Joebox - Abstract Analysis File 2738

General information
Joebox version:	4.1.3
Start time:	13:33:47
Start date:	26/07/2011
Overall analysis duration:	0h 3m 11s
Target binary file name:	contacts_053.exe
Target script file name:	default.jbs
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Errors:

Summary
SQL strings found in memory and binary data
Printf formating strings found in memory and binary data
Binary contains paths to debug symbols
Spawns processes
Queries a list of all running processes
Queries a list of all running drivers
Creates windows services
Creates files inside the system directory
Creates files inside the driver directory
Creates driver files
Infects executable files (uses memory mapped files)	C:\WINDOWS\system32\drivers\mrxsmb.sys
Spawns drivers
Writes to foreign memory regions
Binary may include packed or crypted data
Modifies the context of a thread in another process (thread injection)
Maps a DLL or memory area into another process
Modifies IRP (I/O request packets) handlers (IRP hooks)
Registers kernel notifiers (kernel callbacks)
Allocates memory in foreign processes

Static File Information

PE Information

General
Entrypoint:	0x401019L	.text
Imagebase:	0x400000L
Time stamp:	0x4E204F4B [Fri Jul 15 14:31:39 2011 UTC]
Subsystem:	windows gui
TLS callbacks:

Resources
Name	RVA address	Size	Type
English	0x6d778L	0x658L	ump; data
English	0x6de40L	0x6fcL	ump; data
English	0x6e578L	0xa50L	ump; data
English	0x6efe0L	0x128L	ump; data
English	0x6d5d0L	0xa4L	ump; data
English	0x6d678L	0xfeL	ump; data
English	0x6f3f0L	0x98L	ump; data
English	0x6f530L	0x30L	ump; data
English	0x6f560L	0x28L	ump; data
English	0x6f500L	0x30L	ump; data
English	0x6f4d0L	0x2eL	ump; data
English	0x6e558L	0x20L	ump; Hitachi SH big-endian COFF object, not stripped
English	0x6f488L	0x48L	ump; data
English	0x6dde8L	0x58L	ump; data
English	0x6e540L	0x14L	ump; MS Windows icon resource - 1 icon
English	0x6ddd0L	0x14L	ump; MS Windows icon resource - 1 icon
English	0x6efc8L	0x14L	ump; MS Windows icon resource - 1 icon
English	0x6f108L	0x2e4L	ump; data

Imports
DLL	Import
kernel32.dll	SetFilePointer, SetStdHandle, SetFileAttributesW, VerSetConditionMask, SetEnvironmentVariableA, RtlZeroMemory, CloseHandle, RtlUnwind, RtlMoveMemory, RtlFillMemory, RtlCaptureStackBackTrace, RtlCaptureContext, ResetEvent, SetSystemPowerState
user32.dll	SetLayeredWindowAttributes, SetUserObjectInformationA, ClientToScreen, SetSysColors
gdi32.dll	SetDCBrushColor, ResizePalette, EnumFontsA, CreateEllipticRgn, SetSystemPaletteUse, SetTextJustification, SetMetaRgn
shlwapi.dll	PathSkipRootA
shell32.dll	SHCreateDirectory
inseng.dll	GetICifFileFromFile

Exports
E3BnbuqhATEn9, ESbOWj, LzJuYUgw, O3jvQO8iY1L7k0, Wfw, Y8Nw9cF6wpocSmjYyWq, ZzltM61vCaLREurSm, f5nOhW, jyPsVRE81Qye

Sections
Name	Virtual address	Virtual size	Raw size	entropy
.text	0x1000L	0x2c61bL	0x2c800L	6.07186136679
.rdata	0x2e000L	0x39fL	0x400L	1.89794523196
.data	0x2f000L	0x3c0e3L	0x4e00L	5.58781790769
.idata	0x6c000L	0x735L	0x800L	3.04730653555
.rsrc	0x6d000L	0x2ce0L	0x2e00L	5.03890674427
.reloc	0x70000L	0x949L	0xa00L	3.48181001246

Version Infos
Description	Data
FileVersion	5.918.84
InternalName	vxkeoqjxms
ProductVersion	5.918.84
LegalCopyright	p9!9x3o0 qow.AR
FileDescription	V.q,Ix DDoq827 nyP7
CompanyName	wna5z9 LO0ekX
ProductName	ecvLRJHM7 LzpkNHNe 9
OriginalFilename	vxkeoqjxms
Translation	0x0000 0x04b0

Possible Origin
Language of compilation system	Country where language is spoken	Map
English	United States

String Analysis

SQL
String value	Source
INSERT INTO AuthMonitor (BUILDLAB,CARD,CERTISSUER,DC,DOMAIN,MACHINENAME,READER,SESSION,STATUS,STOPWATCH,TIMESTAMP,UNLOCK,USERNAME) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)	winlogon.exe

Formattings for printf style functions
String value	Source
%s\%s\%s\%s\%s	explorer.exe, winlogon.exe
\registry\MACHINE\SYSTEM\CurrentControlSet\services\%S	contacts_053.exe
%f7A{[	contacts_053.exe, explorer.exe
GET /%s HTTP/1.0	contacts_053.exe
GET /stat2.php?w=%u&i=%s&a=%u HTTP/1.1	contacts_053.exe
u%fPfSh	winlogon.exe
%ls %ls	explorer.exe, winlogon.exe
y%pY2d\|	contacts_053.exe
8Uf4E%iP	contacts_053.exe
%iwM2iw	winlogon.exe
%s\%s\%s\%s\%s\%s	explorer.exe, winlogon.exe
l*",%pH	contacts_053.exe
\systemroot\$NtUninstallKB%u$	contacts_053.exe
\??\%s\%x%x	contacts_053.exe
Assertion failed: %s, file %s, line %d	contacts_053.exe, explorer.exe, winlogon.exe
%d %d %d %d	explorer.exe, winlogon.exe
\registry\MACHINE\SYSTEM\CurrentControlSet\Services\%u	contacts_053.exe
6nN@g%oP*	winlogon.exe
GET /bad.php?w=%u&fail=%u&i=%s HTTP/1.0	contacts_053.exe
User-Agent: Opera/6 (Windows NT %u.%u; U; LangID=%x; x86)	contacts_053.exe
\registry\MACHINE\SYSTEM\CurrentControlSet\services\%s	contacts_053.exe
Host: %s	contacts_053.exe
%user%	winlogon.exe
DragDrop%lx	contacts_053.exe, explorer.exe, winlogon.exe
%s\%x%x	contacts_053.exe
<%p>%x	contacts_053.exe
mXE4%l	winlogon.exe
User-Agent: Opera/6 (Windows NT %u.%u; U; LangID=%x; x64)	contacts_053.exe
%xsuIpZ	contacts_053.exe
\systemroot\system32\drivers\%u.sys	contacts_053.exe
ache%OLK*	contacts_053.exe, winlogon.exe
u%fRQfS	winlogon.exe
v%x;zO\|V~fImT?	contacts_053.exe
WX?k%o	contacts_053.exe

Debug symbol paths
String value	Source
Z:\xampp\htdocs\project-727,Permutation\stable\tmp\PDBSIG.pdb	contacts_053.exe

Analysis Overview

Startup

system is xp

contacts_053.exe (PID: 656 MD5: 5FD25E5B07DCEF95B5A33788F587CCB1)

explorer.exe (PID: 772 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

winlogon.exe (PID: 608 MD5: ED0EF0A136DEC83DF69F04118870003E)

1254331455.SYS (PID: 4 MD5: 88473C7FF4698E92BC7177415E14D666)

* (PID: 4 MD5: C7C653B9CE1B9177200372816B560E64)

svchost.exe (PID: 1560 MD5: )

cleanup

Global Network Data

All TCP
Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 26, 2011 14:34:00.585518000 W. Europe Daylight Time	1124	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:00.720641000 W. Europe Daylight Time	1125	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:00.721391000 W. Europe Daylight Time	1126	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:00.722412000 W. Europe Daylight Time	1127	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:00.775388000 W. Europe Daylight Time	1128	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:00.791016000 W. Europe Daylight Time	1129	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:00.852992000 W. Europe Daylight Time	1130	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:01.223633000 W. Europe Daylight Time	1131	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:01.255955000 W. Europe Daylight Time	1132	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:01.281301000 W. Europe Daylight Time	1133	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:01.503160000 W. Europe Daylight Time	1134	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:01.655450000 W. Europe Daylight Time	1135	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:03.496781000 W. Europe Daylight Time	1124	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:03.934055000 W. Europe Daylight Time	1125	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.152805000 W. Europe Daylight Time	1126	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.268050000 W. Europe Daylight Time	1127	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.371555000 W. Europe Daylight Time	1128	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.777868000 W. Europe Daylight Time	1129	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.777971000 W. Europe Daylight Time	1130	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.778017000 W. Europe Daylight Time	1131	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.778061000 W. Europe Daylight Time	1132	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.778104000 W. Europe Daylight Time	1133	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.778140000 W. Europe Daylight Time	1134	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:04.887852000 W. Europe Daylight Time	1135	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:06.473346000 W. Europe Daylight Time	1136	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:06.473887000 W. Europe Daylight Time	1137	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:06.474442000 W. Europe Daylight Time	1138	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:09.371764000 W. Europe Daylight Time	1136	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:09.371893000 W. Europe Daylight Time	1137	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:09.371939000 W. Europe Daylight Time	1138	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:09.700734000 W. Europe Daylight Time	1124	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.027902000 W. Europe Daylight Time	1125	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.028006000 W. Europe Daylight Time	1126	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.028049000 W. Europe Daylight Time	1127	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.028089000 W. Europe Daylight Time	1128	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.028125000 W. Europe Daylight Time	1129	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.793643000 W. Europe Daylight Time	1130	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.793766000 W. Europe Daylight Time	1131	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.793811000 W. Europe Daylight Time	1132	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.793854000 W. Europe Daylight Time	1133	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.793905000 W. Europe Daylight Time	1134	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:10.903010000 W. Europe Daylight Time	1135	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:15.387394000 W. Europe Daylight Time	1136	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:15.387521000 W. Europe Daylight Time	1137	80	10.0.2.15	69.50.212.157
Jul 26, 2011 14:34:15.387565000 W. Europe Daylight Time	1138	80	10.0.2.15	69.50.212.157

Hooks

IRP Handler
Handler Function	Driver	Address	Type
IRP_MJ_SET_VOLUME_INFORMATION	\Driver\1254331455	FF8F32FC	new
IRP_MJ_QUERY_QUOTA	\Driver\1254331455	FF8F32FC	new
IRP_MJ_PNP	\Driver\1254331455	FF8F32FC	new
IRP_MJ_CREATE_MAILSLOT	\Driver\1254331455	FF8F32FC	new
IRP_MJ_POWER	\Driver\1254331455	FF8F32FC	new
IRP_MJ_DEVICE_CONTROL	\Driver\1254331455	FF8F32FC	new
IRP_MJ_READ	\Driver\1254331455	FF8F32FC	new
IRP_MJ_DIRECTORY_CONTROL	\Driver\1254331455	FF8F32FC	new
IRP_MJ_QUERY_VOLUME_INFORMATION	\Driver\1254331455	FF8F32FC	new
IRP_MJ_SET_SECURITY	\Driver\1254331455	FF8F32FC	new
IRP_MJ_WRITE	\Driver\1254331455	FF8F32FC	new
IRP_MJ_LOCK_CONTROL	\Driver\1254331455	FF8F32FC	new
IRP_MJ_CLEANUP	\Driver\1254331455	FF8F32FC	new
IRP_MJ_CLOSE	\Driver\1254331455	FF8F32FC	new
IRP_MJ_INTERNAL_DEVICE_CONTROL	\Driver\1254331455	FF8F32FC	new
IRP_MJ_CREATE	\Driver\1254331455	FF8F32FC	new
IRP_MJ_CREATE_NAMED_PIPE	\Driver\1254331455	FF8F32FC	new
IRP_MJ_SET_INFORMATION	\Driver\1254331455	FF8F32FC	new
IRP_MJ_DEVICE_CHANGE	\Driver\1254331455	FF8F32FC	new
IRP_MJ_QUERY_EA	\Driver\1254331455	FF8F32FC	new
IRP_MJ_FILE_SYSTEM_CONTROL	\Driver\1254331455	FF8F32FC	new
IRP_MJ_FLUSH_BUFFERS	\Driver\1254331455	FF8F32FC	new
IRP_MJ_SET_EA	\Driver\1254331455	FF8F32FC	new
IRP_MJ_SYSTEM_CONTROL	\Driver\1254331455	FF8F32FC	new
IRP_MJ_QUERY_SECURITY	\Driver\1254331455	FF8F32FC	new
IRP_MJ_SET_QUOTA	\Driver\1254331455	FF8F32FC	new
IRP_MJ_QUERY_INFORMATION	\Driver\1254331455	FF8F32FC	new
IRP_MJ_SHUTDOWN	\Driver\1254331455	FF8F32FC	new

New Devices
Driver	Device	Attached to (lower)	Attached to (upper)
\Driver\1254331455	\Device\svchost.exe
\Driver\1254331455	\Device\{BF4B1315-B293-4d02-BBFE-42EF72DD1C8E}

Device Extensions
Driver	Device	Extension Before	Extension After
\Driver\Disk	\Device\Harddisk0\DR0	00 00 00 03 81 AC 1A B8 81 AF 9B 58 81 AC 1B 70 81 AF 94 D0 00 00 00 01	00 00 00 03 81 AC 1A B8 FF B4 6D 78 81 AC 1B 70 81 AF 94 D0 00 00 00 01

Kernel Callback Routines
Notifier	Address
Registry	FF8F260E
Shutdown	FF8F32FC

Analysis File: contacts_053.exe PID: 656 Parent PID: 904

Sections

General
Start time:	04:48:55
Start date:	26/07/2011
Path:	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe
Commandline:	not known
Imagebase:	0x400000
File size:	221022 bytes
MD5 hash:	5FD25E5B07DCEF95B5A33788F587CCB1

File Activities:

File opened
File Path	Access	Options	Completion	Count	Source Address
C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	delete	no options	success or wait	1	401450

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	320000	24576	own pid	readonly	success or wait	1
\KnownDlls\user32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\shlwapi.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	598016	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\shell32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
C:\WINDOWS\system32\inseng.dll	query and write and read and execute	image	61000000	110592	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1298432	own pid	read write	success or wait	1
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1253376	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	1998848	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	unknown	330000	36864	own pid	read write	image not at base	1
\KnownDlls\Normaliz.dll	write and read and execute	unknown	330000	36864	own pid	read write	conflicting addresses	1
C:\WINDOWS\system32\advpack.dll	query and write and read and execute	image	65000000	188416	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
C:\WINDOWS\system32\setupapi.dll	query and write and read and execute	image	77920000	995328	own pid	read write	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	340000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	370000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	960000	8462336	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	write and read and execute	commit	960000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	390000	4096	own pid	execute	success or wait	1
unknown	unknown	unknown	390000	4096	own pid	readonly	success or wait	2
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	960000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\BaseNamedObjects\ShimSharedMemory	write	unknown	CA0000	57344	own pid	read write	success or wait	1	40136C
C:\WINDOWS\system32\apphelp.dll	write and read and execute	commit	CB0000	126976	own pid	execute	success or wait	1	40136C
C:\WINDOWS\system32\apphelp.dll	query and write and read and execute	image	77B40000	139264	own pid	read write	success or wait	1	40136C
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	CB0000	1208320	own pid	readonly	success or wait	1	40136C
C:\WINDOWS\explorer.exe	write and read and execute	commit	DE0000	1036288	own pid	execute	success or wait	2	40136C
unknown	unknown	unknown	DE0000	1036288	own pid	readonly	success or wait	2	40136C
unknown	unknown	unknown	CB0000	1036288	own pid	readonly	success or wait	1	40136C

Registry Activities:

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\Setup	MachineGuid	success or wait	1	4010D9

Process Activities:

Process started
PID	Filepath	Cmdline	Flags	Completion	Count	Source Address
772	C:\WINDOWS\explorer.exe	A4*	suspended	success or wait	1	40136C

Process terminated
PID	Filepath	Completion	Count	Source Address
not known	not known	success or wait	1	401458
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	success or wait	0	401458

Thread Activities:

Thread context set
TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count	Source Address
668	772	0	0	0	0	0	200	90000	success or wait	1	40137D

Thread resumed
TID	PID	Completion	Count	Source Address
668	772	success or wait	1	40137D

Memory Activities:

Memory written
PID	Filepath	Base	Length	Value	Completion	Count	Source Address
772	C:\WINDOWS\explorer.exe	90000	88928	64 A1 18 00 00 00 8D 88 A8 01 00 00 83 39 00 75 08 8D 90 18 0F 00 00 89 11 8B 40 30 8B 40 0C 8B 40 1C FF 74 24 04 83 E8 10 FF 70 18 E8 64 03 00 00 C2 0C 00 8B 00 8B 09 3B C8 76 04 83 C8 FF C3 1B C0 F7 D8 C3 55 8B EC 64 A1 18 00 00 00 8B 48 2C 8B 45 08 53 56 8B 71 04 57 33 FF BB 8A DE 67 35 8A 10 6B DB 21 88 55 0B 0F BE D2 33 DA 40 80 7D 0B 00 75 EC 8D 04 3E D1 E8 8B 54 C1 08 3B D3 74 16 73 05 8D 78 01 EB 02 8B F0 3B FE 72 E6 33 C0 5F 5E 5B 5D C2 04 00 8B 44 C1 0C 03 01 EB F1 55 8B EC 81 EC CC 02 00 00 56 57 6A 10 58 E8 4D 5A 01 00 8B 75 10 83 3E 00 74 29 33 C0 8D BD 34 FD FF FF B9 B3 00 00 00 F3 AB 8D 85 34 FD FF FF 50 6A FE C7 85 34 FD FF FF 10 00 01 00 E8 62 58 01 00 59 59 6A 10 58 E8 14 5A 01 00 E8 67 59 01 00 EB 0B 81 38 78 56 4F 23 74 18 8B 40 04 85	success or wait	1	40137D

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	B60000	12FE74	page read and write	success or wait	1	422475
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	3E0000	12FE74	page read and write	success or wait	1	422507
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	3F0000	12FE74	page read and write	success or wait	1	422475
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	B90000	12FE74	page read and write	success or wait	1	422507
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	BA0000	12FF0C	page read and write	success or wait	1	422A96
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	BC0000	12FE84	page read and write	success or wait	2	421FEA
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	BC0000	12FEFC	page execute and read and write	success or wait	1	422EB1
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	BF0000	12FCEC	page execute and read and write	success or wait	1	423241
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	C20000	12FF00	page execute and read and write	success or wait	1	423A41
772	C:\WINDOWS\explorer.exe	90000	12FE5C	page execute and read and write	success or wait	1	40137D

Memory attributes changed
PID	Filepath	Base	Length	New Protection	Old Protection	Completion	Count	Source Address
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	400000	2B000	page execute and read and write	page readonly	success or wait	1	423B25
656	C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	415B78	1000	page execute and read and write	page execute and read and write	success or wait	1	401450

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	964960620
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	964964823
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	964965311
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	964965953
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	964966220
Section loaded	Path: \KnownDlls\user32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	964968638
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	964969048
Section loaded	Path: \KnownDlls\shlwapi.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	964972068
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	964972596
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 598016 Protection: read write Mapped to pid: own pid	success or wait	964973774
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	964975436
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	964978519
Section loaded	Path: \KnownDlls\shell32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	964982077
Section loaded	Path: C:\WINDOWS\system32\inseng.dll Access: query and write and read and execute Type: image Baseaddress: 61000000 Size: 110592 Protection: read write Mapped to pid: own pid	success or wait	964989437
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	964993307
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1298432 Protection: read write Mapped to pid: own pid	success or wait	964995092
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1253376 Protection: read write Mapped to pid: own pid	success or wait	964998557
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 1998848 Protection: read write Mapped to pid: own pid	success or wait	965002087
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	965005123
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid	image not at base	965007842
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 330000 Size: 36864 Protection: read write Mapped to pid: own pid	conflicting addresses	965008651
Section loaded	Path: C:\WINDOWS\system32\advpack.dll Access: query and write and read and execute Type: image Baseaddress: 65000000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	965015295
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	965025439
Section loaded	Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid: own pid	success or wait	965027862
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	965037906
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	965039019
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	965040096
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	965049220
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 960000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	965052635
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 960000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	965070633
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	965071543
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 390000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	965075314
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	965076781
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 390000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	965077951
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	965093648
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 960000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	965100939
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: B60000 Length: 12FE74 Allocation Type: null Protection: page read and write	success or wait	965899937
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: 3E0000 Length: 12FE74 Allocation Type: null Protection: page read and write	success or wait	965904731
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: 3F0000 Length: 12FE74 Allocation Type: null Protection: page read and write	success or wait	965905055
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: B90000 Length: 12FE74 Allocation Type: null Protection: page read and write	success or wait	965905291
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: BA0000 Length: 12FF0C Allocation Type: null Protection: page read and write	success or wait	965905494
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: BC0000 Length: 12FE84 Allocation Type: null Protection: page read and write	success or wait	965905600
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: BC0000 Length: 12FE84 Allocation Type: null Protection: page read and write	success or wait	965916636
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: BC0000 Length: 12FEFC Allocation Type: null Protection: page execute and read and write	success or wait	965939056
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: BF0000 Length: 12FCEC Allocation Type: null Protection: page execute and read and write	success or wait	965944869
Memory allocated	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: C20000 Length: 12FF00 Allocation Type: null Protection: page execute and read and write	success or wait	965947236
Memory attributes changed	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: 400000 Length: 2B000 New Protection: page execute and read and write New Protection: page readonly	success or wait	965952939
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: MachineGuid	success or wait	965954223
Memory attributes changed	PID: 656 Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Base: 415B78 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write	success or wait	965954741
File opened	Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe Access: delete Options: no options	success or wait	965954905
Section loaded	Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: CA0000 Size: 57344 Protection: read write Mapped to pid: own pid	success or wait	965956347
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: CB0000 Size: 126976 Protection: execute Mapped to pid: own pid	success or wait	965957595
Section loaded	Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid	success or wait	965958554
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: CB0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	965960336
Section loaded	Path: C:\WINDOWS\explorer.exe Access: write and read and execute Type: commit Baseaddress: DE0000 Size: 1036288 Protection: execute Mapped to pid: own pid	success or wait	965968804
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: DE0000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	965970787
Section loaded	Path: C:\WINDOWS\explorer.exe Access: write and read and execute Type: commit Baseaddress: DE0000 Size: 1036288 Protection: execute Mapped to pid: own pid	success or wait	965975802
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: DE0000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	965976692
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: CB0000 Size: 1036288 Protection: readonly Mapped to pid: own pid	success or wait	965989363
Process created	PID: 772 Path: C:\WINDOWS\explorer.exe Cmdline: A4* Createflags: suspended	success or wait	965992331
Memory allocated	PID: 772 Path: C:\WINDOWS\explorer.exe Base: 90000 Length: 12FE5C Allocation Type: null Protection: page execute and read and write	success or wait	966252935
Memory written	PID: 772 Path: C:\WINDOWS\explorer.exe Base: 90000 Length: 88928 Value: 64 A1 18 00 00 00 8D 88 A8 01 00 00 83 39 00 75 08 8D 90 18 0F 00 00 89 11 8B 40 30 8B 40 0C 8B 40 1C FF 74 24 04 83 E8 10 FF 70 18 E8 64 03 00 00 C2 0C 00 8B 00 8B 09 3B C8 76 04 83 C8 FF C3 1B C0 F7 D8 C3 55 8B EC 64 A1 18 00 00 00 8B 48 2C 8B 45 08 53 56 8B 71 04 57 33 FF BB 8A DE 67 35 8A 10 6B DB 21 88 55 0B 0F BE D2 33 DA 40 80 7D 0B 00 75 EC 8D 04 3E D1 E8 8B 54 C1 08 3B D3 74 16 73 05 8D 78 01 EB 02 8B F0 3B FE 72 E6 33 C0 5F 5E 5B 5D C2 04 00 8B 44 C1 0C 03 01 EB F1 55 8B EC 81 EC CC 02 00 00 56 57 6A 10 58 E8 4D 5A 01 00 8B 75 10 83 3E 00 74 29 33 C0 8D BD 34 FD FF FF B9 B3 00 00 00 F3 AB 8D 85 34 FD FF FF 50 6A FE C7 85 34 FD FF FF 10 00 01 00 E8 62 58 01 00 59 59 6A 10 58 E8 14 5A 01 00 E8 67 59 01 00 EB 0B 81 38 78 56 4F 23 74 18 8B 40 04 85	success or wait	966265898
Thread context set	TID: 668 PID: 772 DR0: 0 DR1: 0 DR2: 0 DR3: 0 DR7: 0 EIP: 90000 EFLAGS: 200 Imagepath: C:\WINDOWS\explorer.exe	success or wait	966281113
Thread resumed	TID: 668 PID: 772 Path: C:\WINDOWS\explorer.exe	success or wait	966281972
Process terminated	PID: not known Path: not known	success or wait	966284824

Analysis File: explorer.exe PID: 772 Parent PID: 656

Sections

General
Start time:	04:48:55
Start date:	26/07/2011
Path:	C:\WINDOWS\explorer.exe
Commandline:	A4*
Imagebase:	0x1000000
File size:	1033728 bytes
MD5 hash:	12896823FB95BFB3DC9B46BCAEDC9923

File Activities:

File opened
File Path	Access	Options	Completion	Count	Source Address
ACPI#PNP0303#2&da1a3ff&0	synchronize	10000	object name not found	1	B54332
C:\WINDOWS	read data or list directory and read ea and read attributes and read control and synchronize	synchronous io non alert	success or wait	17	B51DE2
C:\WINDOWS\system	read attributes	no options	success or wait	1	B53981
C:\WINDOWS\$NtUninstallKB22351$\1740621400	read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize	synchronous io non alert and open reparse point	success or wait	1	B537B6
C:\WINDOWS\$NtUninstallKB22351$\3522328898	read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and read attributes and write attributes and read control and synchronize	directory file and synchronous io non alert	success or wait	1	B53981
C:\WINDOWS\$NtUninstallKB22351$\:SummaryInformation	read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize	synchronous io non alert and open reparse point	success or wait	1	B53820
C:\WINDOWS\$NtUninstallKB22351$	write dac	directory file and open reparse point	success or wait	1	B53981
C:\WINDOWS\system32\drivers\i8042prt.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\cdrom.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\intelppm.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\termdd.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\ipsec.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\tcpip.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\netbt.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\afd.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\netbios.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\VBoxSF.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\rdbss.sys	write owner	open reparse point	success or wait	3	B53125
C:\WINDOWS\system32\drivers\mrxsmb.sys	write owner	open reparse point	success or wait	5	B53125
C:\WINDOWS\system32\drivers\Fips.SYS	write owner	open reparse point	success or wait	3	B53125
ACPI#PNP0303#2&da1a3ff&0\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}	append data or add subdirectory or create pipe instance and synchronize	synchronous io non alert	success or wait	1	B51F1B

File created
File Path	Access	Attributes	Options	Completion	Count	Source Address
C:\WINDOWS\$NtUninstallKB22351$	read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and read attributes and write attributes and read control and synchronize	hidden and system	directory file and synchronous io non alert	success or wait	1	B53981
C:\WINDOWS\$NtUninstallKB22351$\3522328898\U	synchronize	none	directory file	success or wait	1	B53981
C:\WINDOWS\$NtUninstallKB22351$\3522328898\L	synchronize	none	directory file	success or wait	1	B53981
ACPI#PNP0303#2&da1a3ff&0\L\gkaiogto	append data or add subdirectory or create pipe instance and synchronize	none	synchronous io non alert	success or wait	1	B539A0
C:\WINDOWS\system32\drivers\1254331455.sys	append data or add subdirectory or create pipe instance and synchronize	none	synchronous io non alert	success or wait	1	B53A02

File deleted
File Path	Completion	Count	Source Address
C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	success or wait	1	B5432B
C:\Documents and Settings\Administrator\wevtapi.dll	object name not found	1	B5406B
C:\Documents and Settings\Administrator\taskmgr.exe	object name not found	1	B5407E

File written
File Path	Offset	Length	Value	Completion	Count	Source Address
\L\gkaiogto	0	455424	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 5E B2 BD 26 1A D3 D3 75 1A D3 D3 75 1A D3 D3 75 1A D3 D2 75 56 D2 D3 75 D9 DC 8E 75 11 D3 D3 75 D9 DC DC 75 1F D3 D3 75 D9 DC 8F 75 1B D3 D3 75 D9 DC 8D 75 1B D3 D3 75 D9 DC 8C 75 76 D3 D3 75 D9 DC 89 75 1B D3 D3 75 52 69 63 68 1A D3 D3 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 0B 00 5C 53 19 4B 00 00 00 00 00 00 00 00 E0 00 0E 01 0B 01 07 0A 80 28 06	success or wait	1	B539A0
\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}	none	2048	4C CE 1D 73 2D C6 CA D1 B8 09 DB 19 2D C6 CA D1 58 B0 7A E3 2D C6 CA D1 CB 43 36 84 2D C6 CA D1 29 61 6D 85 2D C6 CA D1 98 0E E8 69 2D C6 CA D1 56 37 EF 66 2D C6 CA D1 7B C9 62 63 2D C6 CA D1 DC 75 65 E3 2D C6 CA D1 A4 84 9A 50 2D C6 CA D1 44 C0 12 E2 2D C6 CA D1 54 FC 31 AA 2D C6 CA D1 56 7B C1 AD 2D C6 CA D1 63 FE B1 F1 2D C6 CA D1 62 A5 83 DD 2D C6 CA D1 48 D1 3F 33 2D C6 CA D1 5A A9 23 BD 2D C6 CA D1 A3 01 E6 CC 2D C6 CA D1 C8 5C 42 08 2D C6 CA D1 62 0F 88 F4 2D C6 CA D1 C9 EB 84 0C 2D C6 CA D1 45 89 A0 17 2D C6 CA D1 55 98 71 2F 2C C6 CA D1 BE 19 76 F3 2C C6 CA D1 47 C0 A5 CB 2C C6 CA D1 BE A0 85 BF 2C C6 CA D1 18 F7 9E D6 2C C6 CA D1 D8 33 BC F1 2C C6 CA D1 42 8D 17 43 2C C6 CA D1 62 D3 CB 46 2C C6 CA D1 BA 0C 96 A9 2C C6 CA D1 44 79 A2 97 2C C6 CA	success or wait	1	B51F1B
C:\WINDOWS\system32\drivers\1254331455.sys	none	17408	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 B9 CF 0B 33 FD AE 65 60 FD AE 65 60 FD AE 65 60 7E A6 6A 60 FE AE 65 60 7E A6 38 60 EC AE 65 60 FD AE 64 60 12 AE 65 60 7E A6 39 60 FC AE 65 60 73 A6 3A 60 EE AE 65 60 7E A6 3B 60 FC AE 65 60 7E A6 3F 60 FC AE 65 60 52 69 63 68 FD AE 65 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 00 FC 4F 1D 4E 00 00 00 00 00 00 00 00 E0 00 02	success or wait	1	B53A02

File read
File Path	Offset	Length	Value	Completion	Count	Source Address
C:\WINDOWS\system32\drivers\i8042prt.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\cdrom.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\intelppm.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\termdd.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\ipsec.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\tcpip.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\netbt.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\afd.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\netbios.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\VBoxSF.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\rdbss.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00	success or wait	2	B539A0
C:\WINDOWS\system32\drivers\mrxsmb.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	3	B539A0
C:\WINDOWS\system32\drivers\fips.sys	0	64	4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	2	B539A0

Other file operations
File Path	Disposition	Data	Ascii Data	Completion	Count	Source Address
C:\WINDOWS\$NtUninstallKB22351$	Ctrl code set: set compression	01 00	..	success or wait	1	B53981
C:\WINDOWS\$NtUninstallKB22351$\1740621400	Ctrl code set: set reparse point	0C 00 00 A0 74 00 00 00 00 00 32 00 34 00 32 00 00 00 00 00 5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 73 00 76 00 63 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 5C 00 73 00 65 00 74 00 75 00 70 00 00 00 63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 65 00 74 00 75 00 70 00 00 00	....t.....2.4.2.....\.D.e.v.i.c.e.\.s.v.c.h.o.s.t...e.x.e.\.s.e.t.u.p...c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.e.t.u.p...	success or wait	1	B537B6
C:\WINDOWS\$NtUninstallKB22351$:SummaryInformation	Ctrl code set: set reparse point	0C 00 00 A0 66 00 00 00 00 00 24 00 26 00 32 00 00 00 00 00 5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00 6E 00 75 00 6C 00 6C 00 5C 00 73 00 65 00 74 00 75 00 70 00 00 00 63 00 3A 00 5C 00 77 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 73 00 65 00 74 00 75 00 70 00 00 00	....f.....$.&.2.....\.D.e.v.i.c.e.\.n.u.l.l.\.s.e.t.u.p...c.:.\.w.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.e.t.u.p...	success or wait	1	B53820
C:\WINDOWS\$NtUninstallKB22351$	BasicInformation	Creation Time: 08:27 05-05-1796 Last Access Time: 08:43 15-05-1771 Last Write Time: 21:32 12-08-1810 Change Time: 21:32 12-08-1810 File Attributes: hidden and system		success or wait	1	B53981
C:\WINDOWS\system32\drivers\mrxsmb.sys	Ctrl code set: set compression	00 00	..	success or wait	1	B5338C
C:\WINDOWS\system32\drivers\mrxsmb.sys	SymbolicLinkCreate	Symbolic link name: \*		success or wait	1	B5338C

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	1D0000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	1F0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	240000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	290000	24576	own pid	readonly	success or wait	1
\KnownDlls\ADVAPI32.dll	write and read and execute	unknown	77DD0000	634880	own pid	read write	success or wait	1
\KnownDlls\RPCRT4.dll	write and read and execute	unknown	77E70000	598016	own pid	read write	success or wait	1
\KnownDlls\Secur32.dll	write and read and execute	unknown	77FE0000	69632	own pid	read write	success or wait	1
C:\WINDOWS\system32\browseui.dll	query and write and read and execute	image	75F80000	1036288	own pid	read write	success or wait	1
\KnownDlls\GDI32.dll	write and read and execute	unknown	77F10000	299008	own pid	read write	success or wait	1
\KnownDlls\USER32.dll	write and read and execute	unknown	7E410000	593920	own pid	read write	success or wait	1
\KnownDlls\msvcrt.dll	write and read and execute	unknown	77C10000	360448	own pid	read write	success or wait	1
\KnownDlls\ole32.dll	write and read and execute	unknown	774E0000	1298432	own pid	read write	success or wait	1
\KnownDlls\SHLWAPI.dll	write and read and execute	unknown	77F60000	483328	own pid	read write	success or wait	1
\KnownDlls\OLEAUT32.dll	write and read and execute	unknown	77120000	569344	own pid	read write	success or wait	1
C:\WINDOWS\system32\shdocvw.dll	query and write and read and execute	image	7E290000	1511424	own pid	read write	success or wait	1
C:\WINDOWS\system32\crypt32.dll	query and write and read and execute	image	77A80000	610304	own pid	read write	success or wait	1
C:\WINDOWS\system32\msasn1.dll	query and write and read and execute	image	77B20000	73728	own pid	read write	success or wait	1
C:\WINDOWS\system32\cryptui.dll	query and write and read and execute	image	754D0000	524288	own pid	read write	success or wait	1
C:\WINDOWS\system32\netapi32.dll	query and write and read and execute	image	5B860000	348160	own pid	read write	success or wait	1
\KnownDlls\VERSION.dll	write and read and execute	unknown	77C00000	32768	own pid	read write	success or wait	1
\KnownDlls\WININET.dll	write and read and execute	unknown	3D930000	942080	own pid	read write	success or wait	1
\KnownDlls\Normaliz.dll	write and read and execute	unknown	400000	36864	own pid	read write	success or wait	1
\KnownDlls\urlmon.dll	write and read and execute	unknown	78130000	1253376	own pid	read write	success or wait	1
\KnownDlls\iertutil.dll	write and read and execute	unknown	3DFD0000	1998848	own pid	read write	success or wait	1
C:\WINDOWS\system32\wintrust.dll	query and write and read and execute	image	76C30000	188416	own pid	read write	success or wait	1
\KnownDlls\IMAGEHLP.dll	write and read and execute	unknown	76C90000	163840	own pid	read write	success or wait	1
\KnownDlls\WLDAP32.dll	write and read and execute	unknown	76F60000	180224	own pid	read write	success or wait	1
\KnownDlls\SHELL32.dll	write and read and execute	unknown	7C9C0000	8482816	own pid	read write	success or wait	1
C:\WINDOWS\system32\uxtheme.dll	query and write and read and execute	image	5AD70000	229376	own pid	read write	success or wait	1
C:\WINDOWS\system32\shimeng.dll	query and write and read and execute	image	5CB70000	155648	own pid	read write	success or wait	1
C:\WINDOWS\AppPatch\sysmain.sdb	read	commit	2B0000	1208320	own pid	readonly	success or wait	1
C:\WINDOWS\AppPatch\acgenral.dll	write and read and execute	commit	410000	1855488	own pid	execute	success or wait	2
C:\WINDOWS\AppPatch\acgenral.dll	query and write and read and execute	image	6F880000	1875968	own pid	read write	success or wait	1
C:\WINDOWS\system32\winmm.dll	query and write and read and execute	image	76B40000	184320	own pid	read write	success or wait	1
C:\WINDOWS\system32\msacm32.dll	query and write and read and execute	image	77BE0000	86016	own pid	read write	success or wait	1
\KnownDlls\USERENV.dll	write and read and execute	unknown	769C0000	737280	own pid	read write	success or wait	1
\NLS\NlsSectionCType	read	unknown	410000	12288	own pid	readonly	success or wait	1
C:\WINDOWS\system32\imm32.dll	write and read and execute	commit	380000	110592	own pid	execute	success or wait	2
C:\WINDOWS\system32\imm32.dll	query and write and read and execute	image	76390000	118784	own pid	read write	success or wait	1
C:\WINDOWS\system32\browseui.dll	read	commit	870000	1028096	own pid	readonly	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	write and read and execute	commit	870000	1056768	own pid	execute	success or wait	1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	query and write and read and execute	image	773D0000	1060864	own pid	read write	success or wait	1
C:\WINDOWS\WindowsShell.Manifest	write and read and execute	commit	3B0000	4096	own pid	execute	success or wait	1
unknown	unknown	unknown	3B0000	4096	own pid	readonly	success or wait	2
C:\WINDOWS\system32\riched20.dll	query and write and read and execute	image	74E30000	446464	own pid	read write	success or wait	1
C:\WINDOWS\system32\shdocvw.dll	read	commit	AB0000	1499136	own pid	readonly	success or wait	1
C:\WINDOWS\system32\shell32.dll	read	commit	1100000	8462336	own pid	readonly	success or wait	1
\KnownDlls\comctl32.dll	write and read and execute	unknown	5D090000	630784	own pid	read write	success or wait	1
C:\WINDOWS\system32\comctl32.dll	read	commit	AD0000	618496	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
none	query and write and read and execute and extend size	commit	B50000	98304	own pid	execute and read and write	success or wait	1	9046F
C:\WINDOWS\system32\ws2_32.dll	query and write and read and execute	image	71AB0000	94208	own pid	read write	success or wait	1	90314
C:\WINDOWS\system32\ws2help.dll	query and write and read and execute	image	71AA0000	32768	own pid	read write	success or wait	1	90314
C:\WINDOWS\system32\mswsock.dll	write and read and execute	commit	B80000	245760	own pid	execute	success or wait	1	B520A7
C:\WINDOWS\system32\mswsock.dll	query and write and read and execute	image	71A50000	258048	own pid	read write	success or wait	1	B520A7
C:\WINDOWS\system32\hnetcfg.dll	query and write and read and execute	image	662B0000	360448	own pid	read write	success or wait	1	B520A7
C:\WINDOWS\system32\wshtcpip.dll	write and read and execute	commit	90000	20480	own pid	execute	success or wait	1	B520A7
C:\WINDOWS\system32\wshtcpip.dll	query and write and read and execute	image	71A90000	32768	own pid	read write	success or wait	1	B520A7
\.mrxsmb	query and write and read and execute and extend size	commit	C30000	458752	own pid	read write	success or wait	1	B539A0
none	query and write and read and execute and extend size	reserve	C30000	262144	own pid	read write	success or wait	1	B52A8A
none	query and write and read and execute and extend size	reserve	C30000	262144	608	read write	conflicting addresses	1	B52A9C
none	query and write and read and execute and extend size	reserve	AB0000	262144	608	read write	success or wait	1	B52A9C
C:\WINDOWS\system32\drivers\mrxsmb.sys	write and read	commit	C30000	458752	own pid	read write	success or wait	1	B5338C
\.mrxsmb	query and write and read and execute and extend size	commit	C30000	458752	own pid	readonly	success or wait	1	B539A0

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	u	Dword	68	success or wait	1	B51ED3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	cid	Other	97 BA 42 0F 98 88 93 72	success or wait	1	B51ED3
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb	Type	Dword	1	success or wait	1	B5338C
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb	Start	Dword	3	success or wait	1	B5338C
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb	ImagePath	String	\*	success or wait	1	B5338C
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455	Start	Dword	3	success or wait	1	B54607
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455	Type	Dword	1	success or wait	1	B54607
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455	ErrorControl	Dword	1	success or wait	1	B54607
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455	DisplayName	String	Virtual Bus for Microsoft ACPI-Compliant System	success or wait	1	B54607
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	Service	String	1254331455	success or wait	1	B54613
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	ClassGUID	String	{4D36E97D-E325-11CE-BFC1-08002BE10318}	success or wait	1	B54613
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	Class	String	System	success or wait	1	B54613
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	DeviceDesc	String	PCI bus	success or wait	1	B54613
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	Mfg	String	Technologies Inc	success or wait	1	B54613
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	LocationInformation	String	on Microsoft ACPI-Compliant System	success or wait	1	B54613
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	ConfigFlags	Dword	0	success or wait	1	B54613

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	InstallDate	success or wait	1	B51DE2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc	MachineGuid	success or wait	1	B51D10
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	InstallDate	success or wait	7	B51DE2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	Start	success or wait	7	B530EF
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	Start	success or wait	2	B530EF
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	Start	success or wait	13	B530EF
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278}	Start	success or wait	12	B530EF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	InstallDate	success or wait	7	B51DE2

Process Activities:

Process terminated
PID	Filepath	Completion	Count	Source Address
not known	not known	success or wait	1	B52045
772	C:\WINDOWS\explorer.exe	success or wait	0	B52045

Thread Activities:

Thread context set
TID	PID	DR0	DR1	DR2	DR3	DR7	EFLAGS	EIP	Completion	Count	Source Address
668	772	0	0	0	7C90D51E	40	0	0	success or wait	1	9046F

Thread resumed
TID	PID	Completion	Count	Source Address
404	608	success or wait	1	B52A9C

Thread suspended
TID	PID	Completion	Count	Source Address
1572	608	success or wait	2	B52AAF
1576	608	success or wait	2	B52AAF
1580	608	success or wait	2	B52AAF

Thread delayed
TID	Delay	Completion	Count	Source Address
1640	1s	success or wait	1	B5432B

Memory Activities:

Memory allocated
PID	Filepath	Base	Length	Protection	Completion	Count	Source Address
772	C:\WINDOWS\explorer.exe	C30000	6F858	page read and write	success or wait	1	B52A8A

Driver Activities:

Driver loaded
Service name path	Completion	Count	Source Address
\registry\MACHINE\SYSTEM\CurrentControlSet\services\.mrxsmb	success or wait	1	B5338C

System Activities:

System information queried
System info class	Completion	Count	Source Address
ProcessInformation	info length mismatch	1	B5436F
ProcessInformation	success or wait	1	B5436F
ModuleInformation	info length mismatch	1	B539A0
ModuleInformation	success or wait	1	B539A0
ProcessInformation	info length mismatch	1	B52D32
ProcessInformation	success or wait	1	B52D32

Chronological sections
Operation	Data	Completion	Time
Process terminated	PID: not known Path: not known	success or wait	1059158966
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	966287139
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 1D0000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	966292686
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 1F0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	966293250
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 240000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	966293741
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 290000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	966294031
Section loaded	Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid	success or wait	966295334
Section loaded	Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 598016 Protection: read write Mapped to pid: own pid	success or wait	966296683
Section loaded	Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid	success or wait	966298283
Section loaded	Path: C:\WINDOWS\system32\browseui.dll Access: query and write and read and execute Type: image Baseaddress: 75F80000 Size: 1036288 Protection: read write Mapped to pid: own pid	success or wait	966303725
Section loaded	Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid	success or wait	966306535
Section loaded	Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid	success or wait	966307733
Section loaded	Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	966310863
Section loaded	Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1298432 Protection: read write Mapped to pid: own pid	success or wait	966312633
Section loaded	Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid	success or wait	966315291
Section loaded	Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid	success or wait	966319048
Section loaded	Path: C:\WINDOWS\system32\shdocvw.dll Access: query and write and read and execute Type: image Baseaddress: 7E290000 Size: 1511424 Protection: read write Mapped to pid: own pid	success or wait	966321992
Section loaded	Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid	success or wait	966325503
Section loaded	Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid	success or wait	966329424
Section loaded	Path: C:\WINDOWS\system32\cryptui.dll Access: query and write and read and execute Type: image Baseaddress: 754D0000 Size: 524288 Protection: read write Mapped to pid: own pid	success or wait	966333839
Section loaded	Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid	success or wait	966353202
Section loaded	Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	966356291
Section loaded	Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid	success or wait	966357569
Section loaded	Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 400000 Size: 36864 Protection: read write Mapped to pid: own pid	success or wait	966360343
Section loaded	Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1253376 Protection: read write Mapped to pid: own pid	success or wait	966362508
Section loaded	Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 1998848 Protection: read write Mapped to pid: own pid	success or wait	966367828
Section loaded	Path: C:\WINDOWS\system32\wintrust.dll Access: query and write and read and execute Type: image Baseaddress: 76C30000 Size: 188416 Protection: read write Mapped to pid: own pid	success or wait	966373957
Section loaded	Path: \KnownDlls\IMAGEHLP.dll Access: write and read and execute Type: unknown Baseaddress: 76C90000 Size: 163840 Protection: read write Mapped to pid: own pid	success or wait	966375648
Section loaded	Path: \KnownDlls\WLDAP32.dll Access: write and read and execute Type: unknown Baseaddress: 76F60000 Size: 180224 Protection: read write Mapped to pid: own pid	success or wait	966379287
Section loaded	Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid	success or wait	966382892
Section loaded	Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid	success or wait	966387233
Section loaded	Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid	success or wait	966390350
Section loaded	Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 2B0000 Size: 1208320 Protection: readonly Mapped to pid: own pid	success or wait	966392324
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	966397048
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 1855488 Protection: execute Mapped to pid: own pid	success or wait	966397975
Section loaded	Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid	success or wait	966398753
Section loaded	Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid	success or wait	966400974
Section loaded	Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid	success or wait	966403909
Section loaded	Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid	success or wait	966406478
Section loaded	Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 410000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	966409803
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 380000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	966430266
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 380000 Size: 110592 Protection: execute Mapped to pid: own pid	success or wait	966431257
Section loaded	Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid	success or wait	966432027
Section loaded	Path: C:\WINDOWS\system32\browseui.dll Access: read Type: commit Baseaddress: 870000 Size: 1028096 Protection: readonly Mapped to pid: own pid	success or wait	966443944
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 870000 Size: 1056768 Protection: execute Mapped to pid: own pid	success or wait	966461984
Section loaded	Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid	success or wait	966463048
Section loaded	Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3B0000 Size: 4096 Protection: execute Mapped to pid: own pid	success or wait	966467714
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 3B0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	966468947
Section loaded	Path: unknown Access: unknown Type: unknown Baseaddress: 3B0000 Size: 4096 Protection: readonly Mapped to pid: own pid	success or wait	966469815
Section loaded	Path: C:\WINDOWS\system32\riched20.dll Access: query and write and read and execute Type: image Baseaddress: 74E30000 Size: 446464 Protection: read write Mapped to pid: own pid	success or wait	966529256
Section loaded	Path: C:\WINDOWS\system32\shdocvw.dll Access: read Type: commit Baseaddress: AB0000 Size: 1499136 Protection: readonly Mapped to pid: own pid	success or wait	966536565
Section loaded	Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 1100000 Size: 8462336 Protection: readonly Mapped to pid: own pid	success or wait	966559281
Section loaded	Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid	success or wait	966573952
Section loaded	Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: AD0000 Size: 618496 Protection: readonly Mapped to pid: own pid	success or wait	966578199
Section loaded	Path: none Access: query and write and read and execute and extend size Type: commit Baseaddress: B50000 Size: 98304 Protection: execute and read and write Mapped to pid: own pid	success or wait	966629926
Thread context set	TID: 668 PID: 772 DR0: 0 DR1: 0 DR2: 0 DR3: 7C90D51E DR7: 40 EIP: 0 EFLAGS: 0 Imagepath: C:\WINDOWS\explorer.exe	success or wait	966630888
Section loaded	Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid	success or wait	966658364
Section loaded	Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	966660944
Thread delayed	Time: 1 TID: 1640	success or wait	966689812
File deleted	Path: C:\Documents and Settings\Administrator\Desktop\contacts_053.exe	success or wait	970225533
File opened	Path: ACPI#PNP0303#2&da1a3ff&0 Access: synchronize Options: 10000	object name not found	970226897
Privilege adjusted	Privilege: Debug On or off: on	success or wait	970227088
System info queried	Type: ProcessInformation	info length mismatch	970227243
System info queried	Type: ProcessInformation	success or wait	970229851
Privilege adjusted	Privilege: Tcb On or off: on	success or wait	970232374
Section loaded	Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: B80000 Size: 245760 Protection: execute Mapped to pid: own pid	success or wait	970233250
Section loaded	Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid	success or wait	970236238
Section loaded	Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid	success or wait	970241894
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 90000 Size: 20480 Protection: execute Mapped to pid: own pid	success or wait	970255196
Section loaded	Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid	success or wait	970257090
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970262782
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: InstallDate	success or wait	970263258
File deleted	Path: C:\Documents and Settings\Administrator\wevtapi.dll	object name not found	970265744
File deleted	Path: C:\Documents and Settings\Administrator\taskmgr.exe	object name not found	970265938
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MachineGuid	success or wait	970266260
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: u Type: Dword Data: 68	success or wait	970276512
Key value set	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: cid Type: Other Data: 97 BA 42 0F 98 88 93 72	success or wait	970277211
Privilege adjusted	Privilege: Create Symbolic Link On or off: on	not all assigned	970279228
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970282008
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970282381
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970284512
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970285756
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970286136
File opened	Path: C:\WINDOWS\system Access: read attributes Options: no options	success or wait	970288722
File created	Path: C:\WINDOWS\$NtUninstallKB22351$ Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and read attributes and write attributes and read control and synchronize Options: directory file and synchronous io non alert Attributes: hidden and system	success or wait	970289297
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970292945
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970293562
File control set	Path: C:\WINDOWS\$NtUninstallKB22351$ Control Code: set compression Input Buffer: 0100	success or wait	970295209
File opened	Path: C:\WINDOWS\$NtUninstallKB22351$\1740621400 Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Options: synchronous io non alert and open reparse point Attributes: none	success or wait	970302044
File control set	Path: C:\WINDOWS\$NtUninstallKB22351$\1740621400 Control Code: set reparse point Input Buffer: 0C0000A0740000000000320034003200000000005C004400650076006900630065005C0073007600630068006F00730074002E006500780065005C0073006500740075007000000063003A005C00770069006E0064006F00770073005C00730079007300740065006D00330032005C00730065007400750070000000	success or wait	970303878
File opened	Path: C:\WINDOWS\$NtUninstallKB22351$\3522328898 Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and read attributes and write attributes and read control and synchronize Options: directory file and synchronous io non alert Attributes: hidden and system	success or wait	970304401
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970305873
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970306449
File opened	Path: C:\WINDOWS\$NtUninstallKB22351$\:SummaryInformation Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Options: synchronous io non alert and open reparse point Attributes: none	success or wait	970308742
File control set	Path: C:\WINDOWS\$NtUninstallKB22351$:SummaryInformation Control Code: set reparse point Input Buffer: 0C0000A0660000000000240026003200000000005C004400650076006900630065005C006E0075006C006C005C0073006500740075007000000063003A005C00770069006E0064006F00770073005C00730079007300740065006D00330032005C00730065007400750070000000	success or wait	970309996
File created	Path: C:\WINDOWS\$NtUninstallKB22351$\3522328898\U Access: synchronize Options: directory file Attributes: none	success or wait	970319212
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970320792
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970321291
File created	Path: C:\WINDOWS\$NtUninstallKB22351$\3522328898\L Access: synchronize Options: directory file Attributes: none	success or wait	970323694
File other operation	Disposition: BasicInformation Data : Creation Time: 08:27 05-05-1796 Last Access Time: 08:43 15-05-1771 Last Write Time: 21:32 12-08-1810 Change Time: 21:32 12-08-1810 File Attributes: hidden and system Path: C:\WINDOWS\$NtUninstallKB22351$	success or wait	970324680
File opened	Path: C:\WINDOWS\$NtUninstallKB22351$ Access: write dac Options: directory file and open reparse point	success or wait	970325440
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970329929
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970330272
System info queried	Type: ModuleInformation	info length mismatch	970332307
System info queried	Type: ModuleInformation	success or wait	970334718
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970336821
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970337061
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970337293
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970337476
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970337652
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970337836
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970338014
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970338197
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970338369
File opened	Path: C:\WINDOWS\system32\drivers\i8042prt.sys Access: write owner Options: open reparse point	success or wait	970338535
File opened	Path: C:\WINDOWS\system32\drivers\i8042prt.sys Access: write owner Options: open reparse point	success or wait	970339976
File opened	Path: C:\WINDOWS\system32\drivers\i8042prt.sys Access: write owner Options: open reparse point	success or wait	970342115
File read	Path: C:\WINDOWS\system32\drivers\i8042prt.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970342380
File read	Path: C:\WINDOWS\system32\drivers\i8042prt.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970342884
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970343204
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970343380
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970343547
File opened	Path: C:\WINDOWS\system32\drivers\cdrom.sys Access: write owner Options: open reparse point	success or wait	970343693
File opened	Path: C:\WINDOWS\system32\drivers\cdrom.sys Access: write owner Options: open reparse point	success or wait	970344416
File opened	Path: C:\WINDOWS\system32\drivers\cdrom.sys Access: write owner Options: open reparse point	success or wait	970345216
File read	Path: C:\WINDOWS\system32\drivers\cdrom.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970345491
File read	Path: C:\WINDOWS\system32\drivers\cdrom.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970345869
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970346197
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970346436
File opened	Path: C:\WINDOWS\system32\drivers\intelppm.sys Access: write owner Options: open reparse point	success or wait	970346595
File opened	Path: C:\WINDOWS\system32\drivers\intelppm.sys Access: write owner Options: open reparse point	success or wait	970347510
File opened	Path: C:\WINDOWS\system32\drivers\intelppm.sys Access: write owner Options: open reparse point	success or wait	970348164
File read	Path: C:\WINDOWS\system32\drivers\intelppm.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970348418
File read	Path: C:\WINDOWS\system32\drivers\intelppm.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970349228
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970349567
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970349743
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970349919
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970350110
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970350291
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970350568
File opened	Path: C:\WINDOWS\system32\drivers\termdd.sys Access: write owner Options: open reparse point	success or wait	970350715
File opened	Path: C:\WINDOWS\system32\drivers\termdd.sys Access: write owner Options: open reparse point	success or wait	970351439
File opened	Path: C:\WINDOWS\system32\drivers\termdd.sys Access: write owner Options: open reparse point	success or wait	970352078
File read	Path: C:\WINDOWS\system32\drivers\termdd.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970352419
File read	Path: C:\WINDOWS\system32\drivers\termdd.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970352773
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970353094
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970353256
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970353423
File opened	Path: C:\WINDOWS\system32\drivers\ipsec.sys Access: write owner Options: open reparse point	success or wait	970353583
File opened	Path: C:\WINDOWS\system32\drivers\ipsec.sys Access: write owner Options: open reparse point	success or wait	970354430
File opened	Path: C:\WINDOWS\system32\drivers\ipsec.sys Access: write owner Options: open reparse point	success or wait	970355073
File read	Path: C:\WINDOWS\system32\drivers\ipsec.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970355324
File read	Path: C:\WINDOWS\system32\drivers\ipsec.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970355677
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970356112
File opened	Path: C:\WINDOWS\system32\drivers\tcpip.sys Access: write owner Options: open reparse point	success or wait	970356266
File opened	Path: C:\WINDOWS\system32\drivers\tcpip.sys Access: write owner Options: open reparse point	success or wait	970357020
File opened	Path: C:\WINDOWS\system32\drivers\tcpip.sys Access: write owner Options: open reparse point	success or wait	970357692
File read	Path: C:\WINDOWS\system32\drivers\tcpip.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00	success or wait	970358218
File read	Path: C:\WINDOWS\system32\drivers\tcpip.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00	success or wait	970358596
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970358899
File opened	Path: C:\WINDOWS\system32\drivers\netbt.sys Access: write owner Options: open reparse point	success or wait	970359043
File opened	Path: C:\WINDOWS\system32\drivers\netbt.sys Access: write owner Options: open reparse point	success or wait	970359881
File opened	Path: C:\WINDOWS\system32\drivers\netbt.sys Access: write owner Options: open reparse point	success or wait	970360537
File read	Path: C:\WINDOWS\system32\drivers\netbt.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970360790
File read	Path: C:\WINDOWS\system32\drivers\netbt.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00	success or wait	970361139
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970361580
File opened	Path: C:\WINDOWS\system32\drivers\afd.sys Access: write owner Options: open reparse point	success or wait	970361758
File opened	Path: C:\WINDOWS\system32\drivers\afd.sys Access: write owner Options: open reparse point	success or wait	970362538
File opened	Path: C:\WINDOWS\system32\drivers\afd.sys Access: write owner Options: open reparse point	success or wait	970363326
File read	Path: C:\WINDOWS\system32\drivers\afd.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00	success or wait	970363693
File read	Path: C:\WINDOWS\system32\drivers\afd.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00	success or wait	970364082
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970364462
File opened	Path: C:\WINDOWS\system32\drivers\netbios.sys Access: write owner Options: open reparse point	success or wait	970364622
File opened	Path: C:\WINDOWS\system32\drivers\netbios.sys Access: write owner Options: open reparse point	success or wait	970365490
File opened	Path: C:\WINDOWS\system32\drivers\netbios.sys Access: write owner Options: open reparse point	success or wait	970366224
File read	Path: C:\WINDOWS\system32\drivers\netbios.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970366498
File read	Path: C:\WINDOWS\system32\drivers\netbios.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970366880
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970367324
File opened	Path: C:\WINDOWS\system32\drivers\VBoxSF.sys Access: write owner Options: open reparse point	success or wait	970367482
File opened	Path: C:\WINDOWS\system32\drivers\VBoxSF.sys Access: write owner Options: open reparse point	success or wait	970368774
File opened	Path: C:\WINDOWS\system32\drivers\VBoxSF.sys Access: write owner Options: open reparse point	success or wait	970371333
File read	Path: C:\WINDOWS\system32\drivers\VBoxSF.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00	success or wait	970371605
File read	Path: C:\WINDOWS\system32\drivers\VBoxSF.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F0 00 00 00	success or wait	970371957
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970372259
File opened	Path: C:\WINDOWS\system32\drivers\rdbss.sys Access: write owner Options: open reparse point	success or wait	970372510
File opened	Path: C:\WINDOWS\system32\drivers\rdbss.sys Access: write owner Options: open reparse point	success or wait	970373249
File opened	Path: C:\WINDOWS\system32\drivers\rdbss.sys Access: write owner Options: open reparse point	success or wait	970373889
File read	Path: C:\WINDOWS\system32\drivers\rdbss.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00	success or wait	970374141
File read	Path: C:\WINDOWS\system32\drivers\rdbss.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00	success or wait	970374607
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970374898
File opened	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Access: write owner Options: open reparse point	success or wait	970375057
File opened	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Access: write owner Options: open reparse point	success or wait	970375765
File opened	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Access: write owner Options: open reparse point	success or wait	970376514
File read	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970376768
File read	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970377118
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970377423
File opened	Path: C:\WINDOWS\system32\drivers\Fips.SYS Access: write owner Options: open reparse point	success or wait	970377570
File opened	Path: C:\WINDOWS\system32\drivers\Fips.SYS Access: write owner Options: open reparse point	success or wait	970378720
File opened	Path: C:\WINDOWS\system32\drivers\Fips.SYS Access: write owner Options: open reparse point	success or wait	970379417
File read	Path: C:\WINDOWS\system32\drivers\fips.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970379676
File read	Path: C:\WINDOWS\system32\drivers\fips.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970380111
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970380423
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970380611
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: Start	success or wait	970380796
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970381684
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{677540da-d7f5-bb7f-efc6-f7ab3c6a1278} Name: InstallDate	success or wait	970382069
Section loaded	Path: \.mrxsmb Access: query and write and read and execute and extend size Type: commit Baseaddress: C30000 Size: 458752 Protection: read write Mapped to pid: own pid	success or wait	970384534
File opened	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Access: write owner Options: open reparse point	success or wait	970384682
File read	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Offset: 0 Length: 64 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00	success or wait	970384966
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970963595
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	970964186
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	970971677
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	970972317
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb Name: Type Type: Dword Data: 1	success or wait	970975199
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb Name: Start Type: Dword Data: 3	success or wait	970976291
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb Name: ImagePath Type: String Data: \*	success or wait	970977358
System info queried	Type: ProcessInformation	info length mismatch	970978564
System info queried	Type: ProcessInformation	success or wait	970981591
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: C30000 Size: 262144 Protection: read write Mapped to pid: own pid	success or wait	970984430
Memory allocated	PID: 772 Path: C:\WINDOWS\explorer.exe Base: C30000 Length: 6F858 Allocation Type: null Protection: page read and write	success or wait	970984555
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: C30000 Size: 262144 Protection: read write Mapped to pid: 608	conflicting addresses	972480582
Section loaded	Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: AB0000 Size: 262144 Protection: read write Mapped to pid: 608	success or wait	972527621
Thread resumed	TID: 404 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972576779
Thread suspended	TID: 1572 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972579573
Thread suspended	TID: 1576 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972580543
Thread suspended	TID: 1580 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972581640
File opened	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Access: write owner Options: open reparse point	success or wait	972582560
File control set	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Control Code: set compression Input Buffer: 0000	success or wait	972582868
Section loaded	Path: C:\WINDOWS\system32\drivers\mrxsmb.sys Access: write and read Type: commit Baseaddress: C30000 Size: 458752 Protection: read write Mapped to pid: own pid	success or wait	972583156
Symbolic link created	Symbolic link name: \* File path: C:\WINDOWS\system32\drivers\mrxsmb.sys	success or wait	972601520
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	972602604
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	972603078
Driver loaded	Service Name: \registry\MACHINE\SYSTEM\CurrentControlSet\services\.mrxsmb	success or wait	972605494
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	972958367
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	972958805
Thread suspended	TID: 1580 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972961199
Thread suspended	TID: 1576 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972961323
Thread suspended	TID: 1572 PID: 608 Path: C:\WINDOWS\system32\winlogon.exe	success or wait	972961437
Section loaded	Path: \.mrxsmb Access: query and write and read and execute and extend size Type: commit Baseaddress: C30000 Size: 458752 Protection: readonly Mapped to pid: own pid	success or wait	972961567
File created	Path: ACPI#PNP0303#2&da1a3ff&0\L\gkaiogto Access: append data or add subdirectory or create pipe instance and synchronize Options: synchronous io non alert Attributes: none	success or wait	972961784
File write	Path: \L\gkaiogto Offset: 0 Length: 455424 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 5E B2 BD 26 1A D3 D3 75 1A D3 D3 75 1A D3 D3 75 1A D3 D2 75 56 D2 D3 75 D9 DC 8E 75 11 D3 D3 75 D9 DC DC 75 1F D3 D3 75 D9 DC 8F 75 1B D3 D3 75 D9 DC 8D 75 1B D3 D3 75 D9 DC 8C 75 76 D3 D3 75 D9 DC 89 75 1B D3 D3 75 52 69 63 68 1A D3 D3 75 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 0B 00 5C 53 19 4B 00 00 00 00 00 00 00 00 E0 00 0E 01 0B 01 07 0A 80 28 06	success or wait	973193071
File opened	Path: ACPI#PNP0303#2&da1a3ff&0\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} Access: append data or add subdirectory or create pipe instance and synchronize Options: synchronous io non alert Attributes: none	success or wait	973398816
File write	Path: \{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} Offset: none Length: 2048 Value: 4C CE 1D 73 2D C6 CA D1 B8 09 DB 19 2D C6 CA D1 58 B0 7A E3 2D C6 CA D1 CB 43 36 84 2D C6 CA D1 29 61 6D 85 2D C6 CA D1 98 0E E8 69 2D C6 CA D1 56 37 EF 66 2D C6 CA D1 7B C9 62 63 2D C6 CA D1 DC 75 65 E3 2D C6 CA D1 A4 84 9A 50 2D C6 CA D1 44 C0 12 E2 2D C6 CA D1 54 FC 31 AA 2D C6 CA D1 56 7B C1 AD 2D C6 CA D1 63 FE B1 F1 2D C6 CA D1 62 A5 83 DD 2D C6 CA D1 48 D1 3F 33 2D C6 CA D1 5A A9 23 BD 2D C6 CA D1 A3 01 E6 CC 2D C6 CA D1 C8 5C 42 08 2D C6 CA D1 62 0F 88 F4 2D C6 CA D1 C9 EB 84 0C 2D C6 CA D1 45 89 A0 17 2D C6 CA D1 55 98 71 2F 2C C6 CA D1 BE 19 76 F3 2C C6 CA D1 47 C0 A5 CB 2C C6 CA D1 BE A0 85 BF 2C C6 CA D1 18 F7 9E D6 2C C6 CA D1 D8 33 BC F1 2C C6 CA D1 42 8D 17 43 2C C6 CA D1 62 D3 CB 46 2C C6 CA D1 BA 0C 96 A9 2C C6 CA D1 44 79 A2 97 2C C6 CA	success or wait	973401317
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	973411617
File created	Path: C:\WINDOWS\system32\drivers\1254331455.sys Access: append data or add subdirectory or create pipe instance and synchronize Options: synchronous io non alert Attributes: none	success or wait	973412437
File write	Path: C:\WINDOWS\system32\drivers\1254331455.sys Offset: none Length: 17408 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 B9 CF 0B 33 FD AE 65 60 FD AE 65 60 FD AE 65 60 7E A6 6A 60 FE AE 65 60 7E A6 38 60 EC AE 65 60 FD AE 64 60 12 AE 65 60 7E A6 39 60 FC AE 65 60 73 A6 3A 60 EE AE 65 60 7E A6 3B 60 FC AE 65 60 7E A6 3F 60 FC AE 65 60 52 69 63 68 FD AE 65 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 00 FC 4F 1D 4E 00 00 00 00 00 00 00 00 E0 00 02	success or wait	973429258
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455 Name: Start Type: Dword Data: 3	success or wait	973430770
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455 Name: Type Type: Dword Data: 1	success or wait	973431258
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455 Name: ErrorControl Type: Dword Data: 1	success or wait	973431715
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455 Name: DisplayName Type: String Data: Virtual Bus for Microsoft ACPI-Compliant System	success or wait	973432051
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: Service Type: String Data: 1254331455	success or wait	973433534
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: ClassGUID Type: String Data: {4D36E97D-E325-11CE-BFC1-08002BE10318}	success or wait	973433911
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: Class Type: String Data: System	success or wait	973434580
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: DeviceDesc Type: String Data: PCI bus	success or wait	973434915
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: Mfg Type: String Data: Technologies Inc	success or wait	973435708
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: LocationInformation Type: String Data: on Microsoft ACPI-Compliant System	success or wait	973436211
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: ConfigFlags Type: Dword Data: 0	success or wait	973437206
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	984025783
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	984026328
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	984065618
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	984066049
File opened	Path: C:\WINDOWS Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert	success or wait	984078680
Key value queried	Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Name: InstallDate	success or wait	984079060

Analysis File: winlogon.exe PID: 608 Parent PID: 772

Sections

General
Start time:	04:48:57
Start date:	26/07/2011
Path:	C:\WINDOWS\system32\winlogon.exe
Commandline:	winlogon.exe
Imagebase:	0x1000000
File size:	507904 bytes
MD5 hash:	ED0EF0A136DEC83DF69F04118870003E

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\system32\msctf.dll	write and read and execute	commit	15D0000	299008	own pid	execute	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: C:\WINDOWS\system32\msctf.dll Access: write and read and execute Type: commit Baseaddress: 15D0000 Size: 299008 Protection: execute Mapped to pid: own pid	success or wait	972578889

Analysis File: * PID: 4 Parent PID: -1

Sections

General
Start time:	04:48:57
Start date:	26/07/2011
Path:	\*
Commandline:	not known
Imagebase:
File size:	455424 bytes
MD5 hash:	C7C653B9CE1B9177200372816B560E64

File Activities:

File opened
File Path	Access	Options	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	generic read	no options	success or wait	1

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	read	commit	40000	12288	own pid	readonly	success or wait	1

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_.MRXSMB\0000\Control	ActiveService	String	.mrxsmb	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb\Enum	Count	Dword	1	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb\Enum	NextInstance	Dword	1	success or wait	1

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb\Enum	Count	object name not found	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb	ImagePath	success or wait	1

Driver Activities:

Device created
Device name	Device type	Completion	Count	Source Address
\??\ACPI#PNP0303#2&da1a3ff&0	unknown	success or wait	1

Chronological sections
Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb\Enum Name: Count	object name not found	972829718
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_.MRXSMB\0000\Control Name: ActiveService Type: String Data: .mrxsmb	success or wait	972838566
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb\Enum Name: Count Type: Dword Data: 1	success or wait	972838752
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb\Enum Name: NextInstance Type: Dword Data: 1	success or wait	972838897
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.mrxsmb Name: ImagePath	success or wait	972839040
File opened	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: generic read Options: no options	success or wait	972839239
Section loaded	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: read Type: commit Baseaddress: 40000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	972839839
Device created	Device Name: \??\ACPI#PNP0303#2&da1a3ff&0 Device Type: unknown	success or wait	972862045

Analysis File: 1254331455.SYS PID: 4 Parent PID: -1

Sections

General
Start time:	04:49:00
Start date:	26/07/2011
Path:	C:\WINDOWS\System32\Drivers\1254331455.SYS
Commandline:	not known
Imagebase:
File size:	17408 bytes
MD5 hash:	88473C7FF4698E92BC7177415E14D666

File Activities:

File opened
File Path	Access	Options	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	generic read	no options	success or wait	1

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
C:\WINDOWS\AppPatch\drvmain.sdb	read	commit	40000	12288	own pid	readonly	success or wait	1

Registry Activities:

Key value set
Key Path	Name	Type	Data	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000\Control	ActiveService	String	1254331455	success or wait	1

Key value queried
Key Path	Name	Completion	Count	Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455\Enum	Count	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	ConfigFlags	success or wait	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	Legacy	object name not found	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455	ImagePath	object name not found	1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000	Count	success or wait	1

Chronological sections
Operation	Data	Completion	Time
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455\Enum Name: Count	success or wait	981160532
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: ConfigFlags	success or wait	981161973
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: Legacy	object name not found	981162429
Key value set	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000\Control Name: ActiveService Type: String Data: 1254331455	success or wait	981162829
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1254331455 Name: ImagePath	object name not found	981163119
File opened	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: generic read Options: no options	success or wait	981163318
Section loaded	Path: C:\WINDOWS\AppPatch\drvmain.sdb Access: read Type: commit Baseaddress: 40000 Size: 12288 Protection: readonly Mapped to pid: own pid	success or wait	981163896
Key value queried	Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\*PNP2103\0000 Name: Count	success or wait	981174751

Analysis File: svchost.exe PID: 1560 Parent PID: 652

Sections

General
Start time:	04:49:00
Start date:	26/07/2011
Path:	\Device\svchost.exe
Commandline:	not known
Imagebase:	0x400000
File size:	bytes
MD5 hash:

Section Activities:

Section loaded by Windows
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address
\KnownDlls\kernel32.dll	write and read and execute	unknown	7C800000	1007616	own pid	read write	success or wait	1
\NLS\NlsSectionUnicode	read	unknown	260000	90112	own pid	readonly	success or wait	1
\NLS\NlsSectionLocale	read	unknown	280000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortkey	query and read	unknown	2D0000	266240	own pid	readonly	success or wait	1
\NLS\NlsSectionSortTbls	read	unknown	320000	24576	own pid	readonly	success or wait	1

Section loaded by program
File Path	Access	Type	Base	Size	Mapped to pid	Protection	Completion	Count	Source Address

Chronological sections
Operation	Data	Completion	Time
Section loaded	Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid	success or wait	982137316
Section loaded	Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size: 90112 Protection: readonly Mapped to pid: own pid	success or wait	982142935
Section loaded	Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	982143766
Section loaded	Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000 Size: 266240 Protection: readonly Mapped to pid: own pid	success or wait	982144463
Section loaded	Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size: 24576 Protection: readonly Mapped to pid: own pid	success or wait	982144881