648 | own pid | read write | success or wait | 1
    C:\WINDOWS\AppPatch\sysmain.sdb | read | commit | 290000 | 1208320 | own pid | readonly | success or wait | 1
    C:\WINDOWS\AppPatch\acgenral.dll | write and read and execute | commit | 3D0000 | 1855488 | own pid | execute | success or wait | 2
    C:\WINDOWS\AppPatch\acgenral.dll | query and write and read and execute | image | 6F880000 | 1875968 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\winmm.dll | query and write and read and execute | image | 76B40000 | 184320 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\msacm32.dll | query and write and read and execute | image | 77BE0000 | 86016 | own pid | read write | success or wait | 1
    \KnownDlls\VERSION.dll | write and read and execute | image | 77C00000 | 32768 | own pid | read write | success or wait | 1
    \KnownDlls\USERENV.dll | write and read and execute | image | 769C0000 | 737280 | own pid | read write | success or wait | 1
    C:\WINDOWS\system32\uxtheme.dll | query and write and read and execute | image | 5AD70000 | 229376 | own pid | read write | success or wait | 1
    \NLS\NlsSectionCType | read | image | 3E0000 | 12288 | own pid | readonly | success or wait | 1
    C:\WINDOWS\system32\imm32.dll | write and read and execute | commit | 360000 | 110592 | own pid | execute | success or wait | 2
    C:\WINDOWS\system32\imm32.dll | query and write and read and execute | image | 76390000 | 118784 | own pid | read write | success or wait | 1
    C:\WINDOWS\WindowsShell.Manifest | write and read and execute | commit | 380000 | 4096 | own pid | execute | success or wait | 1
    C:\WINDOWS\WindowsShell.Manifest | query and read | commit | 380000 | 4096 | own pid | readonly | success or wait | 2
    C:\WINDOWS\system32\shell32.dll | read | commit | 1070000 | 8462336 | own pid | readonly | success or wait | 1
    C:\WINDOWS\system32\aclui.dll | read | commit | 3A0000 | 118784 | own pid | readonly | success or wait | 1
    Section loaded by program
    File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count | Source Address
    C:\WINDOWS\system32\mfc42.dll | query and write and read and execute | image | 73DD0000 | 987136 | own pid | read write | success or wait | 1 | 100011E8
    C:\WINDOWS\system32\ws2_32.dll | query and write and read and execute | image | 71AB0000 | 94208 | own pid | read write | success or wait | 1 | 100011E8
    C:\WINDOWS\system32\ws2help.dll | query and write and read and execute | image | 71AA0000 | 32768 | own pid | read write | success or wait | 1 | 100011E8
    \KnownDlls\WININET.dll | write and read and execute | image | 3D930000 | 942080 | own pid | read write | success or wait | 1 | 852829
    \KnownDlls\Normaliz.dll | write and read and execute | image | 3A0000 | 36864 | own pid | read write | image not at base | 1 | 852829
    \KnownDlls\Normaliz.dll | write and read and execute | image | 3A0000 | 36864 | own pid | read write | conflicting addresses | 1 | 852829
    \KnownDlls\urlmon.dll | write and read and execute | image | 78130000 | 1257472 | own pid | read write | success or wait | 1 | 852829
    \KnownDlls\iertutil.dll | write and read and execute | image | 3DFD0000 | 2002944 | own pid | read write | success or wait | 1 | 852829
    C:\WINDOWS\system32\avicap32.dll | query and write and read and execute | image | 73B80000 | 73728 | own pid | read write | success or wait | 1 | 852845
    C:\WINDOWS\system32\msvfw32.dll | query and write and read and execute | image | 75A70000 | 135168 | own pid | read write | success or wait | 1 | 852845
    C:\WINDOWS\system32\wtsapi32.dll | query and write and read and execute | image | 76F50000 | 32768 | own pid | read write | success or wait | 1 | 85286F
    C:\WINDOWS\system32\winsta.dll | query and write and read and execute | image | 76360000 | 65536 | own pid | read write | success or wait | 1 | 85286F
    C:\WINDOWS\system32\netapi32.dll | query and write and read and execute | image | 5B860000 | 348160 | own pid | read write | success or wait | 1 | 85286F
    C:\WINDOWS\system32\dnsapi.dll | query and write and read and execute | image | 76F20000 | 159744 | own pid | read write | success or wait | 1 | 85287D
    C:\WINDOWS\system32\crypt32.dll | query and write and read and execute | image | 77A80000 | 610304 | own pid | read write | success or wait | 1 | 85288B
    C:\WINDOWS\system32\msasn1.dll | query and write and read and execute | image | 77B20000 | 73728 | own pid | read write | success or wait | 1 | 85288B
    \BaseNamedObjects\Global\_MOTO_SHARE_ | query and write and read | commit | A80000 | 4096 | own pid | read write | success or wait | 1 | 85E035
    C:\WINDOWS\system32\mswsock.dll | write and read and execute | commit | A90000 | 245760 | own pid | execute | success or wait | 1 | 857092
    C:\WINDOWS\system32\mswsock.dll | query and write and read and execute | image | 71A50000 | 258048 | own pid | read write | success or wait | 1 | 857092
    C:\WINDOWS\system32\winrnr.dll | write and read and execute | commit | A90000 | 20480 | own pid | execute | success or wait | 1 | 857092
    C:\WINDOWS\system32\winrnr.dll | query and write and read and execute | image | 76FB0000 | 32768 | own pid | read write | success or wait | 1 | 857092
    \KnownDlls\WLDAP32.dll | write and read and execute | image | 76F60000 | 180224 | own pid | read write | success or wait | 1 | 857092
    C:\WINDOWS\system32\rasadhlp.dll | query and write and read and execute | image | 76FC0000 | 24576 | own pid | read write | success or wait | 1 | 85709D
    C:\WINDOWS\system32\wmi.dll | query and write and read and execute and extend size | commit | BA0000 | 8192 | own pid | readonly | success or wait | 1 | 855370
    C:\WINDOWS\system32\sens.dll | query and write and read and execute and extend size | commit | BA0000 | 40960 | own pid | readonly | success or wait | 1 | 856160
    Registry Activities:
    Key value set
    Key Path | Name | Type | Data | Completion | Count | Source Address
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | sn | String | 6to4 | success or wait | 1 | 8521FD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters | ServiceDll | String | C:\WINDOWS\Temp\ntshrui.dll. | success or wait | 1 | 8521FD
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | sr | String | Sens | success or wait | 1 | 8521FD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS | DependOnService | Other | 00 00 | success or wait | 1 | 8521FD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS | Group | String | SchedulerGroup | success or wait | 1 | 8521FD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters | ServiceDll | String | C:\WINDOWS\system32\Sens32.dll | success or wait | 1 | 8521FD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 | Description | String | (empty) | success or wait | 1 | 8521FD
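The two ServiceDll writes above repoint svchost-hosted services at attacker-controlled DLLs: 6to4 at a file under C:\WINDOWS\Temp (with a trailing dot, which Win32 path normalisation strips before the file is opened), and SENS at a renamed copy of the real sens.dll; the sample records the two service names under HKEY_LOCAL_MACHINE\SYSTEM\WPA as sn and sr. The check below is an added example, not part of the report: it flags such ServiceDll values given (service, ServiceDll) pairs. The records are constructed from the rows above plus one Dnscache entry assumed to be clean for contrast; the expected-basename table is an analyst-supplied Windows XP baseline and an assumption, not something the report states.

```python
r"""Flag ServiceDll hijacks of the kind logged in the Key value set rows.
Added example; RECORDS are constructed from the report plus one assumed-clean
entry, and EXPECTED_SERVICEDLL is an analyst-supplied baseline (assumption)."""
import ntpath

# What each svchost-hosted service should name on a clean XP host (assumption).
EXPECTED_SERVICEDLL = {
    "6to4": "6to4svc.dll",
    "sens": "sens.dll",
}
TRUSTED_PREFIX = "c:\\windows\\system32\\"
WRITABLE_MARKERS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\")


def normalize(path):
    """Expand %SystemRoot%, drop the trailing dots/spaces that Win32 path
    normalisation removes before the open, and lower-case for comparison."""
    return path.replace("%SystemRoot%", "C:\\WINDOWS").rstrip(". ").lower()


def check_servicedll(service, servicedll):
    """Return a list of findings (empty when the value looks legitimate)."""
    findings = []
    if servicedll != servicedll.rstrip(". "):
        findings.append("trailing dot or space in ServiceDll "
                        "(Win32 strips it, so exact-string allow lists miss the real name)")
    path = normalize(servicedll)
    if not path.startswith(TRUSTED_PREFIX):
        findings.append("ServiceDll outside system32: " + servicedll)
    if any(marker in path for marker in WRITABLE_MARKERS):
        findings.append("ServiceDll under a temp or user-writable directory")
    expected = EXPECTED_SERVICEDLL.get(service.lower())
    base = ntpath.basename(path)
    if expected and base != expected:
        findings.append(f"ServiceDll basename {base} differs from expected {expected}")
    return findings


# Constructed from the rows above; the Dnscache value is an assumed-clean control.
RECORDS = [
    ("6to4", "C:\\WINDOWS\\Temp\\ntshrui.dll."),
    ("SENS", "C:\\WINDOWS\\system32\\Sens32.dll"),
    ("Dnscache", "%SystemRoot%\\System32\\dnsrslvr.dll"),
]


def audit(records=RECORDS):
    """Map service name -> findings for every record."""
    return {service: check_servicedll(service, dll) for service, dll in records}


if __name__ == "__main__":
    for service, findings in audit().items():
        print(service, "->", findings or "ok")
```

On a live host the same rules apply to every Parameters\ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services; the basename baseline has to come from a known-good image of the same Windows build, which is why it is kept as a separate table here.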
    Key value queried
    (A completion of "buffer overflow" is STATUS_BUFFER_OVERFLOW from NtQueryValueKey: the caller passed a buffer that was too small and was told the required size. Each such row is followed by the same query completing with "success or wait", which is the normal two-call size-probing pattern, not a fault in the sample or the sandbox.)
    Key Path | Name | Completion | Count | Source Address
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | md | buffer overflow | 1 | 100016CE
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | md | success or wait | 1 | 100016CE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters | sr | object name not found | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters | sn | object name not found | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters | id | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | md | buffer overflow | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | md | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | netsvcs | buffer overflow | 2 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | netsvcs | success or wait | 2 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters | rmd | object name not found | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters | ImagePath | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters | ServiceDll | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | Start | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\WPA | DependOnService | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS | Group | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS | ServiceDll | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters | ServiceDll | success or wait | 1 | 85225A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtmsSvc | Description | object name not found | 1 | 85225A
    Memory Activities:
    Memory allocated
    PID | Filepath | Base | Length | Protection | Completion | Count | Source Address
    520 | C:\WINDOWS\regedit.exe | 850000 | 4D304 | page execute and read and write | success or wait | 1 | 10001161
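The Source Address column ties each operation to the code that issued it. Every 1000xxxx address falls inside C:\WINDOWS\clb.dll (mapped at 10000000, size 20480 in the Section loaded table): regedit.exe lives in C:\WINDOWS and resolves clb.dll from its own directory before system32, where the legitimate copy is, and clb.dll is not on the KnownDlls list. The allocation above is the only PAGE_EXECUTE_READWRITE region and was requested from clb.dll (10001161); after three further library loads still issued from clb.dll (100011E8), every remaining file, registry and section operation reports a source address between 850000 and 89D304, inside that allocation. The following is an added example (not from the report) that performs this attribution over region and event lists constructed from the tables on this page and reports the hand-off from the image to the private allocation:

```python
r"""Attribute the Source Address of logged operations to the code region that
issued them. Added example; REGIONS and EVENTS are constructed from the
report's Section loaded, Memory allocated, file and registry rows."""

# (name, base, size, kind). Sizes are the Size column of the Section loaded
# rows; regedit.exe uses its reported file size as an approximation.
REGIONS = [
    ("C:\\WINDOWS\\regedit.exe", 0x01000000, 146432, "image"),
    ("C:\\WINDOWS\\clb.dll", 0x10000000, 20480, "image"),
    ("private RWX allocation at 850000", 0x00850000, 0x4D304, "private"),
    ("C:\\WINDOWS\\system32\\mfc42.dll", 0x73DD0000, 987136, "image"),
    ("\\KnownDlls\\kernel32.dll", 0x7C800000, 1007616, "image"),
]


def attribute(addr, regions=REGIONS):
    """Return (region name, kind, offset into region), or None if unmapped."""
    for name, base, size, kind in regions:
        if base <= addr < base + size:
            return name, kind, addr - base
    return None


# (time, source address, operation): times from the chronological section,
# source addresses from the per-category tables above.
EVENTS = [
    (1520100714, 0x10001699, "File read C:\\WINDOWS\\winhlp32.exe"),
    (1520120602, 0x100016CE, "Key value queried HKLM\\SYSTEM\\WPA md"),
    (1520139220, 0x10001161, "Memory allocated 850000 len 4D304 PAGE_EXECUTE_READWRITE"),
    (1520166590, 0x100011E8, "Section loaded mfc42.dll"),
    (1520231789, 0x00852829, "Section loaded WININET.dll"),
    (1521236390, 0x00855370, "File copied wmi.dll -> Temp\\ntshrui.dll"),
    (1521357623, 0x008521FD, "Key value set HKLM\\SYSTEM\\WPA sn = 6to4"),
    (1522299313, 0x008525EB, "File renamed clb.dll -> clb.dllbak"),
]


def stage_transitions(events, regions=REGIONS):
    """Collapse the event stream to the points where the issuing code region
    changes; each change is a hand-off between unpacking stages."""
    chain = []
    for t, addr, op in sorted(events):
        hit = attribute(addr, regions)
        name = hit[0] if hit else "unmapped"
        if not chain or chain[-1][1] != name:
            chain.append((t, name, op))
    return chain


def executes_from_private_memory(events, regions=REGIONS):
    """True if any operation was issued from memory not backed by an image,
    i.e. from code that was written at run time."""
    for _, addr, _ in events:
        hit = attribute(addr, regions)
        if hit is not None and hit[1] == "private":
            return True
    return False


if __name__ == "__main__":
    for t, name, op in stage_transitions(EVENTS):
        print(f"{t}: {name}  (first operation: {op})")
    print("runs code from private memory:", executes_from_private_memory(EVENTS))
```

The same two checks (a source address inside an executable private allocation, and a hand-off from a DLL loaded from the application directory rather than system32) are what a detection rule over sandbox or EDR call traces would key on; the module list has to be taken from the same trace, as here, because the bases are per-run.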
    Chronological sections
    Operation | Data | Completion | Time
    Section loaded | Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid | success or wait | 1518814302
    Section loaded | Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 1C0000 Size: 90112 Protection: readonly Mapped to pid: own pid | success or wait | 1518840771
    Section loaded | Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 1E0000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 1518851213
    Section loaded | Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 230000 Size: 266240 Protection: readonly Mapped to pid: own pid | success or wait | 1518854381
    Section loaded | Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 280000 Size: 24576 Protection: readonly Mapped to pid: own pid | success or wait | 1518860850
    Section loaded | Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: image Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid | success or wait | 1518873082
    Section loaded | Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid | success or wait | 1518892234
    Section loaded | Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid | success or wait | 1518900235
    Section loaded | Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid | success or wait | 1518913759
    Section loaded | Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid | success or wait | 1518936503
    Section loaded | Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid | success or wait | 1518944795
    Section loaded | Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid | success or wait | 1518974874
    Section loaded | Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: image Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid | success or wait | 1518987510
    Section loaded | Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: image Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid | success or wait | 1519006627
    Section loaded | Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: image Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid | success or wait | 1519029134
    Section loaded | Path: C:\WINDOWS\system32\authz.dll Access: query and write and read and execute Type: image Baseaddress: 776C0000 Size: 73728 Protection: read write Mapped to pid: own pid | success or wait | 1519072992
    Section loaded | Path: C:\WINDOWS\system32\aclui.dll Access: query and write and read and execute Type: image Baseaddress: 71550000 Size: 126976 Protection: read write Mapped to pid: own pid | success or wait | 1519107735
    Section loaded | Path: \KnownDlls\ole32.dll Access: write and read and execute Type: image Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid | success or wait | 1519135619
    Section loaded | Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: image Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid | success or wait | 1519155027
    Section loaded | Path: C:\WINDOWS\system32\ulib.dll Access: query and write and read and execute Type: image Baseaddress: 71FA0000 Size: 282624 Protection: read write Mapped to pid: own pid | success or wait | 1519189118
    Section loaded | Path: C:\WINDOWS\clb.dll Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 20480 Protection: read write Mapped to pid: own pid | success or wait | 1519212380
    Section loaded | Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid | success or wait | 1519230370
    Section loaded | Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 290000 Size: 1208320 Protection: readonly Mapped to pid: own pid | success or wait | 1519253454
    Section loaded | Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid | success or wait | 1519279003
    Section loaded | Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 3D0000 Size: 1855488 Protection: execute Mapped to pid: own pid | success or wait | 1519285633
    Section loaded | Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid | success or wait | 1519290637
    Section loaded | Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid | success or wait | 1519315494
    Section loaded | Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid | success or wait | 1519335388
    Section loaded | Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: image Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1519348556
    Section loaded | Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: image Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid | success or wait | 1519369744
    Section loaded | Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid | success or wait | 1519382905
    Section loaded | Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 3E0000 Size: 12288 Protection: readonly Mapped to pid: own pid | success or wait | 1519414292
    Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid | success or wait | 1519498087
    Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 360000 Size: 110592 Protection: execute Mapped to pid: own pid | success or wait | 1519503954
    Section loaded | Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid | success or wait | 1519508368
    Section loaded | Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 380000 Size: 4096 Protection: execute Mapped to pid: own pid | success or wait | 1519549137
    Section loaded | Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid | success or wait | 1519554549
    Section loaded | Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 380000 Size: 4096 Protection: readonly Mapped to pid: own pid | success or wait | 1519558206
    Section loaded | Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1070000 Size: 8462336 Protection: readonly Mapped to pid: own pid | success or wait | 1519686373
    Section loaded | Path: C:\WINDOWS\system32\aclui.dll Access: read Type: commit Baseaddress: 3A0000 Size: 118784 Protection: readonly Mapped to pid: own pid | success or wait | 1519900279
    File opened | Path: C:\WINDOWS\winhlp32.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1520096485
    File read | Path: C:\WINDOWS\winhlp32.exe Offset: none Length: 4 Value: 4D 5A 90 00 | success or wait | 1520100714
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: md | buffer overflow | 1520115664
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: md | success or wait | 1520120602
    Memory allocated | PID: 520 Path: C:\WINDOWS\regedit.exe Base: 850000 Length: 4D304 Allocation Type: null Protection: page execute and read and write | success or wait | 1520139220
    Section loaded | Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid | success or wait | 1520166590
    Section loaded | Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid | success or wait | 1520203833
    Section loaded | Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1520217744
    Section loaded | Path: \KnownDlls\WININET.dll Access: write and read and execute Type: image Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid | success or wait | 1520231789
    Section loaded | Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: 3A0000 Size: 36864 Protection: read write Mapped to pid: own pid | image not at base | 1520254901
    Section loaded | Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: image Baseaddress: 3A0000 Size: 36864 Protection: read write Mapped to pid: own pid | conflicting addresses | 1520260649
    Section loaded | Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: image Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid | success or wait | 1520270206
    Section loaded | Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: image Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid | success or wait | 1520284401
    Section loaded | Path: C:\WINDOWS\system32\avicap32.dll Access: query and write and read and execute Type: image Baseaddress: 73B80000 Size: 73728 Protection: read write Mapped to pid: own pid | success or wait | 1520919577
    Section loaded | Path: C:\WINDOWS\system32\msvfw32.dll Access: query and write and read and execute Type: image Baseaddress: 75A70000 Size: 135168 Protection: read write Mapped to pid: own pid | success or wait | 1521009098
    Section loaded | Path: C:\WINDOWS\system32\wtsapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76F50000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1521017173
    Section loaded | Path: C:\WINDOWS\system32\winsta.dll Access: query and write and read and execute Type: image Baseaddress: 76360000 Size: 65536 Protection: read write Mapped to pid: own pid | success or wait | 1521020973
    Section loaded | Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid | success or wait | 1521024210
    Section loaded | Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid | success or wait | 1521038057
    Section loaded | Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid | success or wait | 1521061657
    Section loaded | Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid | success or wait | 1521065506
    Section loaded | Path: \BaseNamedObjects\Global\_MOTO_SHARE_ Access: query and write and read Type: commit Baseaddress: A80000 Size: 4096 Protection: read write Mapped to pid: own pid | success or wait | 1521132085
    File created | Path: C:\WINDOWS\Offline Web Pages\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false | 7FFDEBF8 | 1521133310
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters Name: sr | object name not found | 1521133754
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters Name: sn | object name not found | 1521134240
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters Name: id | success or wait | 1521134578
    Section loaded | Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: A90000 Size: 245760 Protection: execute Mapped to pid: own pid | success or wait | 1521136806
    Section loaded | Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid | success or wait | 1521142100
    Section loaded | Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: A90000 Size: 20480 Protection: execute Mapped to pid: own pid | success or wait | 1521177133
    Section loaded | Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid | success or wait | 1521179247
    Section loaded | Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: image Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid | success or wait | 1521182390
    Section loaded | Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid | success or wait | 1521204486
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: md | buffer overflow | 1521211478
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: md | success or wait | 1521213355
    File copied | From: C:\WINDOWS\system32\wmi.dll to: C:\WINDOWS\Temp\ntshrui.dll | success or wait | 1521236390
    Section loaded | Path: C:\WINDOWS\system32\wmi.dll Access: query and write and read and execute and extend size Type: commit Baseaddress: BA0000 Size: 8192 Protection: readonly Mapped to pid: own pid | success or wait | 1521243756
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: netsvcs | buffer overflow | 1521252408
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: netsvcs | success or wait | 1521254893
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: netsvcs | buffer overflow | 1521255519
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: netsvcs | success or wait | 1521255781
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: rmd | object name not found | 1521262389
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: sn Type: String Data: 6to4 | success or wait | 1521357623
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters Name: ServiceDll Type: String Data: C:\WINDOWS\Temp\ntshrui.dll. | success or wait | 1521429348
    File deleted | Path: C:\WINDOWS\Temp\ntshrui.dll | success or wait | 1521878225
    File created | Path: C:\WINDOWS\Temp\ntshrui.dll Access: read attributes and synchronize and generic write Options: write through and synchronous io non alert and non directory file Attributes: none Content Overwritten: false | success or wait | 1521883039
    File write | Path: C:\WINDOWS\Temp\ntshrui.dll Offset: none Length: 6672 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 2F E4 EA DD 6B 85 84 8E 6B 85 84 8E 6B 85 84 8E 10 99 88 8E 69 85 84 8E 5D A3 8E 8E 6D 85 84 8E E8 8D D9 8E 69 85 84 8E E8 99 8A 8E 68 85 84 8E 04 9A 8E 8E 6F 85 84 8E 04 9A 80 8E 69 85 84 8E 6B 85 85 8E 48 85 84 8E 5D A3 80 8E 68 85 84 8E 5D A3 8F 8E 6F 85 84 8E 94 A5 80 8E 6A 85 84 8E 52 69 63 68 6B 85 84 8E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 | success or wait | 1521893514
    File opened | Path: C:\WINDOWS\system32\wmi.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false | success or wait | 1521904278
    File opened | Path: C:\WINDOWS\Temp\ntshrui.dll Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false | success or wait | 1521904858
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters Name: ImagePath | success or wait | 1521907096
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4\Parameters Name: ServiceDll | success or wait | 1521907807
    File copied | From: C:\WINDOWS\system32\sens.dll to: C:\WINDOWS\system32\Sens32.dll | success or wait | 1521909427
    Section loaded | Path: C:\WINDOWS\system32\sens.dll Access: query and write and read and execute and extend size Type: commit Baseaddress: BA0000 Size: 40960 Protection: readonly Mapped to pid: own pid | success or wait | 1521919015
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: sr Type: String Data: Sens | success or wait | 1521945768
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: Start | success or wait | 1522008965
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA Name: DependOnService | success or wait | 1522009409
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS Name: DependOnService Type: Other Data: 00 00 | success or wait | 1522010405
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS Name: Group | success or wait | 1522064419
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS Name: Group Type: String Data: SchedulerGroup | success or wait | 1522065614
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS Name: ServiceDll | success or wait | 1522136380
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters Name: ServiceDll Type: String Data: C:\WINDOWS\system32\Sens32.dll | success or wait | 1522137606
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SENS\Parameters Name: ServiceDll | success or wait | 1522196587
    Key value queried | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NtmsSvc Name: Description | object name not found | 1522198415
    Key value set | Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 Name: Description Type: String Data: (empty) | success or wait | 1522199288
    File deleted | Path: C:\WINDOWS\clb.dll | cannot delete | 1522298293
    File moved | New path: C:\WINDOWS\clb.dllbak Path: C:\WINDOWS\clb.dll | success or wait | 1522299313
    Copyright 2011 Joe Security | All rights reserved | www.joesecurity.org
