General information
Joebox version:	4.3.5
Start time:	21:53:34
Start date:	09/10/2011
Overall analysis duration:	0h 9m 9s
Target binary file name:	scuints.exe_
Target script file name:	default.jbs
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Errors:

Summary
Binary contains device paths (device paths are often used for kernelmode <-> usermode communication)
Binary contains paths to debug symbols
Creates temporary files
Printf formatting strings found in memory and binary data
Queries a list of all running drivers
Queries a list of all running processes
Spawns processes
Creates a mutex to recognise infected hosts
Creates files inside the system directory
Creates driver files
Found strings which match to known social media urls
Allocates a big amount of executable memory (probably used for heap spraying)
Allocates memory in foreign processes
Binary may include packed or crypted data
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Modifies IRP (I/O request packets) handlers (IRP hooks)
Modifies the prolog of usermode functions (usermode inline hooks)
Spawns drivers
Writes to foreign memory regions

PE Information

General
Entrypoint:	0x404eddL	.text
Imagebase:	0x400000L
Time stamp:	0x4CFD0E2E [Mon Dec 6 16:24:14 2010 UTC]
Subsystem:	windows gui
TLS callbacks:

Resources
Name	RVA address	Size	Type
German	0x131b8L	0x56000L	PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
German	0x691b8L	0x2780L	PE32 executable for MS Windows (native) Intel 80386 32-bit
German	0x6b938L	0xa000L	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
German	0x75938L	0x26000L	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
German	0x9b938L	0x2210L	PE32+ executable for MS Windows (native) Mono/.Net assembly
German	0x9db48L	0x274L	data
English	0x9ddbcL	0x15cL	ASCII text, with CRLF line terminators

Imports
DLL	Import
KERNEL32.dll	GetTempPathA, GetModuleFileNameA, GetVersionExA, GetEnvironmentVariableW, GetLastError, SetFileTime, SystemTimeToFileTime, GetFileTime, MoveFileExW, GetModuleFileNameW, Process32First, CreateToolhelp32Snapshot, lstrlenA, GetSystemDirectoryA, SetFileAttributesA, MoveFileExA, GetShortPathNameW, Sleep, GetExitCodeProcess, GetModuleHandleA, GetCurrentProcess, CreateFileA, WriteFile, CloseHandle, FindResourceA, LoadResource, SizeofResource, LockResource, LoadLibraryA, GetProcAddress, FreeLibrary, Process32Next, FlushFileBuffers, RtlUnwind, HeapAlloc, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, HeapFree, RaiseException, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, WideCharToMultiByte, TerminateProcess, HeapSize, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, SetFilePointer, InterlockedDecrement, InterlockedIncrement, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetCPInfo, GetACP, GetOEMCP, SetStdHandle, LCMapStringA, LCMapStringW, DeleteFileA
USER32.dll	DispatchMessageA, TranslateMessage, PeekMessageA
ADVAPI32.dll	RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, OpenSCManagerA, OpenServiceA, CloseServiceHandle, StartServiceA

Exports

Sections
Name	Virtual address	Virtual size	Raw size	entropy
.text	0x1000L	0xa1e2L	0xb000L	6.33511413611
.rdata	0xc000L	0x16aeL	0x2000L	3.95847135159
.data	0xe000L	0x4780L	0x4000L	0.976263860363
.rsrc	0x13000L	0x8af18L	0x8b000L	6.00349430728

Version Infos
Description	Data
LegalTrademarks
FileVersion
InternalName
Comments
ProductVersion
PrivateBuild
LegalCopyright
SpecialBuild
FileDescription
CompanyName
ProductName
OriginalFilename
Translation	0x0407 0x04b0

Possible Origin
Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Debug symbol paths
String value	Source
Z:\driver\winsys32\objfre_w2K_x86\i386\winsys32.pdb	scuints.exe_, winsys32.sys.dr
z:\driver\winsys32\objfre_win7_amd64\amd64\winsys32.pdb	scuints.exe_

Formattings for printf style functions
String value	Source
Quantizing to %d = %d%d%d colors	mfc42ul.dll.dr
CALL %d STATUS RINGIN%c	mfc42ul.dll.dr
CONNECT %s:%d HTTP/1.0	mfc42ul.dll.dr
warning: %s	mfc42ul.dll.dr
Unknown APP14 marker (not Adobe), length %u	mfc42ul.dll.dr
ControlSet%d	mfc42ul.dll.dr
Bogus DQT index %d	mfc42ul.dll.dr
GET FILETRANSFER %d PARTNER_HANDLE	mfc42ul.dll.dr
GET MESSAGE %d PARTNER_HANDLE	mfc42ul.dll.dr
Too many color components: %d, max %d	mfc42ul.dll.dr
Unrecognized component IDs %d %d %d, assuming YCbCr	mfc42ul.dll.dr
Improper call to JPEG library in state %d	mfc42ul.dll.dr
JFIF APP0 marker: version %d.%02d, density %dx%d %d	mfc42ul.dll.dr
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u	mfc42ul.dll.dr
CALL %d STATUS BUS%c	mfc42ul.dll.dr
Obtained XMS handle %u	mfc42ul.dll.dr
Start Of Frame 0x%02x: width=%u, height=%u, components=%d	mfc42ul.dll.dr
Cannot transcode due to multiple use of quantization table %d	mfc42ul.dll.dr
Fatal error: %s	mfc42ul.dll.dr
CURRENTUSERHANDLE %s	mfc42ul.dll.dr
JFIF extension marker: palette thumbnail image, length %u	mfc42ul.dll.dr
MESSAGE %d STATUS RECEIVE%c	mfc42ul.dll.dr
CALL %d STATUS FINISHE%c	mfc42ul.dll.dr
Cannot quantize to more than %d colors	mfc42ul.dll.dr
%%oJ..r\	mfc42ul.dll.dr
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d	mfc42ul.dll.dr
Wrong JPEG library version: library is %d, caller expects %d	mfc42ul.dll.dr
Invalid progressive parameters at scan script entry %d	mfc42ul.dll.dr
%d %d %d %d %d %d %d	mfc42ul.dll.dr
Invalid component ID %d in SOS	mfc42ul.dll.dr
Miscellaneous marker 0x%02x, length %u	mfc42ul.dll.dr
CALL %d DURATION %d	mfc42ul.dll.dr
Invalid scan script at entry %d	mfc42ul.dll.dr
J%%o\..r8	mfc42ul.dll.dr
Selected %d colors for quantization	mfc42ul.dll.dr
CALL %d STATUS INPROGRES%c	mfc42ul.dll.dr
\|$$t%G	mfc42ul.dll.dr
Invalid memory pool code %d	mfc42ul.dll.dr
Bogus DAC value 0x%x	mfc42ul.dll.dr
Freed EMS handle %u	mfc42ul.dll.dr
%d.%d.%d.%d	mfc42ul.dll.dr
Define Quantization Table %d precision %d	mfc42ul.dll.dr
Unsupported JPEG data precision %d	mfc42ul.dll.dr
GET CALL %d PARTNER_HANDLE	mfc42ul.dll.dr
GET CALL %d TYPE	mfc42ul.dll.dr
GET CALL %d CONF_PARTICIPANT %d	mfc42ul.dll.dr
GET CALL %d PARTNER_DISPNAME	mfc42ul.dll.dr
APIState: %d%c	mfc42ul.dll.dr
CALL %d CONF_PARTICIPANTS_COUNT %d	mfc42ul.dll.dr
Start Of Scan: %d components	mfc42ul.dll.dr
CALL %d STATUS FAILE%c	mfc42ul.dll.dr
Corrupt JPEG data: found marker 0x%02x instead of RST%d	mfc42ul.dll.dr
JFIF extension marker: RGB thumbnail image, length %u	mfc42ul.dll.dr
Bogus DAC index %d	mfc42ul.dll.dr
CALL %d VIDEO_RECEIVE_STATUS RUNNIN%c	mfc42ul.dll.dr
warning: %s %d	mfc42ul.dll.dr
IDCT output block size %d not supported	mfc42ul.dll.dr
Cannot quantize more than %d color components	mfc42ul.dll.dr
Failed to create temporary file %s	mfc42ul.dll.dr
9^(u%Sj	mfc42ul.dll.dr
Unknown APP0 marker (not JFIF), length %u	mfc42ul.dll.dr
At marker 0x%02x, recovery action %d	mfc42ul.dll.dr
JFIF extension marker: type 0x%02x, length %u	mfc42ul.dll.dr
CALL %d VIDEO_SEND_STATUS STOPPIN%c	mfc42ul.dll.dr
CALL %d STATUS REFUSE%c	mfc42ul.dll.dr
CALL %d VIDEO_RECEIVE_STATUS STOPPIN%c	mfc42ul.dll.dr
JFIF extension marker: JPEG-compressed thumbnail image, length %u	mfc42ul.dll.dr
with %d x %d thumbnail image	mfc42ul.dll.dr
Ss=%d, Se=%d, Ah=%d, Al=%d	mfc42ul.dll.dr
x%oJ%.r\.	mfc42ul.dll.dr
Unknown Adobe color transform code %d	mfc42ul.dll.dr
Bogus DHT index %d	mfc42ul.dll.dr
Cannot quantize to fewer than %d colors	mfc42ul.dll.dr
Adobe APP14 marker: version %d, flags 0x%04x 0x%04x, transform %d	mfc42ul.dll.dr
GET MESSAGE %d BODY	mfc42ul.dll.dr
Inconsistent progression sequence for component %d coefficient %d	mfc42ul.dll.dr
Corrupt JPEG data: %u extraneous bytes before marker 0x%02x	mfc42ul.dll.dr
Quantizing to %d colors	mfc42ul.dll.dr
CALL %d STATUS ROUTIN%c	mfc42ul.dll.dr
Component %d: dc=%d ac=%d	mfc42ul.dll.dr
GET CALL %d PSTN_NUMBER	mfc42ul.dll.dr
\$$t%C	mfc42ul.dll.dr
APIState: %d\|	mfc42ul.dll.dr
Closed temporary file %s	mfc42ul.dll.dr
Component %d: %dhx%dv q=%d	mfc42ul.dll.dr
GET MESSAGE %d PARTNER_DISPNAME	mfc42ul.dll.dr
CALL %d VIDEO_SEND_STATUS RUNNIN%c	mfc42ul.dll.dr
Opened temporary file %s	mfc42ul.dll.dr
SKYPEVERSION %d.%d.%d.%d	mfc42ul.dll.dr
Insufficient memory (case %d)	mfc42ul.dll.dr
MESSAGE %d STATUS REA%c	mfc42ul.dll.dr
Maximum supported image dimension is %u pixels	mfc42ul.dll.dr
Warning: unknown JFIF revision number %d.%02d	mfc42ul.dll.dr
Define Restart Interval %u	mfc42ul.dll.dr
%s~tmp%08x~.exe	mfc42ul.dll.dr
Freed XMS handle %u	mfc42ul.dll.dr
Obtained EMS handle %u	mfc42ul.dll.dr
Warning: thumbnail image size does not match data length %u	mfc42ul.dll.dr
Bogus message code %d	mfc42ul.dll.dr
GET FILETRANSFER %d TYPE	mfc42ul.dll.dr
CALL %d STATUS MISSE%c	mfc42ul.dll.dr
MESSAGE %d STATUS SEN%c	mfc42ul.dll.dr
ache%OLK*	scuints.exe_.exe

Social media names
String value	Source
Yahoo equals www.yahoo.com (Yahoo)	explorer.exe, scuints.exe_, mfc42ul.dll.dr

Startup

system is xp

scuints.exe_.exe (PID: 1424 MD5: 309EDE406988486BF81E603C514B4B82)

winsys32.sys (PID: 4 MD5: 9A8004E2F0093E3FE542FA53BD6AD1B2)

explorer.exe (PID: 1552 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

~acrd~tmp~.exe (PID: 1232 MD5: 96C56885D0C87B41D0A657A8789779F2)

cleanup

Dropped Files
File Path	MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	96C56885D0C87B41D0A657A8789779F2
C:\WINDOWS\system32\mfc42ul.dll	934B696CC17A1EFC102C0D5633768CA2
C:\WINDOWS\system32\winsys32.sys	9A8004E2F0093E3FE542FA53BD6AD1B2

Involved IP Addresses
IP	ASN	ASN Description	ANS State
83.236.140.90	AS20676	QSC-1 QSC AG	DE

All TCP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 9, 2011 22:00:24.915546000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:24.915671000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:24.916421000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.255528000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.255593000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:25.256017000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.256037000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:25.257468000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.257484000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:25.258349000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.258381000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:25.261880000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.261961000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:25.262414000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.262469000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:00:25.265433000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:00:25.265516000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:01:34.752611000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:01:34.752689000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:02:25.851636000 CEST	443	1119	83.236.140.90	192.168.0.10
Oct 9, 2011 22:02:25.852083000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:02:25.852966000 CEST	1119	443	192.168.0.10	83.236.140.90
Oct 9, 2011 22:02:25.852996000 CEST	443	1119	83.236.140.90	192.168.0.10

IRP Handler
Handler Function	Driver	Address	Type

New Devices
Driver	Device	Attached to (lower)	Attached to (upper)
\Driver\winsys32	\Device\KeyboardClassC

User Modules

Hook Summary
Function Name	Hook Type	Active in Processes
ZwWaitForSingleObject	INLINE	explorer.exe
NtWaitForSingleObject	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: ntdll.dll
Function Name	Hook Type	New Data
ZwWaitForSingleObject	INLINE	0xE8 0x8A 0xAD 0xD2 0x20 0x07
NtWaitForSingleObject	INLINE	0xE8 0x8A 0xAD 0xD2 0x20 0x07

Sections

General
Start time:	12:53:24
Start date:	09/10/2011
Path:	C:\scuints.exe_.exe
Commandline:	not known
Imagebase:	0x400000
File size:	643072 bytes
MD5 hash:	309EDE406988486BF81E603C514B4B82

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\WINDOWS\system32\mfc42ul.dll	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	12FA9C	1	401143
C:\WINDOWS\system32\mfc42ul.dll	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	success or wait	2	401143
C:\WINDOWS\system32\mfc42.dll	read attributes and synchronize and generic read	synchronous io non alert and non directory file	false	success or wait	2	401DDB
C:\WINDOWS\system32\winsys32.sys	read attributes and synchronize and generic read and generic write	synchronous io non alert and non directory file	false	success or wait	1	401E2B

File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
C:\WINDOWS\system32\~pgp~.tmp	read attributes and synchronize and generic write	normal	synchronous io non alert and non directory file	success or wait	1	403A81
C:\WINDOWS\system32\mfc42ul.dll	read attributes and synchronize and generic write	normal	synchronous io non alert and non directory file	success or wait	1	401143
C:\WINDOWS\system32\winsys32.sys	read attributes and synchronize and generic write	normal	synchronous io non alert and non directory file	success or wait	1	401143
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	read attributes and synchronize and generic write	normal	synchronous io non alert and non directory file	success or wait	1	401143

File deleted
File Path	Completion	Count	Source Address
C:\WINDOWS\system32\~pgp~.tmp	success or wait	1	40AFE0

File written
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\WINDOWS\system32\mfc42ul.dll	none	352256	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	4010D5
C:\WINDOWS\system32\winsys32.sys	none	10112	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 02 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	4010D5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	none	40960	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1	4010D5

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\WINDOWS\system32\mfc42ul.dll	BasicInformation	Creation Time: 13:00 28-02-2006 Last Access Time: 18:00 08-04-2011 Last Write Time: 08:53 18-09-2010 Change Time: 01:00 01-01-1601 File Attributes: none		success or wait	1	401E49
C:\WINDOWS\system32\winsys32.sys	BasicInformation	Creation Time: 13:00 28-02-2006 Last Access Time: 18:00 08-04-2011 Last Write Time: 08:53 18-09-2010 Change Time: 01:00 01-01-1601 File Attributes: none		success or wait	1	401E49

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	270000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	290000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2E0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	330000	24576	own pid	readonly	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	image	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	image	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	image	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	image	77E70000	602112	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	image	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\NLS\NlsSectionCType	read	image	370000	12288	own pid	readonly	success or wait	1	409BFA
none	query and write and read	commit	390000	12288	own pid	read write	success or wait	6	4031B3
none	query and write and read	commit	380000	12288	own pid	read write	success or wait	59	4031DA
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	380000	126976	own pid	execute	success or wait	1	4016AD
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	4016AD
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	980000	1208320	own pid	readonly	success or wait	1	4016AD
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	query and read	commit	380000	40960	own pid	readonly	success or wait	1	4016AD

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
1232	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe C:\SCUINT~2.EXE	0	success or wait	1	4016AD

Process terminated
PID	Filepath	Completion	Count	Source Address
1424	C:\scuints.exe_.exe	success or wait	1	408173
1424	C:\scuints.exe_.exe	success or wait	0	408173

Thread Activities:

Thread created
TID	PID	EIP	Injected	Filepath	Completion	Count	Source Address
1204	1552	7C8106F9	true	C:\WINDOWS\explorer.exe	success or wait	1	402CC3

Thread resumed
TID	PID	Completion	Count	Source Address
1204	1552	success or wait	1	402CC3

Memory Activities:

Memory written
PID	Filepath	Base	Length	Value	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	980000	31	43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 6D 66 63 34 32 75 6C 2E 64 6C 6C	success or wait	1	402CB4

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	980000	12FA9C	page read and write	success or wait	1	402C95

Memory attributes changed
PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	980000	1000	page execute and read and write	page read and write	success or wait	1	402CB4
1552	C:\WINDOWS\explorer.exe	980000	1000	page read and write	page execute and read and write	success or wait	1	402CB4

System Activities:

System information queried
System info class	Completion	Count	Source Address
ProcessInformation	success or wait	1	4031B3
ProcessInformation	success or wait	1	4031B3
ProcessInformation	success or wait	1	4031B3

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1587890054
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1587902452
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1587903913
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1587904943
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1587905521
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: image Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	1587927876
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: image Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	1587929679
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: image Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	1587937506
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: image Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid	success or wait	1587940086
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: image Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	1587943641
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1587955979
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	1587958256
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	1587960465
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1587982260
File created	Path: C:\WINDOWS\system32\~pgp~.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1587987323
File deleted	Path: C:\WINDOWS\system32\~pgp~.tmp	success or wait	1587998246
File opened	Path: C:\WINDOWS\system32\mfc42ul.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	12FA9C	1588000941
File created	Path: C:\WINDOWS\system32\mfc42ul.dll Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1588003517
File write	Path: C:\WINDOWS\system32\mfc42ul.dll Offset: none Length: 352256 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1588259235
File opened	Path: C:\WINDOWS\system32\mfc42ul.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1588355855
File opened	Path: C:\WINDOWS\system32\mfc42.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1588356883
File opened	Path: C:\WINDOWS\system32\mfc42ul.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1588360210
File other operation	Disposition: BasicInformation Data : Creation Time: 13:00 28-02-2006 Last Access Time: 18:00 08-04-2011 Last Write Time: 08:53 18-09-2010 Change Time: 01:00 01-01-1601 File Attributes: none Path: C:\WINDOWS\system32\mfc42ul.dll	success or wait	1588360862
File created	Path: C:\WINDOWS\system32\winsys32.sys Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1588363110
File write	Path: C:\WINDOWS\system32\winsys32.sys Offset: none Length: 10112 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 02 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1588392333
File opened	Path: C:\WINDOWS\system32\mfc42.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1589366394
File opened	Path: C:\WINDOWS\system32\winsys32.sys Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false	success or wait	1589367170
File other operation	Disposition: BasicInformation Data : Creation Time: 13:00 28-02-2006 Last Access Time: 18:00 08-04-2011 Last Write Time: 08:53 18-09-2010 Change Time: 01:00 01-01-1601 File Attributes: none Path: C:\WINDOWS\system32\winsys32.sys	success or wait	1589367914
System info queried	Type: ProcessInformation	success or wait	1589375856
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 390000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589398176
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 390000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589399424
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589400504
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589403140
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589403477
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589403800
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589417863
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589418204
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589418519
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589423345
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589423804
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589424234
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589438660
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589439117
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1589439549
Memory allocated	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 980000 Length: 12FA9C Allocation Type: null Protection: page read and write	success or wait	1589444261
Memory attributes changed	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 980000 Length: 1000 New Protection: page execute and read and write New Protection: page read and write		1589444589
Memory attributes changed	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 980000 Length: 1000 New Protection: page read and write New Protection: page execute and read and write		1589444900
Memory written	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 980000 Length: 31 Value: 43 3A 5C 57 49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C 6D 66 63 34 32 75 6C 2E 64 6C 6C	success or wait	1603212782
Thread created	PID: 1552 TID: 1204 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: true	success or wait	1603342552
Thread resumed	TID: 1204 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1603346258
System info queried	Type: ProcessInformation	success or wait	1603355754
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 390000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603362203
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 390000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603362571
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603368443
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603368792
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603369111
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603371485
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603371807
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603372122
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603375050
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603375371
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603375789
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603378762
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603379200
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603379634
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603385724
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603386164
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603386599
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603390084
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603390522
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603390956
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603394214
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603394651
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603395084
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603398005
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603398442
System info queried	Type: ProcessInformation	success or wait	1603401643
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 390000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603406668
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 390000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603409564
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603410495
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603410828
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603414838
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603416600
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603417353
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603417682
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603419938
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603421674
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603422111
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603423850
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603424709
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603425143
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603426271
Section loaded	Path: none Access: query and write and read Type: commit Baseaddress: 380000 Size: 12288 Protection: read write Mapped to pid: own pid	success or wait	1603430689
File created	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false	success or wait	1603442821
File write	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe Offset: none Length: 40960 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65	success or wait	1603492260
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: 380000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	1603536633
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	1603543072
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 980000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	1603553257
Section loaded	Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe Access: query and read Type: commit Baseaddress: 380000 Size: 40960 Protection: readonly Mapped to pid: own pid	success or wait	1603685324
Process created	PID: 1232 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe Cmdline: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe C:\SCUINT~2.EXE Createflags: 0	success or wait	1603769382
Process terminated	PID: 1424 Path: C:\scuints.exe_.exe	success or wait	1605657571

Sections

General
Start time:	12:53:25
Start date:	09/10/2011
Path:	C:\WINDOWS\system32\winsys32.sys
Commandline:	not known
Imagebase:
File size:	10112 bytes
MD5 hash:	9A8004E2F0093E3FE542FA53BD6AD1B2

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	generic read	no options		success or wait	1

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
\Device\KeyboardClassC	SymbolicLinkCreate	Symbolic link name: \DosDevices\KeyboardClassC		success or wait	1

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	read	commit	40000	12288	own pid	readonly	success or wait	1

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSYS32\0000\Control	ActiveService	String	winsys32	success or wait	1

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsys32\Enum	Count	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSYS32\0000	ConfigFlags	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsys32	ImagePath	buffer overflow	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsys32	ImagePath	success or wait	1

Memory Activities:

Memory written
PID	Filepath	Base	Length	Value	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	2020000	266	B8 78 56 34 12 60 E8 01 00 00 00 00 5A F6 02 FF 75 48 FE 02 81 EC 14 00 00 00 89 E0 E8 3B 00 00 00 09 DB 74 2F E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 5A E8 99 00 00 00 09 D2 74 13 E8 0C 00 00 00 6D 66 63 34 32 75 6C 2E 64 6C 6C 00 FF D2 81 C4 14 00 00 00 61 C3 64 8B 1D 30 00 00 00 8B 53 0C 81 C2 1C 00 00 00 8B 1A FC 39 D3 74 5E 8B 73 20 E8 1A 00 00 00 6B 00 65 00 72 00 6E 00 65 00 6C 00 33 00 32 00 2E 00 64 00 6C 00 6C 00 00 00 5F B9 0D 00 00 00 F3 66 A7 89 D9 8B 1B 75 CB 8B 59 08 89 18 8B 4B 3C 8B 4C 0B 78 01 D9 8B 51 18 89 50 04 8B 51 20 01 DA 89 50 08 8B 51 24 01 DA 89 50 0C 8B 51 1C 01 DA 89 50 10 C3 31 DB 89 18 C3 8B 48 04 8B 58 08 89 C5 FC E3 26 49 8B 34 8B 03 75 00 89 D7 AC 3A 07 75 F0 08 C0 74 03 47 EB F4 8B 5D 0C 0F B7 1C 4B 8B 55	success or wait	1
1552	C:\WINDOWS\explorer.exe	2050000	266	B8 78 56 34 12 60 E8 01 00 00 00 00 5A F6 02 FF 75 48 FE 02 81 EC 14 00 00 00 89 E0 E8 3B 00 00 00 09 DB 74 2F E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 5A E8 99 00 00 00 09 D2 74 13 E8 0C 00 00 00 6D 66 63 34 32 75 6C 2E 64 6C 6C 00 FF D2 81 C4 14 00 00 00 61 C3 64 8B 1D 30 00 00 00 8B 53 0C 81 C2 1C 00 00 00 8B 1A FC 39 D3 74 5E 8B 73 20 E8 1A 00 00 00 6B 00 65 00 72 00 6E 00 65 00 6C 00 33 00 32 00 2E 00 64 00 6C 00 6C 00 00 00 5F B9 0D 00 00 00 F3 66 A7 89 D9 8B 1B 75 CB 8B 59 08 89 18 8B 4B 3C 8B 4C 0B 78 01 D9 8B 51 18 89 50 04 8B 51 20 01 DA 89 50 08 8B 51 24 01 DA 89 50 0C 8B 51 1C 01 DA 89 50 10 C3 31 DB 89 18 C3 8B 48 04 8B 58 08 89 C5 FC E3 26 49 8B 34 8B 03 75 00 89 D7 AC 3A 07 75 F0 08 C0 74 03 47 EB F4 8B 5D 0C 0F B7 1C 4B 8B 55	success or wait	1

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	2020000	F8AC7BD8	page execute and read and write	success or wait	1
1552	C:\WINDOWS\explorer.exe	2050000	F8AC7BD8	page execute and read and write	success or wait	1

Memory attributes changed
PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	7C90DF4E	1000	page execute and write copy	page execute read	success or wait	1
1552	C:\WINDOWS\explorer.exe	7C90DF4E	1000	page execute and write copy	page execute and read and write	success or wait	1

Driver Activities:

Device created
Device name	Device type	Completion	Count	Source Address
\Device\KeyboardClassC	keyboard	success or wait	1

System Activities:

System information queried
System info class	Completion	Count	Source Address
ProcessInformation	success or wait	1
ModuleInformation	info length mismatch	3
ModuleInformation	success or wait	2
ModuleInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1
ProcessInformation	success or wait	1

Chronological sections
Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsys32\Enum Name: Count	success or wait	1589357030
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSYS32\0000 Name: ConfigFlags	success or wait	1589357924
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINSYS32\0000\Control Name: ActiveService Type: String Data: winsys32	success or wait	1589359073
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsys32 Name: ImagePath	buffer overflow	1589359502
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winsys32 Name: ImagePath	success or wait	1589359690
File opened	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: generic read Options: no options	success or wait	1589359952
Section loaded	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: read Type: commit Baseaddress: 40000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1589360786
Device created	Device Name: \Device\KeyboardClassC Device Type: keyboard	success or wait	1589361782
Symbolic link created	Symbolic link name: \DosDevices\KeyboardClassC File path: \Device\KeyboardClassC	success or wait	1589362047
System info queried	Type: ProcessInformation	success or wait	1603214194
System info queried	Type: ModuleInformation	info length mismatch	1606769291
System info queried	Type: ModuleInformation	success or wait	1606769643
Memory allocated	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2020000 Length: F8AC7BD8 Allocation Type: null Protection: page execute and read and write	success or wait	1606780158
Memory written	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2020000 Length: 266 Value: B8 78 56 34 12 60 E8 01 00 00 00 00 5A F6 02 FF 75 48 FE 02 81 EC 14 00 00 00 89 E0 E8 3B 00 00 00 09 DB 74 2F E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 5A E8 99 00 00 00 09 D2 74 13 E8 0C 00 00 00 6D 66 63 34 32 75 6C 2E 64 6C 6C 00 FF D2 81 C4 14 00 00 00 61 C3 64 8B 1D 30 00 00 00 8B 53 0C 81 C2 1C 00 00 00 8B 1A FC 39 D3 74 5E 8B 73 20 E8 1A 00 00 00 6B 00 65 00 72 00 6E 00 65 00 6C 00 33 00 32 00 2E 00 64 00 6C 00 6C 00 00 00 5F B9 0D 00 00 00 F3 66 A7 89 D9 8B 1B 75 CB 8B 59 08 89 18 8B 4B 3C 8B 4C 0B 78 01 D9 8B 51 18 89 50 04 8B 51 20 01 DA 89 50 08 8B 51 24 01 DA 89 50 0C 8B 51 1C 01 DA 89 50 10 C3 31 DB 89 18 C3 8B 48 04 8B 58 08 89 C5 FC E3 26 49 8B 34 8B 03 75 00 89 D7 AC 3A 07 75 F0 08 C0 74 03 47 EB F4 8B 5D 0C 0F B7 1C 4B 8B 55	success or wait	1606838789
System info queried	Type: ModuleInformation	info length mismatch	1606839609
System info queried	Type: ModuleInformation	success or wait	1606839961
Memory attributes changed	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C90DF4E Length: 1000 New Protection: page execute and write copy New Protection: page execute read		1606850627
Memory allocated	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2050000 Length: F8AC7BD8 Allocation Type: null Protection: page execute and read and write	success or wait	1610455695
Memory written	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2050000 Length: 266 Value: B8 78 56 34 12 60 E8 01 00 00 00 00 5A F6 02 FF 75 48 FE 02 81 EC 14 00 00 00 89 E0 E8 3B 00 00 00 09 DB 74 2F E8 0D 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 5A E8 99 00 00 00 09 D2 74 13 E8 0C 00 00 00 6D 66 63 34 32 75 6C 2E 64 6C 6C 00 FF D2 81 C4 14 00 00 00 61 C3 64 8B 1D 30 00 00 00 8B 53 0C 81 C2 1C 00 00 00 8B 1A FC 39 D3 74 5E 8B 73 20 E8 1A 00 00 00 6B 00 65 00 72 00 6E 00 65 00 6C 00 33 00 32 00 2E 00 64 00 6C 00 6C 00 00 00 5F B9 0D 00 00 00 F3 66 A7 89 D9 8B 1B 75 CB 8B 59 08 89 18 8B 4B 3C 8B 4C 0B 78 01 D9 8B 51 18 89 50 04 8B 51 20 01 DA 89 50 08 8B 51 24 01 DA 89 50 0C 8B 51 1C 01 DA 89 50 10 C3 31 DB 89 18 C3 8B 48 04 8B 58 08 89 C5 FC E3 26 49 8B 34 8B 03 75 00 89 D7 AC 3A 07 75 F0 08 C0 74 03 47 EB F4 8B 5D 0C 0F B7 1C 4B 8B 55	success or wait	1610626914
System info queried	Type: ModuleInformation	info length mismatch	1610744893
System info queried	Type: ModuleInformation	success or wait	1610746643
Memory attributes changed	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C90DF4E Length: 1000 New Protection: page execute and write copy New Protection: page execute and read and write		1610776079
System info queried	Type: ProcessInformation	success or wait	1614323711
System info queried	Type: ProcessInformation	success or wait	1617903175
System info queried	Type: ProcessInformation	success or wait	1621482749
System info queried	Type: ProcessInformation	success or wait	1625063063
System info queried	Type: ProcessInformation	success or wait	1628646709
System info queried	Type: ProcessInformation	success or wait	1632222225
System info queried	Type: ProcessInformation	success or wait	1635822862
System info queried	Type: ProcessInformation	success or wait	1639385280
System info queried	Type: ProcessInformation	success or wait	1642961403
System info queried	Type: ProcessInformation	success or wait	1646541065
System info queried	Type: ProcessInformation	success or wait	1650120405
System info queried	Type: ProcessInformation	success or wait	1653702168
System info queried	Type: ProcessInformation	success or wait	1657393412
System info queried	Type: ProcessInformation	success or wait	1660967852
System info queried	Type: ProcessInformation	success or wait	1664556644
System info queried	Type: ProcessInformation	success or wait	1668151852
System info queried	Type: ProcessInformation	success or wait	1671713895
System info queried	Type: ProcessInformation	success or wait	1675289070
System info queried	Type: ProcessInformation	success or wait	1678869644
System info queried	Type: ProcessInformation	success or wait	1682448753
System info queried	Type: ProcessInformation	success or wait	1686028793
System info queried	Type: ProcessInformation	success or wait	1689610738
System info queried	Type: ProcessInformation	success or wait	1693192867
System info queried	Type: ProcessInformation	success or wait	1696768262
System info queried	Type: ProcessInformation	success or wait	1700345982
System info queried	Type: ProcessInformation	success or wait	1703926142
System info queried	Type: ProcessInformation	success or wait	1707505760
System info queried	Type: ProcessInformation	success or wait	1711085653
System info queried	Type: ProcessInformation	success or wait	1714672059
System info queried	Type: ProcessInformation	success or wait	1718246625
System info queried	Type: ProcessInformation	success or wait	1721820506
System info queried	Type: ProcessInformation	success or wait	1725400493
System info queried	Type: ProcessInformation	success or wait	1728989396
System info queried	Type: ProcessInformation	success or wait	1732696515
System info queried	Type: ProcessInformation	success or wait	1736252774
System info queried	Type: ProcessInformation	success or wait	1739831950
System info queried	Type: ProcessInformation	success or wait	1743411189
System info queried	Type: ProcessInformation	success or wait	1746990280
System info queried	Type: ProcessInformation	success or wait	1750567221
System info queried	Type: ProcessInformation	success or wait	1754154375
System info queried	Type: ProcessInformation	success or wait	1757729422
System info queried	Type: ProcessInformation	success or wait	1761312808
System info queried	Type: ProcessInformation	success or wait	1764888571
System info queried	Type: ProcessInformation	success or wait	1768468180
System info queried	Type: ProcessInformation	success or wait	1772047451
System info queried	Type: ProcessInformation	success or wait	1775626813
System info queried	Type: ProcessInformation	success or wait	1779206542
System info queried	Type: ProcessInformation	success or wait	1782786147
System info queried	Type: ProcessInformation	success or wait	1786366263
System info queried	Type: ProcessInformation	success or wait	1789942278
System info queried	Type: ProcessInformation	success or wait	1793541682
System info queried	Type: ProcessInformation	success or wait	1797122986
System info queried	Type: ProcessInformation	success or wait	1800822035
System info queried	Type: ProcessInformation	success or wait	1804375456
System info queried	Type: ProcessInformation	success or wait	1807957422
System info queried	Type: ProcessInformation	success or wait	1811539655
System info queried	Type: ProcessInformation	success or wait	1815118950
System info queried	Type: ProcessInformation	success or wait	1818698791
System info queried	Type: ProcessInformation	success or wait	1822779570
System info queried	Type: ProcessInformation	success or wait	1826355062
System info queried	Type: ProcessInformation	success or wait	1829937640
System info queried	Type: ProcessInformation	success or wait	1833514848
System info queried	Type: ProcessInformation	success or wait	1837097089
System info queried	Type: ProcessInformation	success or wait	1840673237
System info queried	Type: ProcessInformation	success or wait	1844250631
System info queried	Type: ProcessInformation	success or wait	1847836275
System info queried	Type: ProcessInformation	success or wait	1851412919
System info queried	Type: ProcessInformation	success or wait	1854991649
System info queried	Type: ProcessInformation	success or wait	1858571454
System info queried	Type: ProcessInformation	success or wait	1862153359
System info queried	Type: ProcessInformation	success or wait	1865731972
System info queried	Type: ProcessInformation	success or wait	1869373540
System info queried	Type: ProcessInformation	success or wait	1872947146
System info queried	Type: ProcessInformation	success or wait	1876991431
System info queried	Type: ProcessInformation	success or wait	1880551599
System info queried	Type: ProcessInformation	success or wait	1884314268
System info queried	Type: ProcessInformation	success or wait	1887880285
System info queried	Type: ProcessInformation	success or wait	1891458867
System info queried	Type: ProcessInformation	success or wait	1895036090
System info queried	Type: ProcessInformation	success or wait	1898618823
System info queried	Type: ProcessInformation	success or wait	1902198560
System info queried	Type: ProcessInformation	success or wait	1905779739
System info queried	Type: ProcessInformation	success or wait	1909376316
System info queried	Type: ProcessInformation	success or wait	1912939023
System info queried	Type: ProcessInformation	success or wait	1916516053
System info queried	Type: ProcessInformation	success or wait	1920096254
System info queried	Type: ProcessInformation	success or wait	1923676481
System info queried	Type: ProcessInformation	success or wait	1927255950
System info queried	Type: ProcessInformation	success or wait	1930836870
System info queried	Type: ProcessInformation	success or wait	1934413749
System info queried	Type: ProcessInformation	success or wait	1938011846
System info queried	Type: ProcessInformation	success or wait	1941631311
System info queried	Type: ProcessInformation	success or wait	1945587302
System info queried	Type: ProcessInformation	success or wait	1949179715
System info queried	Type: ProcessInformation	success or wait	1953114722
System info queried	Type: ProcessInformation	success or wait	1956785076
System info queried	Type: ProcessInformation	success or wait	1960904197
System info queried	Type: ProcessInformation	success or wait	1964506000
System info queried	Type: ProcessInformation	success or wait	1968437069
System info queried	Type: ProcessInformation	success or wait	1972223606
System info queried	Type: ProcessInformation	success or wait	1975914176
System info queried	Type: ProcessInformation	success or wait	1979828951
System info queried	Type: ProcessInformation	success or wait	1983408048
System info queried	Type: ProcessInformation	success or wait	1986987568
System info queried	Type: ProcessInformation	success or wait	1990578914
System info queried	Type: ProcessInformation	success or wait	1994146133
System info queried	Type: ProcessInformation	success or wait	1997726168
System info queried	Type: ProcessInformation	success or wait	2001305909
System info queried	Type: ProcessInformation	success or wait	2004886274
System info queried	Type: ProcessInformation	success or wait	2008464756
System info queried	Type: ProcessInformation	success or wait	2012047581
System info queried	Type: ProcessInformation	success or wait	2015623966
System info queried	Type: ProcessInformation	success or wait	2019254453
System info queried	Type: ProcessInformation	success or wait	2022839478
System info queried	Type: ProcessInformation	success or wait	2026442765

Sections

General
Start time:	12:53:25
Start date:	09/10/2011
Path:	C:\WINDOWS\explorer.exe
Commandline:	C:\WINDOWS\Explorer.EXE
Imagebase:	0x1000000
File size:	1033728 bytes
MD5 hash:	12896823FB95BFB3DC9B46BCAEDC9923

File Activities:

File opened
File Path	Access	Options	Content overwritten	Completion	Count	Source Address
KeyboardClassC	read attributes and synchronize and generic read and generic write	synchronous io non alert and non directory file	true	success or wait	1	293003E

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
C:\WINDOWS\system32\mfc42ul.dll	write and read and execute	commit	2920000	352256	own pid	execute	success or wait	1
C:\WINDOWS\system32\mfc42ul.dll	query and write and read and execute	image	2920000	356352	own pid	read write	image not at base	1
C:\WINDOWS\system32\mfc42ul.dll	query and write and read and execute	image	2920000	356352	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\snmpapi.dll	query and write and read and execute	image	71F60000	32768	own pid	read write	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\SYS!ICP!393-2	query and write and read	commit	1980000	8192	own pid	read write	success or wait	1	292A318
\BaseNamedObjects\SYS!ICP!3949-1a	query and write and read	commit	1990000	4096	own pid	read write	success or wait	1	292A318
\BaseNamedObjects\SYS!ICP!393-1	query and write and read	commit	2B20000	1052672	own pid	read write	success or wait	1	292A318
\BaseNamedObjects\SYS!ICP!393-1	query and write and read	commit	2CB0000	1052672	own pid	read write	success or wait	1	292A318
C:\WINDOWS\system32\wshtcpip.dll	write and read and execute	commit	2020000	20480	own pid	execute	success or wait	1	293275B
C:\WINDOWS\system32\wshtcpip.dll	query and write and read and execute	image	71A90000	32768	own pid	read write	success or wait	1	293275B

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ProxyEnable	success or wait	1	2927F62

Mutant Activities:

Mutant created
Name	Completion	Count	Source Address
\BaseNamedObjects\SYS!ICP!393-2-M	success or wait	1	2932A02
\BaseNamedObjects\SYS!ICP!393-1M	success or wait	1	2932A02
\BaseNamedObjects\SYS!ICP!393-1MR	success or wait	1	2932A02
\BaseNamedObjects\SYS!ICP!94062	success or wait	1	2932A02
\BaseNamedObjects\SYS!ICP!393-1M	object name exists	1	2932A02
\BaseNamedObjects\SYS!ICP!393-1MR	object name exists	1	2932A02
\BaseNamedObjects\SYS!ICP!94064	success or wait	1	2932A02
\BaseNamedObjects\SYS!IPC!79025	success or wait	1	292FCB2

Thread Activities:

Thread created
TID	PID	EIP	Injected	Filepath	Completion	Count	Source Address
1800	1552	7C8106F9	false	C:\WINDOWS\explorer.exe	success or wait	1	2932949
1684	1552	7C8106F9	false	C:\WINDOWS\explorer.exe	success or wait	1	2932949
2012	1552	7C8106F9	false	C:\WINDOWS\explorer.exe	success or wait	1	2932949
1348	1552	7C8106F9	false	C:\WINDOWS\explorer.exe	success or wait	1	2932949
1976	1552	7C8106F9	false	C:\WINDOWS\explorer.exe	success or wait	1	2932949
1944	1552	7C8106F9	false	C:\WINDOWS\explorer.exe	success or wait	1	2932949

Thread resumed
TID	PID	Completion	Count	Source Address
1800	1552	success or wait	1	2932953
1684	1552	success or wait	1	2932953
2012	1552	success or wait	1	2932953
1348	1552	success or wait	1	2932953
1976	1552	success or wait	1	2932953
1944	1552	success or wait	1	2932953

Thread delayed
TID	Delay	Completion	Count	Source Address
5764	0s	success or wait	7096	293297B
4936	70s	success or wait	1	293297B
4936	74s	no status	0	293297B
6144	-1s	no status	0	293297B

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
1552	C:\WINDOWS\explorer.exe	2DC0000	2C6FF1C	page read and write	success or wait	1	294E060

System Activities:

System information queried
System info class	Completion	Count	Source Address
CurrentTimeZoneInformation	success or wait	4	294E24A

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: C:\WINDOWS\system32\mfc42ul.dll Access: write and read and execute Type: commit Baseaddress: 2920000 Size: 352256 Protection: execute Mapped to pid: own pid	success or wait	1603352615
Section loaded	Path: C:\WINDOWS\system32\mfc42ul.dll Access: query and write and read and execute Type: image Baseaddress: 2920000 Size: 356352 Protection: read write Mapped to pid: own pid	image not at base	1603355538
Section loaded	Path: C:\WINDOWS\system32\mfc42ul.dll Access: query and write and read and execute Type: image Baseaddress: 2920000 Size: 356352 Protection: read write Mapped to pid: own pid	conflicting addresses	1603426433
Section loaded	Path: C:\WINDOWS\system32\snmpapi.dll Access: query and write and read and execute Type: image Baseaddress: 71F60000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1603453776
Mutant created	Name: \BaseNamedObjects\SYS!ICP!393-2-M	success or wait	1603540553
Section loaded	Path: \BaseNamedObjects\SYS!ICP!393-2 Access: query and write and read Type: commit Baseaddress: 1980000 Size: 8192 Protection: read write Mapped to pid: own pid	success or wait	1603541169
Thread created	PID: 1552 TID: 1800 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false	success or wait	1603546672
Thread resumed	TID: 1800 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1603547971
File opened	Path: KeyboardClassC Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true	success or wait	1603557513
Section loaded	Path: \BaseNamedObjects\SYS!ICP!3949-1a Access: query and write and read Type: commit Baseaddress: 1990000 Size: 4096 Protection: read write Mapped to pid: own pid	success or wait	1603571745
Key value queried	Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: ProxyEnable	success or wait	1603574335
Mutant created	Name: \BaseNamedObjects\SYS!ICP!393-1M	success or wait	1603574868
Mutant created	Name: \BaseNamedObjects\SYS!ICP!393-1MR	success or wait	1603593676
Section loaded	Path: \BaseNamedObjects\SYS!ICP!393-1 Access: query and write and read Type: commit Baseaddress: 2B20000 Size: 1052672 Protection: read write Mapped to pid: own pid	success or wait	1603594333
Thread created	PID: 1552 TID: 1684 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false	success or wait	1603604547
Thread resumed	TID: 1684 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1603605753
Mutant created	Name: \BaseNamedObjects\SYS!ICP!94062	success or wait	1603606310
Thread delayed	Time: 0 TID: 5764	success or wait	1603610279
Thread created	PID: 1552 TID: 2012 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false	success or wait	1603614367
Thread resumed	TID: 2012 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1603616183
Mutant created	Name: \BaseNamedObjects\SYS!ICP!393-1M	object name exists	1603618508
Mutant created	Name: \BaseNamedObjects\SYS!ICP!393-1MR	object name exists	1603619329
Mutant created	Name: \BaseNamedObjects\SYS!ICP!94064	success or wait	1603620753
Section loaded	Path: \BaseNamedObjects\SYS!ICP!393-1 Access: query and write and read Type: commit Baseaddress: 2CB0000 Size: 1052672 Protection: read write Mapped to pid: own pid	success or wait	1603622452
Memory allocated	PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2DC0000 Length: 2C6FF1C Allocation Type: null Protection: page read and write	success or wait	1603623304
Thread created	PID: 1552 TID: 1348 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false	success or wait	1603625914
Thread resumed	TID: 1348 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1603628705
System info queried	Type: CurrentTimeZoneInformation	success or wait	1603628792
System info queried	Type: CurrentTimeZoneInformation	success or wait	1603629934
Thread delayed	Time: 70 TID: 4936	success or wait	1603635424
Thread delayed	Time: 0 TID: 5764	success or wait	1603646441
Thread created	PID: 1552 TID: 1976 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false	success or wait	1603646939
Thread resumed	TID: 1976 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1603648812
Mutant created	Name: \BaseNamedObjects\SYS!IPC!79025	success or wait	1603654281
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 2020000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	1603687924
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	1603689687
Thread delayed	Time: 0 TID: 5764	success or wait	1603693049
Thread delayed	Time: 0 TID: 5764	success or wait	1603793379
Thread delayed	Time: 0 TID: 5764	success or wait	1604254967
Thread delayed	Time: 0 TID: 5764	success or wait	1604482760
Thread created	PID: 1552 TID: 1944 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false	success or wait	1604484234
Thread resumed	TID: 1944 PID: 1552 Path: C:\WINDOWS\explorer.exe	success or wait	1604504701
Thread delayed	Time: 0 TID: 5764	success or wait	1604533290
Thread delayed	Time: 0 TID: 5764	success or wait	1604598980
Thread delayed	Time: 0 TID: 5764	success or wait	1604653776
Thread delayed	Time: 0 TID: 5764	success or wait	1604736024
Thread delayed	Time: 0 TID: 5764	success or wait	1604790138
Thread delayed	Time: 0 TID: 5764	success or wait	1604815784
Thread delayed	Time: 0 TID: 5764	success or wait	1604868592
Thread delayed	Time: 0 TID: 5764	success or wait	1604959865
Thread delayed	Time: 0 TID: 5764	success or wait	1605609188
Thread delayed	Time: 0 TID: 5764	success or wait	1605657764
Thread delayed	Time: 0 TID: 5764	success or wait	1605707039
Thread delayed	Time: 0 TID: 5764	success or wait	1605762750
Thread delayed	Time: 0 TID: 5764	success or wait	1605820488
Thread delayed	Time: 0 TID: 5764	success or wait	1605885344
Thread delayed	Time: 0 TID: 5764	success or wait	1605939723
Thread delayed	Time: 0 TID: 5764	success or wait	1605995759
Thread delayed	Time: 0 TID: 5764	success or wait	1606043671
Thread delayed	Time: 0 TID: 5764	success or wait	1606098790
Thread delayed	Time: 0 TID: 5764	success or wait	1606168907
Thread delayed	Time: 0 TID: 5764	success or wait	1606218901
Thread delayed	Time: 0 TID: 5764	success or wait	1606272921
Thread delayed	Time: 0 TID: 5764	success or wait	1606325357
Thread delayed	Time: 0 TID: 5764	success or wait	1606411038
Thread delayed	Time: 0 TID: 5764	success or wait	1606434654
Thread delayed	Time: 0 TID: 5764	success or wait	1606489928
Thread delayed	Time: 0 TID: 5764	success or wait	1606545818
Thread delayed	Time: 0 TID: 5764	success or wait	1606601477
Thread delayed	Time: 0 TID: 5764	success or wait	1606658183
Thread delayed	Time: 0 TID: 5764	success or wait	1606713753
Thread delayed	Time: 0 TID: 5764	success or wait	1606839091
Thread delayed	Time: 0 TID: 5764	success or wait	1606884222
Thread delayed	Time: 0 TID: 5764	success or wait	1606938247
Thread delayed	Time: 0 TID: 5764	success or wait	1606994528
Thread delayed	Time: 0 TID: 5764	success or wait	1607075727
Thread delayed	Time: 0 TID: 5764	success or wait	1607105116
Thread delayed	Time: 0 TID: 5764	success or wait	1607161162
Thread delayed	Time: 0 TID: 5764	success or wait	1607218136
Thread delayed	Time: 0 TID: 5764	success or wait	1607272971
Thread delayed	Time: 0 TID: 5764	success or wait	1607332143
Thread delayed	Time: 0 TID: 5764	success or wait	1607385024
Thread delayed	Time: 0 TID: 5764	success or wait	1607441352
Thread delayed	Time: 0 TID: 5764	success or wait	1607497059
Thread delayed	Time: 0 TID: 5764	success or wait	1607552841
Thread delayed	Time: 0 TID: 5764	success or wait	1607609246
System info queried	Type: CurrentTimeZoneInformation	success or wait	1713713925
System info queried	Type: CurrentTimeZoneInformation	success or wait	1930834866

Sections

General
Start time:	12:53:29
Start date:	09/10/2011
Path:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe
Commandline:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe C:\SCUINT~2.EXE
Imagebase:	0x400000
File size:	40960 bytes
MD5 hash:	96C56885D0C87B41D0A657A8789779F2

File Activities:

File deleted
File Path	Completion	Count	Source Address
C:\SCUINT~2.EXE	success or wait	1	4010AA

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count
\KnownDlls\kernel32.dll	write and read and execute	image	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	image	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	image	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	image	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	image	320000	24576	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\NLS\NlsSectionCType	read	image	340000	12288	own pid	readonly	success or wait	1	4044F1

Process Activities:

Process terminated
PID	Filepath	Completion	Count	Source Address
1232	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	success or wait	1	4014A6
1232	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	success or wait	0	4014A6

Thread Activities:

Thread delayed
TID	Delay	Completion	Count	Source Address
278	1s	success or wait	1	401044

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: image Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	1605662904
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: image Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	1605703175
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: image Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1605709787
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: image Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	1605713118
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: image Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	1605713669
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: image Baseaddress: 340000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	1605758829
Thread delayed	Time: 1 TID: 278	success or wait	1605760361
File deleted	Path: C:\SCUINT~2.EXE	success or wait	1609297526
Process terminated	PID: 1232 Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~acrd~tmp~.exe	success or wait	1609324510