General Information

Start time: 11:26:53
Start date: 16/08/2012
Overall analysis duration: 0h 3m 26s
Sample file name: Hermes_.exe
Cookbook file name: Screen Action.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Errors:
  • Too many NtProtectVirtualMemory calls (excessive behavior)
  • Too many NtAllocateVirtualMemory calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures

Creates files inside the user directory
Creates temporary files
Printf formatting strings found in memory and binary data
Queries a list of all running processes
Urls found in memory or binary data
Changes the view of files in windows explorer (hides hidden files and folders)
Creates an autostart registry key
Creates mutexes \BaseNamedObjects\Global\NtKernelProc.1728 \BaseNamedObjects\Global\NtSys32AutoLock \BaseNamedObjects\Global\NtKernelTrusted \BaseNamedObjects\Global\NtKernelProc.1552 \BaseNamedObjects\NtKernelInjLock \BaseNamedObjects\Global\NtKernelProc.1924
Drops PE files
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Modifies the prolog of usermode functions (usermode inline hooks)
Writes to foreign memory regions

Startup

  • system is xp
  • Hermes_.exe (PID: 2332 MD5: 20BE4F07F9A12C35463361A7212CA5FF)
    • explorer.exe (PID: 1552 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
      • ctfmon.exe (PID: 1728 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)
      • wscntfy.exe (PID: 1924 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)
  • cleanup

Created / dropped Files

File Path MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp 866A64601DEB0FCA0C21F8CEA5FD66B0
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe 20BE4F07F9A12C35463361A7212CA5FF
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat 313C023B6803F33A448814B60E1C964D
\Win64Expected 94A7BD08C204D6ECFE560A95862F8FC9

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP info

Static File Info

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name: Hermes_.exe
File size: 407040
MD5: 20be4f07f9a12c35463361a7212ca5ff
SHA1: 07b2a4af66c5de5f69a1efd175de3bff9d48ba8e
SHA256: f42e71f3e5121412e2c82d7ac982e5036f63d39c1c6591c3630f6b3fd8a48180
SHA512: 7adef3f325acda1c8babe9d5f1e03d36ee4fbd8fe2d6698fa8f70a301483ca34fe7fc62afce52e05a1615c77d4ae285e7378b259cfea6dfa1a9b5055a52c21bb

Static PE Info

General
Entrypoint: 0x401000
Entrypoint Section:
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x27E2A2D4 [Sat Mar 16 22:57:24 1991 UTC]
TLS Callbacks:
Resources
Name RVA Size Type Language Country
RT_ICON 0x18d478 0x10a8 data
RT_GROUP_ICON 0x18e520 0x14 MS Windows icon resource - 1 icon
RT_VERSION 0x18e534 0x384 data
RT_VERSION 0x18e8b8 0x384 data
RT_VERSION 0x18ec3c 0x384 data
RT_VERSION 0x18efc0 0x384 data
RT_VERSION 0x18f344 0x384 data
RT_VERSION 0x18f6c8 0x384 data
RT_VERSION 0x18fa4c 0x384 data
RT_VERSION 0x18fdd0 0x384 data
RT_VERSION 0x190154 0x384 data
RT_VERSION 0x1904d8 0x384 data
RT_VERSION 0x19085c 0x384 data
RT_VERSION 0x190be0 0x384 data
RT_VERSION 0x190f64 0x384 data
RT_VERSION 0x1912e8 0x384 data
RT_VERSION 0x19166c 0x384 data
RT_VERSION 0x1919f0 0x384 data
RT_VERSION 0x191d74 0x384 data
RT_VERSION 0x1920f8 0x384 data
RT_VERSION 0x19247c 0x384 data
RT_VERSION 0x192800 0x384 data
Imports
DLL Import
kernel32.dll GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll GetForegroundWindow
ntprint.dll PSetupSelectDeviceButtons
version.dll VerQueryValueA
gdi32.dll UnrealizeObject
comctl32.dll ImageList_SetIconSize
oleaut32.dll VariantChangeTypeEx
kernel32.dll RaiseException
Sections
Name Virtual Address Virtual Size Raw Size Entropy
0x1000 0x153000 0x4600 7.98945756036
0x154000 0x1000 0x400 7.83865363724
0x155000 0x1000 0x200 7.58564983137
0x156000 0x37000 0x36800 7.99918501105
.rsrc 0x18d000 0x6000 0x5c00 3.93367409359
.data 0x193000 0x59000 0x22000 7.82172434208
.adata 0x1ec000 0x1000 0x0 0.0
Version Infos
Description Data
LegalCopyright (c) 2000-2010 Martin Prikryl
InternalName winscp
FileVersion 4.2.9.938
CompanyName Martin Prikryl
ReleaseType stable
LegalTrademarks
WWW http://winscp.net/
ProductName WinSCP
ProductVersion 4.2.9.0
FileDescription WinSCP: SFTP, FTP and SCP client
OriginalFilename winscp.exe
Possible Origin
Language of compilation system Country where language is spoken Map

String Analysis

Formattings for printf style functions
String value Source
%SystemRoot%\System32\mswsock.dll Hermes_.exe
Ebp: %x Hermes_.exe
c30lO%EPX;1 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
|%SystemRoot%\system32\rsvpsp.dll Hermes_.exe
o#?0%pF ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Pw%n[w Hermes_.exe
n%fDF, ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
[.\ApiHooker.cpp(64)] Init: 0x%x %d %d %d %d ctfmon.exe, wscntfy.exe
Ebx: %x Hermes_.exe
%n Options\Hermes Hermes_.exe
- [%s] Hermes_.exe
%d.%d.%d.%d Hermes_.exe
NT 4.%u Hermes_.exe
Ecx: %x Hermes_.exe
c30%O<E_X:1xz 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
The procedure entry point %s could not be located in the dynamic link library %s Hermes_.exe
Assertion failed: %s, file %s, line %d Hermes_.exe
[%d: huff+mtf wscntfy.exe
s#y%PS UpgradeHelper.exe.dr
O%i; O ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
zwcW0%O<EMX01 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
$%e+.Nb ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Esp: %x Hermes_.exe
Code = [%d] Hermes_.exe
/y C%cE ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
k%NM*L ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
NT 3.%u Hermes_.exe
p,g%Sq wscntfy.exe
@2(YfU5iqi*%c ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
%Ph[7] Hermes_.exe
>=Q*pcV0lORE9XU1xz%XN ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Eip: %x Hermes_.exe
"I/%Sz/ ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Edi: %x Hermes_.exe
Edx: %x Hermes_.exe
[.\HermesCore.cpp(1971)] ProcessHandShakeMessage: %u %d explorer.exe
al\NtKernelProc.%u wscntfy.exe
0ZW0z%gI=%z 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
';%sW/!a8 wscntfy.exe
cDe%S7 ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
[.\HermesCore.cpp(746)] MainCoreLoop: App Type: %d IL: %d ctfmon.exe, wscntfy.exe
Global\NtKernelProc.%u Hermes_.exe, ctfmon.exe, explorer.exe, wscntfy.exe
2+%l-% ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Esi: %x Hermes_.exe
lhaplpkbq%eiuw Hermes_.exe
%s.F@ 4V ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
%5%cgc=z UpgradeHelper.exe.dr
Eax: %x Hermes_.exe
The ordinal %u could not be located in the dynamic link library %s Hermes_.exe
6]G%Nw ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
u8%e.s ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
[.\HermesCore.cpp(1893)] PPM: %d explorer.exe
%S}n#>D UpgradeHelper.exe.dr
x],%dg ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
`H;5%ER ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
deb%s^ UpgradeHelper.exe.dr
DragDrop%lx Hermes_.exe
his=H%L UpgradeHelper.exe.dr
P6 (Model %d) Hermes_.exe
%XZN{,- wscntfy.exe
%SystemRoot%\system32\rsvpsp.dll Hermes_.exe
%SystemRoot%\System32\winrnr.dll Hermes_.exe
+%dd/2 ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
%SystemRoot%\system32\mswsock.dll Hermes_.exe
URLs
String value Source
http://winscp.net/ UpgradeHelper.exe.dr
http://www.autoitscript.com/autoit3/ explorer.exe

Network Behavior

No network behavior found

Code Manipulation Behavior

User Modules
Hook Summary
Function Name Hook Type Active in Processes
CreateProcessW INLINE ctfmon.exe, wscntfy.exe, explorer.exe
CreateProcessA INLINE ctfmon.exe, wscntfy.exe, explorer.exe
CreateProcessAsUserW INLINE ctfmon.exe, wscntfy.exe, explorer.exe
CreateProcessAsUserA INLINE ctfmon.exe, wscntfy.exe, explorer.exe
Processes
Process: ctfmon.exe, Module: kernel32.dll
Function Name Hook Type New Data
CreateProcessW INLINE 0xE9 0x90 0x07 0x7F 0xF3 0x3F
CreateProcessA INLINE 0xE9 0x9B 0xBC 0xCF 0xF1 0x1F
Process: ctfmon.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CreateProcessAsUserW INLINE 0xE9 0x9C 0xC3 0x36 0x6F 0xF9
CreateProcessAsUserA INLINE 0xE9 0x96 0x6B 0xB0 0x0A 0xA9
Process: wscntfy.exe, Module: kernel32.dll
Function Name Hook Type New Data
CreateProcessW INLINE 0xE9 0x90 0x07 0x7F 0xF3 0x36
CreateProcessA INLINE 0xE9 0x9B 0xBC 0xCF 0xF1 0x16
Process: wscntfy.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CreateProcessAsUserW INLINE 0xE9 0x9C 0xC3 0x36 0x6F 0xF0
CreateProcessAsUserA INLINE 0xE9 0x96 0x6B 0xB0 0x0A 0xA0
Process: explorer.exe, Module: kernel32.dll
Function Name Hook Type New Data
CreateProcessW INLINE 0xE9 0x90 0x07 0x7F 0xF3 0x35
CreateProcessA INLINE 0xE9 0x9B 0xBC 0xCF 0xF1 0x15
Process: explorer.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CreateProcessAsUserW INLINE 0xE9 0x9C 0xC3 0x36 0x6F 0xFF
CreateProcessAsUserA INLINE 0xE9 0x96 0x6B 0xB0 0x0A 0xAF

System Behavior

General
Start time: 09:39:48
Start date: 24/01/2012
Path: C:\Hermes_.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 407040 bytes
MD5 hash: 20BE4F07F9A12C35463361A7212CA5FF

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\WINDOWS\explorer.exe read data or list directory and read ea and read attributes and read control and synchronize synchronous io non alert false success or wait 1 4030D8 NtOpenFile
Scsi0: read attributes and synchronize and generic read and generic write synchronous io non alert and non directory file true success or wait 1 5C70D8 CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\user32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ntprint.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ntprint.dll query and write and read and execute image 5F180000 98304 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\KnownDlls\mscms.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\mscms.dll query and write and read and execute image 73B30000 86016 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
\KnownDlls\oleaut32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 5F0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 5F0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown A30000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit A40000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A40000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A40000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit A40000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit A40000 4096 own pid readonly success or wait 1
C:\Hermes_.exe read commit A60000 409600 own pid readonly success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit A80000 618496 own pid readonly success or wait 1
unknown query and write and read commit AB0000 20480 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\wsock32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 5E84B7
C:\WINDOWS\system32\wsock32.dll query and write and read and execute image 71AD0000 36864 own pid read write success or wait 1 5E84B7
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 5E84B7
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 5E84B7
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 5E84B7
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 5E84B7
\KnownDlls\MFC42.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1 AA033A
C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1 AA033A
\KnownDlls\MSVCP60.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 AA033A
C:\WINDOWS\system32\msvcp60.dll query and write and read and execute image 76080000 413696 own pid read write success or wait 1 AA033A
\KnownDlls\psapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 4021D4
C:\WINDOWS\system32\psapi.dll query and write and read and execute image 76BF0000 45056 own pid read write success or wait 1 4021D4

Registry Activities

Key Path Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key NULL unicode success or wait 1 5BF5D5 RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key unicode regfile success or wait 1 5BF636 RegSetValueExA
Key Path Name Completion Count Source Address Symbol

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Process info class Completion Count Source Address Symbol
1552 ImageFileName success or wait 1 40221B GetProcessImageFileNameA
PID Filepath Completion Count Source Address Symbol
2332 C:\Hermes_.exe success or wait 1 40102D ExitProcess

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
4004 1552 7C8106F9 BA28C6 C:\WINDOWS\explorer.exe success or wait 1 402598 CreateRemoteThread
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol
2336 0s success or wait 44 4016A7 Sleep

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe … success or wait 1 402532 WriteProcessMemory
1552 C:\WINDOWS\explorer.exe C90000 305 00 00 00 00 00 00 BE 00 00 00 BA 00 00 60 03 00 01 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 40254A WriteProcessMemory
1552 C:\WINDOWS\explorer.exe … success or wait 1 40256A WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
2332 C:\Hermes_.exe A80000 12FF80 page execute and read and write success or wait 1 593186 VirtualAlloc
2332 C:\Hermes_.exe A80000 12FF48 page read and write success or wait 5 5E80CA VirtualAlloc
2332 C:\Hermes_.exe B30000 12FE08 page no access success or wait 1 5B63FC VirtualAlloc
2332 C:\Hermes_.exe B30000 12FDF8 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe B34000 12FE8C page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe A80000 12FEB4 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe A90000 12FEB4 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AA0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B3C000 12FE24 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe AB0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AC0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AD0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AE0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B40000 12FE24 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe AF0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B00000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B10000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C30000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C40000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C50000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C60000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B44000 12FEAC page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe C70000 12FF2C page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1DC page execute and read and write success or wait 2 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F0BC page execute and read and write success or wait 5 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B44000 12FD68 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe B44000 12FD58 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1F0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1CC page execute and read and write success or wait 21 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1D8 page execute and read and write success or wait 4 5D49DE VirtualAlloc
1552 C:\WINDOWS\explorer.exe BA0000 12FC3C page execute and read and write success or wait 1 40246B VirtualAllocEx
1552 C:\WINDOWS\explorer.exe BE0000 12FC3C page execute and read and write success or wait 1 402480 VirtualAllocEx
1552 C:\WINDOWS\explorer.exe C90000 12FC3C page read and write success or wait 1 402493 VirtualAllocEx
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:49 2 4 2
09:39:50 2 4 2
09:39:54 3 5 3

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 1 403A68 CreateToolhelp32Snapshot

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

HWND Completion Count Source Address Symbol
10084 success 44 40167D NtUserGetForegroundWindow
90086 success 1 4016BD NtUserGetForegroundWindow

Chronological Activities

Operation Data Completion Time
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF80 Allocation Type: unknown Protection: page execute and read and write success or wait 533520825
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533531462
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533533103
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533551502
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533554664
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533555820
Section loaded Path: \KnownDlls\wsock32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 533558367
Section loaded Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 533560807
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 533564249
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 533566069
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 533571098
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 533572942
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B30000 Length: 12FE08 Allocation Type: unknown Protection: page no access success or wait 533581123
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B30000 Length: 12FDF8 Allocation Type: unknown Protection: page read and write success or wait 533581401
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B34000 Length: 12FE8C Allocation Type: unknown Protection: page read and write success or wait 533652737
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FEB4 Allocation Type: unknown Protection: page execute and read and write success or wait 533710483
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A90000 Length: 12FEB4 Allocation Type: unknown Protection: page execute and read and write success or wait 533710924
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AA0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533711707
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B3C000 Length: 12FE24 Allocation Type: unknown Protection: page read and write success or wait 533712040
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AB0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533712383
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AC0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533712707
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AD0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533713029
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AE0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533713402
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B40000 Length: 12FE24 Allocation Type: unknown Protection: page read and write success or wait 533713815
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AF0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533714247
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B00000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533714612
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B10000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533714934
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C30000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533715258
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C40000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533715649
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C50000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533715973
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C60000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533716296
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FEAC Allocation Type: unknown Protection: page read and write success or wait 533717174
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C70000 Length: 12FF2C Allocation Type: unknown Protection: page execute and read and write success or wait 533717480
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown Protection: page execute and read and write success or wait 533717860
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533718230
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FD68 Allocation Type: unknown Protection: page read and write success or wait 533718532
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533721669
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533722050
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FD58 Allocation Type: unknown Protection: page read and write success or wait 533722356
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533725522
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533725969
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1F0 Allocation Type: unknown Protection: page execute and read and write success or wait 533726379
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533726750
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533727093
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533727433
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533728577
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533728969
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533729314
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533731089
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533731434
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533731774
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533732114
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533732452
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533732796
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533733338
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533733681
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533734022
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533734362
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533734700
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533735042
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533735469
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533735812
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533736151
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533736492
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533736829
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533737171
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown Protection: page execute and read and write success or wait 533755644
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533756049
File opened Path: Scsi0: Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 533944177
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: NULL Type: unicode Data: Old data: success or wait 534022596
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: Type: unicode Data: regfile Old data: success or wait 534027752
Foreground Window Got HWND: 10084 success 534051990
Thread delayed Time: 0 TID: 2336 success or wait 534053095
Foreground Window Got HWND: 10084 success 534447209
Thread delayed Time: 0 TID: 2336 success or wait 534447548
Foreground Window Got HWND: 10084 success 534835880
Thread delayed Time: 0 TID: 2336 success or wait 534836181
Foreground Window Got HWND: 10084 success 535227411
Thread delayed Time: 0 TID: 2336 success or wait 535227655
Foreground Window Got HWND: 10084 success 535618895
Thread delayed Time: 0 TID: 2336 success or wait 535619139
Foreground Window Got HWND: 10084 success 536010676
Thread delayed Time: 0 TID: 2336 success or wait 536010938
Foreground Window Got HWND: 10084 success 536404860
Thread delayed Time: 0 TID: 2336 success or wait 536405120
Foreground Window Got HWND: 10084 success 536796514
Thread delayed Time: 0 TID: 2336 success or wait 536796818
Foreground Window Got HWND: 10084 success 537184965
Thread delayed Time: 0 TID: 2336 success or wait 537185270
Foreground Window Got HWND: 10084 success 537576609
Thread delayed Time: 0 TID: 2336 success or wait 537576853
Foreground Window Got HWND: 10084 success 537970784
Thread delayed Time: 0 TID: 2336 success or wait 537971076
Foreground Window Got HWND: 10084 success 538361805
Thread delayed Time: 0 TID: 2336 success or wait 538362048
Foreground Window Got HWND: 10084 success 538751083
Thread delayed Time: 0 TID: 2336 success or wait 538751330
Foreground Window Got HWND: 10084 success 539142565
Thread delayed Time: 0 TID: 2336 success or wait 539142907
Foreground Window Got HWND: 10084 success 539535872
Thread delayed Time: 0 TID: 2336 success or wait 539536221
Foreground Window Got HWND: 10084 success 539925698
Thread delayed Time: 0 TID: 2336 success or wait 539925963
Foreground Window Got HWND: 10084 success 540317423
Thread delayed Time: 0 TID: 2336 success or wait 540317667
Foreground Window Got HWND: 10084 success 540708680
Thread delayed Time: 0 TID: 2336 success or wait 540708925
Foreground Window Got HWND: 10084 success 541100731
Thread delayed Time: 0 TID: 2336 success or wait 541100986
Foreground Window Got HWND: 10084 success 541491648
Thread delayed Time: 0 TID: 2336 success or wait 541493527
Foreground Window Got HWND: 10084 success 541883110
Thread delayed Time: 0 TID: 2336 success or wait 541883492
Foreground Window Got HWND: 10084 success 542274427
Thread delayed Time: 0 TID: 2336 success or wait 542274674
Foreground Window Got HWND: 10084 success 542668297
Thread delayed Time: 0 TID: 2336 success or wait 542668543
Foreground Window Got HWND: 10084 success 543065083
Thread delayed Time: 0 TID: 2336 success or wait 543067934
Foreground Window Got HWND: 10084 success 543449522
Thread delayed Time: 0 TID: 2336 success or wait 543449785
Foreground Window Got HWND: 10084 success 543840731
Thread delayed Time: 0 TID: 2336 success or wait 543841069
Foreground Window Got HWND: 10084 success 544232184
Thread delayed Time: 0 TID: 2336 success or wait 544232482
Foreground Window Got HWND: 10084 success 544623719
Thread delayed Time: 0 TID: 2336 success or wait 544623963
Foreground Window Got HWND: 10084 success 545015261
Thread delayed Time: 0 TID: 2336 success or wait 545015507
Foreground Window Got HWND: 10084 success 545407198
Thread delayed Time: 0 TID: 2336 success or wait 545407443
Foreground Window Got HWND: 10084 success 545798831
Thread delayed Time: 0 TID: 2336 success or wait 545799099
Foreground Window Got HWND: 10084 success 546189820
Thread delayed Time: 0 TID: 2336 success or wait 546190498
Foreground Window Got HWND: 10084 success 546584983
Thread delayed Time: 0 TID: 2336 success or wait 546585286
Foreground Window Got HWND: 10084 success 546977775
Thread delayed Time: 0 TID: 2336 success or wait 546980356
Foreground Window Got HWND: 10084 success 547364291
Thread delayed Time: 0 TID: 2336 success or wait 547364534
Foreground Window Got HWND: 10084 success 547756961
Thread delayed Time: 0 TID: 2336 success or wait 547757205
Foreground Window Got HWND: 10084 success 548147454
Thread delayed Time: 0 TID: 2336 success or wait 548147703
Foreground Window Got HWND: 10084 success 548541427
Thread delayed Time: 0 TID: 2336 success or wait 548541767
Foreground Window Got HWND: 10084 success 548930338
Thread delayed Time: 0 TID: 2336 success or wait 548930637
Foreground Window Got HWND: 10084 success 549321870
Thread delayed Time: 0 TID: 2336 success or wait 549322114
Foreground Window Got HWND: 10084 success 549713362
Thread delayed Time: 0 TID: 2336 success or wait 549713605
Foreground Window Got HWND: 10084 success 550105074
Thread delayed Time: 0 TID: 2336 success or wait 550105316
Foreground Window Got HWND: 10084 success 550496522
Thread delayed Time: 0 TID: 2336 success or wait 550496787
Foreground Window Got HWND: 10084 success 550887956
Thread delayed Time: 0 TID: 2336 success or wait 550890563
Foreground Window Got HWND: 90086 success 551279472
Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 551285471
Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 551290299
Section loaded Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 551428776
Section loaded Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid success or wait 551430533
System info queried Type: ProcessInformation success or wait 551442671
Section loaded Path: \KnownDlls\psapi.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 551495209
Section loaded Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid success or wait 551497119
Process information queried PID: 1552 Info Class: ImageFileName success or wait 551501084
File opened Path: C:\WINDOWS\explorer.exe Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert Overwritten: false success or wait 551502172
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 12FC3C Allocation Type: unknown Protection: page execute and read and write success or wait 551505918
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 12FC3C Allocation Type: unknown Protection: page execute and read and write success or wait 551506221
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 12FC3C Allocation Type: unknown Protection: page read and write success or wait 551506510
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 559385601
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 305 Value: 00 00 00 00 00 00 BE 00 00 00 BA 00 00 60 03 00 01 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 559423387
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 559435803
Thread created PID: 1552 TID: 4004 EIP: 7C8106F9 EAX: BA28C6 Imagepath: C:\WINDOWS\explorer.exe success or wait 559446958
Process terminated PID: 2332 Path: C:\Hermes_.exe success or wait 559450681
General
Start time: 09:39:54
Start date: 24/01/2012
Path: C:\WINDOWS\explorer.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\Explorer.EXE
Imagebase: 0x1000000
File size: 1033728 bytes
MD5 hash: 12896823FB95BFB3DC9B46BCAEDC9923

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\WINDOWS\system32\ctfmon.exe read data or list directory and read ea and read attributes and read control and synchronize synchronous io non alert false success or wait 1 BA30D8 NtOpenFile
C:\WINDOWS\system32\wscntfy.exe read data or list directory and read ea and read attributes and read control and synchronize synchronous io non alert false success or wait 1 BA30D8 NtOpenFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp read attributes and synchronize and generic write synchronous io non alert and non directory file true success or wait 11 D72204 CreateFileA
C:\Hermes_.exe read attributes and synchronize and generic read synchronous io non alert and non directory file true success or wait 1 D7217D CreateFileA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1 D80C4C GetTempFileNameA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LM73.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1 D80C4C GetTempFileNameA
C:\Documents and Settings\Administrator\Application Data\TeamViewer read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D755F9 CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE} read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D75636 CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 D72204 CreateFileA
C:\Documents and Settings\Administrator\Application Data\Dropbox read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D74CB2 CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031} read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D74CEF CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 D72204 CreateFileA
File Path Completion Count Source Address Symbol
C:\Hermes_.exe cannot delete 1 D74A08 DeleteFileA
C:\Hermes_.exe success or wait 1 D74A08 DeleteFileA
File Path Offset Length Value Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 374 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 127 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0F 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 09 0B 0F 17 63 1E 73 5F 57 50 7D 51 4C 5B 72 51 51 4E 04 1E 7C 4B 57 52 5A 04 1E 0B 0E 0F 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 success or wait 1 D7223A WriteFile
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat unknown 407040 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 148 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 09 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0C 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 08 08 0C 17 63 1E 79 5B 4A 7F 4B 4A 51 6C 4B 50 68 5F 52 4B 5B 70 5F 53 5B 04 1E 6B 50 5F 5C 52 5B 1E 4A 51 1E 4F 4B 5B 4C 47 1E success or wait 1 D7223A WriteFile
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe unknown 407040 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0E 63 04 65 07 07 09 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 135 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 07 09 0F 17 63 1E 6E 4C 51 5D 5B 4D 4D 76 5F 50 5A 6D 56 5F 55 5B 73 5B 4D 4D 5F 59 5B 04 1E 0F 09 0C 06 1E 0C 63 04 65 0F 06 0D success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0B 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 396 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0E 63 04 65 07 07 09 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 135 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 07 09 0F 17 63 1E 6E 4C 51 5D 5B 4D 4D 76 5F 50 5A 6D 56 5F 55 5B 73 5B 4D 4D 5F 59 5B 04 1E 0F 07 0C 0A 1E 0C 63 04 65 0F 06 0D success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0B 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 399 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 1 D7223A WriteFile
File Path Offset Length Value Completion Count Source Address Symbol
C:\Hermes_.exe unknown 407040 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 1 D721B4 ReadFile
File Path Disposition Data Ascii Data Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 0 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 374 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 501 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 649 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 759 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 894 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1004 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1400 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1510 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1645 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1755 success or wait 1 D72225 SetFilePointer

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
C:\WINDOWS\system32\xpsp1res.dll query and read commit D30000 188416 own pid readonly success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\MFC42.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1 BA46BE
C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1 BA46BE

Registry Activities

Key Path Name Type Data Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrId dword 114 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrMask dword 62 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainId dword 115 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainMask dword 126 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage CustomBarMenu binary 12 40 2C 27 39 53 19 22 37 2B 4D 2B 75 50 16 1E 45 0B 2B 44 2E 3E 5E 1D 3E 3B 7C 59 3C 13 1E 0A 25 44 1E 2E 26 2A 4B 04 14 41 08 16 0C 3B 2F 44 33 38 5E 5A 09 06 49 5C 0D 2E 15 02 3B 66 05 2A 25 20 4B 04 2E 75 4E 4E 55 6E 0F 08 6A 7A 00 3C 79 21 10 09 12 48 42 4E 14 05 2E 0E 7F 73 0B 68 64 05 4A 4C 23 60 0A 73 1F 2A 6C 49 7A 23 04 0F 64 4F 33 52 15 72 2F 7B 6A 72 7F 61 16 70 49 48 55 6A 0B 07 19 60 71 3C 7B 26 09 13 35 1B 04 success or wait 1 D75288 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFile dword 3 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFolder dword 18 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run UpgradeHelper unicode C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe success or wait 1 D7FEC0 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMenuMask dword 77654 success or wait 1 BA1565 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartProcIrq dword 6 success or wait 1 D80016 RegSetValueExA
Key Path Name Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMenuMask object name not found 1 BA1426 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage AdvancedImages object name not found 1 D7FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrId object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrMask object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainId object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainMask object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFile object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFile success or wait 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run UpgradeHelper buffer overflow 4 D7FEE9 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage ModulesCache object name not found 1 D7FF75 RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol
\BaseNamedObjects\Global\NtKernelProc.1552 success or wait 1 BA2CF8 CreateMutexA
\BaseNamedObjects\Global\NtKernelTrusted success or wait 1 D74595 CreateMutexA
\BaseNamedObjects\NtKernelInjLock success or wait 88 BA2BAA CreateMutexA
\BaseNamedObjects\Global\NtSys32AutoLock success or wait 1 D7ABD9 CreateMutexA

Process Activities

PID Process info class Completion Count Source Address Symbol
1552 Wow64Information success or wait 1 D72835 IsWow64Process
1728 ImageFileName success or wait 1 BA221B GetProcessImageFileNameA
1924 ImageFileName success or wait 1 BA221B GetProcessImageFileNameA

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
4020 1552 7C8106F9 D74458 C:\WINDOWS\explorer.exe success or wait 1 D74364 CreateThread
4024 1552 7C8106F9 BA2B47 C:\WINDOWS\explorer.exe success or wait 1 BA2AFC CreateThread
484 1552 7C8106F9 D75D48 C:\WINDOWS\explorer.exe success or wait 1 D75D0F CreateThread
988 1552 7C8106F9 D879B3 C:\WINDOWS\explorer.exe success or wait 1 D878FB CreateThread
3052 1728 7C8106F9 D628C6 C:\WINDOWS\system32\ctfmon.exe success or wait 1 BA2598 CreateRemoteThread
3080 1552 7C8106F9 D87FBA C:\WINDOWS\explorer.exe success or wait 1 D87BCB CreateThread
3560 1924 7C8106F9 AE28C6 C:\WINDOWS\system32\wscntfy.exe success or wait 1 BA2598 CreateRemoteThread
3580 1552 7C8106F9 D87FBA C:\WINDOWS\explorer.exe success or wait 1 D87BCB CreateThread
TID PID Path Completion Count Source Address Symbol
3080 1552 C:\WINDOWS\explorer.exe success or wait 1 D87C7B ResumeThread
3580 1552 C:\WINDOWS\explorer.exe success or wait 1 D87C7B ResumeThread
TID Delay Completion Count Source Address Symbol
4024 -1s success or wait 89 BA27F4 Sleep
4024 -10s success or wait 4 BA2804 Sleep

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe 7C80236B 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
1552 C:\WINDOWS\explorer.exe 7C802336 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
1552 C:\WINDOWS\explorer.exe 77E10CE8 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
1552 C:\WINDOWS\explorer.exe 77DEA8A9 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
PID Filepath Base Length Value Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe 7C80236B 5 E9 BC F1 56 84 success or wait 1 D7110E WriteProcessMemory
1552 C:\WINDOWS\explorer.exe 7C802336 5 E9 07 F3 56 84 success or wait 1 D7110E WriteProcessMemory
1552 C:\WINDOWS\explorer.exe 77E10CE8 5 E9 6B 0A F6 88 success or wait 1 D7110E WriteProcessMemory
1552 C:\WINDOWS\explorer.exe 77DEA8A9 5 E9 C3 6F F8 88 success or wait 1 D7110E WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe success or wait 1 BA2532 WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe A30000 305 00 00 00 00 00 00 DA 00 00 00 D6 00 00 60 03 00 00 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 BA254A WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe … success or wait 1 BA256A WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe … success or wait 1 BA2532 WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe B60000 305 00 00 00 00 00 00 B2 00 00 00 AE 00 00 60 03 00 00 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 BA254A WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe … success or wait 1 BA256A WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe 30C8000 D6FB6C page read and write success or wait 1 BA5200 malloc
1552 C:\WINDOWS\explorer.exe 39F0000 D6FD00 page read and write success or wait 1 BA5200 malloc
1552 C:\WINDOWS\explorer.exe D70000 D6FE5C page read and write success or wait 1 BA4999 VirtualAlloc
1552 C:\WINDOWS\explorer.exe CA0000 D6FE1C page read and write success or wait 1 D9AC87 HeapCreate
1552 C:\WINDOWS\explorer.exe CA0000 D6FE20 page read and write success or wait 1 D9AC87 HeapCreate
1552 C:\WINDOWS\explorer.exe CA1000 D6FAFC page read and write success or wait 1 D9AC87 HeapCreate
1552 C:\WINDOWS\explorer.exe CB0000 D6FE28 page execute and read and write success or wait 1 D710AD VirtualAlloc
1552 C:\WINDOWS\explorer.exe DD0000 D6FE28 page execute and read and write success or wait 1 D710AD VirtualAlloc
1552 C:\WINDOWS\explorer.exe DE0000 D6FE08 page execute and read and write success or wait 1 D710AD VirtualAlloc
1552 C:\WINDOWS\explorer.exe DF0000 D6FE00 page execute and read and write success or wait 1 D710AD VirtualAlloc
1728 C:\WINDOWS\system32\ctfmon.exe D60000 199FCA8 page execute and read and write success or wait 1 BA246B VirtualAllocEx
1728 C:\WINDOWS\system32\ctfmon.exe DA0000 199FCA8 page execute and read and write success or wait 1 BA2480 VirtualAllocEx
1728 C:\WINDOWS\system32\ctfmon.exe A30000 199FCA8 page read and write success or wait 1 BA2493 VirtualAllocEx
1924 C:\WINDOWS\system32\wscntfy.exe AE0000 199FCA8 page execute and read and write success or wait 1 BA246B VirtualAllocEx
1924 C:\WINDOWS\system32\wscntfy.exe B20000 199FCA8 page execute and read and write success or wait 1 BA2480 VirtualAllocEx
1924 C:\WINDOWS\system32\wscntfy.exe B60000 199FCA8 page read and write success or wait 1 BA2493 VirtualAllocEx
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe D71000 3A000 page execute read page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DAB000 C000 page readonly page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DB7000 3000 page read and write page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DBC000 1000 page readonly page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DBD000 5000 page readonly page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C80236B 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C80236B 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C802336 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C802336 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77E10CE8 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77E10CE8 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77DEA8A9 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77DEA8A9 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
Time Private Usage (MB) Working Set (MB) Page File Usage (MB)
09:39:54 20 28 20
09:39:55 20 34 20
09:39:56 23 38 23
09:39:57 22 37 22
09:39:58 22 37 22
09:40:01 22 37 22
09:40:15 23 37 23
09:40:16 23 37 23
09:40:18 23 37 23
09:40:33 23 36 23
09:40:37 23 36 23

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 4 BA3A68 CreateToolhelp32Snapshot

Windows UI Activities

Desktop HWND Parent HWND Enum Children TID Window Handles Completion Count Source Address Symbol
0 0 false 0 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 5 1002587 EnumWindows
HWND Message LParam WParam Completion Count Source Address Symbol
TID Message LParam WParam Completion Count Source Address Symbol
0 464 0 0 error 2 D7382F PostThreadMessageA
FB4 467 1728 2 success 1 D7B200 PostThreadMessageA
FB4 467 1924 2 success 1 D7B200 PostThreadMessageA

Chronological Activities

Operation Data Completion Time
Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 559448059
Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 559448692
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 559476520
Mutant created Name: \BaseNamedObjects\Global\NtKernelProc.1552 success or wait 559479300
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartMenuMask object name not found 559480026
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 30C8000 Length: D6FB6C Allocation Type: unknown Protection: page read and write success or wait 559604905
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 39F0000 Length: D6FD00 Allocation Type: unknown Protection: page read and write success or wait 559605044
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: D70000 Length: D6FE5C Allocation Type: unknown Protection: page read and write success or wait 559681059
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: D71000 Length: 3A000 New Protection: page execute read Old Protection: page read and write success or wait 559683069
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DAB000 Length: C000 New Protection: page readonly Old Protection: page read and write success or wait 559683527
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DB7000 Length: 3000 New Protection: page read and write Old Protection: page read and write success or wait 559683796
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DBC000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 559688886
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DBD000 Length: 5000 New Protection: page readonly Old Protection: page read and write success or wait 559689072
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: CA0000 Length: D6FE1C Allocation Type: unknown Protection: page read and write success or wait 559690402
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: CA0000 Length: D6FE20 Allocation Type: unknown Protection: page read and write success or wait 559690552
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: CA1000 Length: D6FAFC Allocation Type: unknown Protection: page read and write success or wait 559691083
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: AdvancedImages object name not found 559742817
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: CB0000 Length: D6FE28 Allocation Type: unknown Protection: page execute and read and write success or wait 559744134
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C80236B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 559745013
Memory read PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C80236B Length: 5 Value: 8B FF 55 8B EC success or wait 559745118
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C80236B Length: 5 Value: E9 BC F1 56 84 success or wait 559745771
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C80236B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 559745882
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DD0000 Length: D6FE28 Allocation Type: unknown Protection: page execute and read and write success or wait 559745987
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C802336 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 559746929
Memory read PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C802336 Length: 5 Value: 8B FF 55 8B EC success or wait 559747031
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C802336 Length: 5 Value: E9 07 F3 56 84 success or wait 559748181
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 7C802336 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 559748271
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DE0000 Length: D6FE08 Allocation Type: unknown Protection: page execute and read and write success or wait 559748686
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77E10CE8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 559748791
Memory read PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77E10CE8 Length: 5 Value: 8B FF 55 8B EC success or wait 559748893
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77E10CE8 Length: 5 Value: E9 6B 0A F6 88 success or wait 559750696
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77E10CE8 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 559751619
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: DF0000 Length: D6FE00 Allocation Type: unknown Protection: page execute and read and write success or wait 559751735
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77DEA8A9 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 559751844
Memory read PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77DEA8A9 Length: 5 Value: 8B FF 55 8B EC success or wait 559752238
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77DEA8A9 Length: 5 Value: E9 C3 6F F8 88 success or wait 559755814
Memory attributes changed PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 77DEA8A9 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 559755930
Message posted TID: 0 Message: 464 WParam: 0 LParam: 0 error 559757540
Message posted TID: 0 Message: 464 WParam: 0 LParam: 0 error 559758908
Thread created PID: 1552 TID: 4020 EIP: 7C8106F9 EAX: D74458 Imagepath: C:\WINDOWS\explorer.exe success or wait 559759480
Process information queried PID: 1552 Info Class: Wow64Information success or wait 559762728
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartCurrId object name not found 559763625
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 559765084
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartCurrId Type: dword Data: 114 Old data: success or wait 559768453
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartCurrMask object name not found 559770460
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartCurrMask Type: dword Data: 62 Old data: success or wait 559770907
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartMainId object name not found 559771548
File created Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LM73.tmp Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 559771924
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartMainId Type: dword Data: 115 Old data: success or wait 559774820
Thread created PID: 1552 TID: 4024 EIP: 7C8106F9 EAX: BA2B47 Imagepath: C:\WINDOWS\explorer.exe success or wait 559776126
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartMainMask object name not found 559777427
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartMainMask Type: dword Data: 126 Old data: success or wait 559777877
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 559779323
System info queried Type: ProcessInformation success or wait 559780913
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 0 success or wait 559785448
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 374 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 559785724
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 559786689
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 374 success or wait 559787090
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 127 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0F 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 09 0B 0F 17 63 1E 73 5F 57 50 7D 51 4C 5B 72 51 51 4E 04 1E 7C 4B 57 52 5A 04 1E 0B 0E 0F 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 success or wait 559787240
Mutant created Name: \BaseNamedObjects\Global\NtKernelTrusted success or wait 559787715
File opened Path: C:\Hermes_.exe Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 559787882
File read Path: C:\Hermes_.exe Offset: unknown Length: 407040 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 559788480
File created Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: true success or wait 560003029
File created Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE} Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: true success or wait 560005643
File created Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 560007121
File write Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat Offset: unknown Length: 407040 Value: 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 560504915
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 560514809
Thread delayed Time: -1 TID: 4024 success or wait 560517728
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu Type: binary Data: 12 40 2C 27 39 53 19 22 37 2B 4D 2B 75 50 16 1E 45 0B 2B 44 2E 3E 5E 1D 3E 3B 7C 59 3C 13 1E 0A 25 44 1E 2E 26 2A 4B 04 14 41 08 16 0C 3B 2F 44 33 38 5E 5A 09 06 49 5C 0D 2E 15 02 3B 66 05 2A 25 20 4B 04 2E 75 4E 4E 55 6E 0F 08 6A 7A 00 3C 79 21 10 09 12 48 42 4E 14 05 2E 0E 7F 73 0B 68 64 05 4A 4C 23 60 0A 73 1F 2A 6C 49 7A 23 04 0F 64 4F 33 52 15 72 2F 7B 6A 72 7F 61 16 70 49 48 55 6A 0B 07 19 60 71 3C 7B 26 09 13 35 1B 04 Old data: success or wait 560596975
File deleted Path: C:\Hermes_.exe New path: Disposition: Data : cannot delete 560598242
Thread delayed Time: -1 TID: 4024 success or wait 560600975
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 563081709
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 564087672
Thread delayed Time: -1 TID: 4024 success or wait 564088387
File deleted Path: C:\Hermes_.exe New path: Disposition: Data : success or wait 564155385
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: PersistFile object name not found 564158325
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 564159206
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 501 success or wait 564160751
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 148 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 09 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0C 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 08 08 0C 17 63 1E 79 5B 4A 7F 4B 4A 51 6C 4B 50 68 5F 52 4B 5B 70 5F 53 5B 04 1E 6B 50 5F 5C 52 5B 1E 4A 51 1E 4F 4B 5B 4C 47 1E success or wait 564161227
File created Path: C:\Documents and Settings\Administrator\Application Data\Dropbox Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: true success or wait 564163107
File created Path: C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031} Access: read data or list directory and synchronize Options: directory file and synchronous io non alert and open for backup ident Attributes: normal Content Overwritten: true success or wait 564165975
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: PersistFile Type: dword Data: 3 Old data: success or wait 564171237
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: PersistFolder Type: dword Data: 18 Old data: success or wait 564171978
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Name: UpgradeHelper Type: unicode Data: C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe Old data: success or wait 564173391
File created Path: C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 564190372
File write Path: C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe Offset: unknown Length: 407040 Value: 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 565604560
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartMenuMask Type: dword Data: 77654 Old data: success or wait 565848875
Thread created PID: 1552 TID: 484 EIP: 7C8106F9 EAX: D75D48 Imagepath: C:\WINDOWS\explorer.exe success or wait 565851032
Key value set Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartProcIrq Type: dword Data: 6 Old data: success or wait 565852286
Mutant created Name: \BaseNamedObjects\Global\NtSys32AutoLock success or wait 565856092
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: PersistFile success or wait 565857165
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Name: UpgradeHelper buffer overflow 565858086
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Name: UpgradeHelper buffer overflow 565858600
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Name: UpgradeHelper buffer overflow 565859708
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run Name: UpgradeHelper buffer overflow 565860189
Thread created PID: 1552 TID: 988 EIP: 7C8106F9 EAX: D879B3 Imagepath: C:\WINDOWS\explorer.exe success or wait 565861970
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: ModulesCache object name not found 565863090
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 566716322
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 567667152
Thread delayed Time: -1 TID: 4024 success or wait 567667883
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 570351808
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 571246598
Thread delayed Time: -1 TID: 4024 success or wait 571247323
Windows enumerated Desktop: 0 Parent: 0 Enum Children: false TID: 0 HWNDs: 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 573932729
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 574826258
Thread delayed Time: -1 TID: 4024 success or wait 574826953
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 578405766
Thread delayed Time: -1 TID: 4024 success or wait 578406465
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 581988021
Thread delayed Time: -1 TID: 4024 success or wait 581988769
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 585564825
Thread delayed Time: -1 TID: 4024 success or wait 585565566
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 589144335
Thread delayed Time: -1 TID: 4024 success or wait 589145059
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 592723910
Thread delayed Time: -1 TID: 4024 success or wait 592724604
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 596306217
Thread delayed Time: -1 TID: 4024 success or wait 596306962
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 599885839
Thread delayed Time: -1 TID: 4024 success or wait 599886526
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 603462606
Thread delayed Time: -1 TID: 4024 success or wait 603463321
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 607042076
Thread delayed Time: -1 TID: 4024 success or wait 607042772
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 610621681
Thread delayed Time: -1 TID: 4024 success or wait 610622403
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 614201175
Thread delayed Time: -1 TID: 4024 success or wait 614201851
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 617780694
Thread delayed Time: -1 TID: 4024 success or wait 617781415
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 621360201
Thread delayed Time: -1 TID: 4024 success or wait 621360896
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 624939931
Thread delayed Time: -1 TID: 4024 success or wait 624940649
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 628519320
Process information queried PID: 1728 Info Class: ImageFileName success or wait 628525720
File opened Path: C:\WINDOWS\system32\ctfmon.exe Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert Overwritten: false success or wait 628578632
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: D60000 Length: 199FCA8 Allocation Type: unknown Protection: page execute and read and write success or wait 628602052
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: DA0000 Length: 199FCA8 Allocation Type: unknown Protection: page execute and read and write success or wait 628602342
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 199FCA8 Allocation Type: unknown Protection: page read and write success or wait 628602620
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: D60000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 630373270
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A30000 Length: 305 Value: 00 00 00 00 00 00 DA 00 00 00 D6 00 00 60 03 00 00 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 630392943
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: DA0000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 630416559
Thread created PID: 1728 TID: 3052 EIP: 7C8106F9 EAX: D628C6 Imagepath: C:\WINDOWS\system32\ctfmon.exe success or wait 630435828
Thread delayed Time: -1 TID: 4024 success or wait 630437584
Thread created PID: 1552 TID: 3080 EIP: 7C8106F9 EAX: D87FBA Imagepath: C:\WINDOWS\explorer.exe success or wait 631503811
Thread resumed TID: 3080 PID: 1552 Path: C:\WINDOWS\explorer.exe success or wait 631504617
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 631542493
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 649 success or wait 631552354
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 110 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0E 63 04 65 07 07 09 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 631552757
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 631557170
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 759 success or wait 631558313
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 135 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 07 09 0F 17 63 1E 6E 4C 51 5D 5B 4D 4D 76 5F 50 5A 6D 56 5F 55 5B 73 5B 4D 4D 5F 59 5B 04 1E 0F 09 0C 06 1E 0C 63 04 65 0F 06 0D success or wait 631558830
Message posted TID: FB4 Message: 467 WParam: 1728 LParam: 2 success 631560172
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 631566451
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 894 success or wait 631567570
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 110 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0B 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 631567965
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 631569385
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 1004 success or wait 631570485
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 396 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 631571255
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 634000459
Thread delayed Time: -1 TID: 4024 success or wait 634001085
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 637580068
Process information queried PID: 1924 Info Class: ImageFileName success or wait 637585950
File opened Path: C:\WINDOWS\system32\wscntfy.exe Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert Overwritten: false success or wait 637587006
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 199FCA8 Allocation Type: unknown Protection: page execute and read and write success or wait 637591519
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: B20000 Length: 199FCA8 Allocation Type: unknown Protection: page execute and read and write success or wait 637591888
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: B60000 Length: 199FCA8 Allocation Type: unknown Protection: page read and write success or wait 637592240
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: AE0000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 639025091
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: B60000 Length: 305 Value: 00 00 00 00 00 00 B2 00 00 00 AE 00 00 60 03 00 00 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 639051706
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: B20000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 639077654
Thread created PID: 1924 TID: 3560 EIP: 7C8106F9 EAX: AE28C6 Imagepath: C:\WINDOWS\system32\wscntfy.exe success or wait 639095012
Thread delayed Time: -1 TID: 4024 success or wait 639097027
Thread created PID: 1552 TID: 3580 EIP: 7C8106F9 EAX: D87FBA Imagepath: C:\WINDOWS\explorer.exe success or wait 640030581
Thread resumed TID: 3580 PID: 1552 Path: C:\WINDOWS\explorer.exe success or wait 640031360
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 640065063
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 1400 success or wait 640066240
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 110 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0E 63 04 65 07 07 09 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 640066637
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 640068394
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 1510 success or wait 640069630
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 135 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 07 09 0F 17 63 1E 6E 4C 51 5D 5B 4D 4D 76 5F 50 5A 6D 56 5F 55 5B 73 5B 4D 4D 5F 59 5B 04 1E 0F 07 0C 0A 1E 0C 63 04 65 0F 06 0D success or wait 640070080
Message posted TID: FB4 Message: 467 WParam: 1924 LParam: 2 success 640071597
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 640077669
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 1645 success or wait 640078794
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 110 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0B 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 640079191
File opened Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Access: read attributes and synchronize and generic write Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 640080535
File other op Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp New path: Disposition: PositionInformation Data : Offset: 1755 success or wait 640081644
File write Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp Offset: unknown Length: 399 Value: 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 640082770
Thread delayed Time: -10 TID: 4024 success or wait 642669666
System info queried Type: ProcessInformation success or wait 678465587
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 678488478
Thread delayed Time: -1 TID: 4024 success or wait 678489167
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 682047735
Thread delayed Time: -1 TID: 4024 success or wait 682048417
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 685627693
Thread delayed Time: -1 TID: 4024 success or wait 685628368
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 689208750
Thread delayed Time: -1 TID: 4024 success or wait 689209539
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 692786169
Thread delayed Time: -1 TID: 4024 success or wait 692786852
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 696366201
Thread delayed Time: -1 TID: 4024 success or wait 696366888
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 699945385
Thread delayed Time: -1 TID: 4024 success or wait 699946069
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 703522040
Thread delayed Time: -1 TID: 4024 success or wait 703522734
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 707104726
Thread delayed Time: -1 TID: 4024 success or wait 707105412
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 710681163
Thread delayed Time: -1 TID: 4024 success or wait 710681847
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 714260645
Thread delayed Time: -1 TID: 4024 success or wait 714261355
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 717840115
Thread delayed Time: -1 TID: 4024 success or wait 717840789
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 721419749
Thread delayed Time: -1 TID: 4024 success or wait 721420451
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 724999222
Thread delayed Time: -1 TID: 4024 success or wait 724999903
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 728582214
Thread delayed Time: -1 TID: 4024 success or wait 728582924
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 732158300
Thread delayed Time: -1 TID: 4024 success or wait 732159030
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 735742941
Thread delayed Time: -1 TID: 4024 success or wait 735743651
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 739317448
Thread delayed Time: -1 TID: 4024 success or wait 739318125
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 742896967
Thread delayed Time: -1 TID: 4024 success or wait 742897670
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 746476501
Thread delayed Time: -1 TID: 4024 success or wait 746477365
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 750056064
Thread delayed Time: -1 TID: 4024 success or wait 750056784
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 753635578
Thread delayed Time: -1 TID: 4024 success or wait 753636436
Thread delayed Time: -10 TID: 4024 success or wait 757215120
System info queried Type: ProcessInformation success or wait 793010862
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 793031804
Thread delayed Time: -1 TID: 4024 success or wait 793032505
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 796596064
Thread delayed Time: -1 TID: 4024 success or wait 796596751
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 800169715
Thread delayed Time: -1 TID: 4024 success or wait 800170428
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 803749323
Thread delayed Time: -1 TID: 4024 success or wait 803750080
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 807331616
Thread delayed Time: -1 TID: 4024 success or wait 807332377
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 810908497
Thread delayed Time: -10 TID: 4024 success or wait 871760558
System info queried Type: ProcessInformation success or wait 907556437
Thread delayed Time: -10 TID: 4024 success or wait 986980137

General
Start time: 09:40:15
Start date: 24/01/2012
Path: C:\WINDOWS\system32\ctfmon.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\system32\ctfmon.exe
Imagebase: 0x400000
File size: 15360 bytes
MD5 hash: 5F1D5F88303D4A4DBC8E5F97BA967CC3

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat read attributes and synchronize and generic read synchronous io non alert and non directory file true success or wait 1 177217D CreateFileA
\pipe\Win64Expected read attributes and synchronize and generic read and generic write non directory file true success or wait 1 1788450 CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat unknown 407040 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 1 17721B4 ReadFile
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
unknown query and write and read commit CB0000 16384 own pid read write success or wait 1
unknown query and write and read commit CB0000 16384 own pid read write success or wait 1
unknown query and write and read commit CB0000 16384 own pid read write success or wait 1
unknown query and write and read commit CB0000 16384 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\MFC42.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1 D646BE
C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1 D646BE
\KnownDlls\MSVCP60.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 D646BE
C:\WINDOWS\system32\msvcp60.dll query and write and read and execute image 76080000 413696 own pid read write success or wait 1 D646BE

Registry Activities

Key Path Name Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage AdvancedImages object name not found 1 177FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage CustomBarMenu buffer overflow 2 177FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage CustomBarMenu success or wait 1 177FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartProcIrq success or wait 1 177FF43 RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol
\BaseNamedObjects\Global\NtKernelProc.1728 success or wait 1 D62CF8 CreateMutexA
\BaseNamedObjects\Global\NtSys32AutoLock object name exists 1 177ABD9 CreateMutexA
\BaseNamedObjects\NtKernelInjLock success or wait 70 D62BAA CreateMutexA
\BaseNamedObjects\NtKernelInjLock object name exists 1 D62BAA CreateMutexA

Process Activities

PID Process info class Completion Count Source Address Symbol
1728 Wow64Information success or wait 1 1772835 IsWow64Process

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
3064 1728 7C8106F9 1774458 C:\WINDOWS\system32\ctfmon.exe success or wait 1 1774364 CreateThread
3068 1728 7C8106F9 D62B47 C:\WINDOWS\system32\ctfmon.exe success or wait 1 D62AFC CreateThread
3072 1728 7C8106F9 1775D48 C:\WINDOWS\system32\ctfmon.exe success or wait 1 1775D0F CreateThread
868 1728 7C8106F9 1787FBA C:\WINDOWS\system32\ctfmon.exe success or wait 1 17885BF CreateThread
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol
3068 -1s success or wait 71 D627F4 Sleep
3068 -10s success or wait 3 D62804 Sleep

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
1728 C:\WINDOWS\system32\ctfmon.exe 7C80236B 5 8B FF 55 8B EC success or wait 1 17710D5 ReadProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe 7C802336 5 8B FF 55 8B EC success or wait 1 17710D5 ReadProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe 77E10CE8 5 8B FF 55 8B EC success or wait 1 17710D5 ReadProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe 77DEA8A9 5 8B FF 55 8B EC success or wait 1 17710D5 ReadProcessMemory
PID Filepath Base Length Value Completion Count Source Address Symbol
1728 C:\WINDOWS\system32\ctfmon.exe 7C80236B 5 E9 BC F1 F6 84 success or wait 1 177110E WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe 7C802336 5 E9 07 F3 F6 84 success or wait 1 177110E WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe 77E10CE8 5 E9 6B 0A 96 89 success or wait 1 177110E WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe 77DEA8A9 5 E9 C3 6F 98 89 success or wait 1 177110E WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
1728 C:\WINDOWS\system32\ctfmon.exe 14DE000 E1FB6C page read and write success or wait 1 D65200 malloc
1728 C:\WINDOWS\system32\ctfmon.exe 1770000 E1FD00 page read and write success or wait 1 D65200 malloc
1728 C:\WINDOWS\system32\ctfmon.exe 1770000 E1FE5C page read and write success or wait 1 D64999 VirtualAlloc
1728 C:\WINDOWS\system32\ctfmon.exe A50000 E1FE1C page read and write success or wait 1 179AC87 HeapCreate
1728 C:\WINDOWS\system32\ctfmon.exe A50000 E1FE20 page read and write success or wait 1 179AC87 HeapCreate
1728 C:\WINDOWS\system32\ctfmon.exe A51000 E1FAFC page read and write success or wait 1 179AC87 HeapCreate
1728 C:\WINDOWS\system32\ctfmon.exe A60000 E1FE28 page execute and read and write success or wait 1 17710AD VirtualAlloc
1728 C:\WINDOWS\system32\ctfmon.exe A70000 E1FE28 page execute and read and write success or wait 1 17710AD VirtualAlloc
1728 C:\WINDOWS\system32\ctfmon.exe B10000 E1FE08 page execute and read and write success or wait 1 17710AD VirtualAlloc
1728 C:\WINDOWS\system32\ctfmon.exe C20000 E1FE00 page execute and read and write success or wait 1 17710AD VirtualAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1728 C:\WINDOWS\system32\ctfmon.exe 1771000 3A000 page execute read page read and write success or wait 1 D648A0 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 17AB000 C000 page readonly page read and write success or wait 1 D648A0 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 17B7000 3000 page read and write page read and write success or wait 1 D648A0 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 17BC000 1000 page readonly page read and write success or wait 1 D648A0 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 17BD000 5000 page readonly page read and write success or wait 1 D648A0 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 7C80236B 1000 page execute and read and write page execute read success or wait 1 17710C2 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 7C80236B 1000 page execute read page execute and read and write success or wait 1 1771122 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 7C802336 1000 page execute and read and write page execute read success or wait 1 17710C2 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 7C802336 1000 page execute read page execute and read and write success or wait 1 1771122 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 77E10CE8 1000 page execute and read and write page execute read success or wait 1 17710C2 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 77E10CE8 1000 page execute read page execute and read and write success or wait 1 1771122 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 77DEA8A9 1000 page execute and read and write page execute read success or wait 1 17710C2 VirtualProtect
1728 C:\WINDOWS\system32\ctfmon.exe 77DEA8A9 1000 page execute read page execute and read and write success or wait 1 1771122 VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:40:15 1 5 1
09:40:16 3 7 3
09:40:33 3 7 3

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 4 D63A68 CreateToolhelp32Snapshot

Windows UI Activities

TID Message LParam WParam Completion Count Source Address Symbol
0 464 0 0 error 2 177382F PostThreadMessageA
BF8 464 0 0 success 1 177382F PostThreadMessageA

Chronological Activities

Operation Data Completion Time
Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 630441063
Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 630442647
Section loaded Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 630453250
Section loaded Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid success or wait 630454967
Mutant created Name: \BaseNamedObjects\Global\NtKernelProc.1728 success or wait 630464532
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 14DE000 Length: E1FB6C Allocation Type: unknown Protection: page read and write success or wait 630490044
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1770000 Length: E1FD00 Allocation Type: unknown Protection: page read and write success or wait 630490365
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1770000 Length: E1FE5C Allocation Type: unknown Protection: page read and write success or wait 630704007
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 1771000 Length: 3A000 New Protection: page execute read Old Protection: page read and write success or wait 630709179
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 17AB000 Length: C000 New Protection: page readonly Old Protection: page read and write success or wait 630710126
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 17B7000 Length: 3000 New Protection: page read and write Old Protection: page read and write success or wait 630710577
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 17BC000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 630710917
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 17BD000 Length: 5000 New Protection: page readonly Old Protection: page read and write success or wait 630711233
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50000 Length: E1FE1C Allocation Type: unknown Protection: page read and write success or wait 630712018
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A50000 Length: E1FE20 Allocation Type: unknown Protection: page read and write success or wait 630712342
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A51000 Length: E1FAFC Allocation Type: unknown Protection: page read and write success or wait 630712736
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: AdvancedImages object name not found 630736048
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A60000 Length: E1FE28 Allocation Type: unknown Protection: page execute and read and write success or wait 630736999
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C80236B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 630737286
Memory read PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C80236B Length: 5 Value: 8B FF 55 8B EC success or wait 630737576
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C80236B Length: 5 Value: E9 BC F1 F6 84 success or wait 630738508
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C80236B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 630738819
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: A70000 Length: E1FE28 Allocation Type: unknown Protection: page execute and read and write success or wait 630739116
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C802336 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 630739395
Memory read PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C802336 Length: 5 Value: 8B FF 55 8B EC success or wait 630739672
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C802336 Length: 5 Value: E9 07 F3 F6 84 success or wait 630740704
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 7C802336 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 630740963
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: B10000 Length: E1FE08 Allocation Type: unknown Protection: page execute and read and write success or wait 630741284
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77E10CE8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 630741570
Memory read PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77E10CE8 Length: 5 Value: 8B FF 55 8B EC success or wait 630741860
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77E10CE8 Length: 5 Value: E9 6B 0A 96 89 success or wait 630742793
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77E10CE8 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 630743106
Memory allocated PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: C20000 Length: E1FE00 Allocation Type: unknown Protection: page execute and read and write success or wait 630743420
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77DEA8A9 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 630743706
Memory read PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77DEA8A9 Length: 5 Value: 8B FF 55 8B EC success or wait 630744055
Memory written PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77DEA8A9 Length: 5 Value: E9 C3 6F 98 89 success or wait 630745022
Memory attributes changed PID: 1728 Path: C:\WINDOWS\system32\ctfmon.exe Base: 77DEA8A9 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 630745334
Message posted TID: 0 Message: 464 WParam: 0 LParam: 0 error 630746419
Message posted TID: 0 Message: 464 WParam: 0 LParam: 0 error 630746844
Thread created PID: 1728 TID: 3064 EIP: 7C8106F9 EAX: 1774458 Imagepath: C:\WINDOWS\system32\ctfmon.exe success or wait 630748394
Process information queried PID: 1728 Info Class: Wow64Information success or wait 630751583
Message posted TID: BF8 Message: 464 WParam: 0 LParam: 0 success 630752086
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu buffer overflow 630752600
Thread created PID: 1728 TID: 3068 EIP: 7C8106F9 EAX: D62B47 Imagepath: C:\WINDOWS\system32\ctfmon.exe success or wait 630753389
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu buffer overflow 630754775
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu success or wait 630755269
System info queried Type: ProcessInformation success or wait 630756249
File opened Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 630765210
File read Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat Offset: unknown Length: 407040 Value: 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 630767903
Thread created PID: 1728 TID: 3072 EIP: 7C8106F9 EAX: 1775D48 Imagepath: C:\WINDOWS\system32\ctfmon.exe success or wait 631491724
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartProcIrq success or wait 631501057
File opened Path: \pipe\Win64Expected Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: true success or wait 631501977
Mutant created Name: \BaseNamedObjects\Global\NtSys32AutoLock object name exists 631510634
Thread created PID: 1728 TID: 868 EIP: 7C8106F9 EAX: 1787FBA Imagepath: C:\WINDOWS\system32\ctfmon.exe success or wait 631528648
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 631572823
Thread delayed Time: -1 TID: 3068 success or wait 631573503
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 635119363
Thread delayed Time: -1 TID: 3068 success or wait 635121183
Mutant created Name: \BaseNamedObjects\NtKernelInjLock object name exists 639052183
Thread delayed Time: -1 TID: 3068 success or wait 639103492
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 642669860
Thread delayed Time: -1 TID: 3068 success or wait 642670168
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 646249356
Thread delayed Time: -1 TID: 3068 success or wait 646250074
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 649828986
Thread delayed Time: -1 TID: 3068 success or wait 649829666
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 653474621
Thread delayed Time: -1 TID: 3068 success or wait 653475614
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 657044152
Thread delayed Time: -1 TID: 3068 success or wait 657046279
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 660683573
Thread delayed Time: -1 TID: 3068 success or wait 660745257
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 664316272
Thread delayed Time: -1 TID: 3068 success or wait 664316956
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 667957103
Thread delayed Time: -1 TID: 3068 success or wait 668017309
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 671585926
Thread delayed Time: -1 TID: 3068 success or wait 671588046
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 675287637
Thread delayed Time: -1 TID: 3068 success or wait 675288397
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 678856792
Thread delayed Time: -1 TID: 3068 success or wait 678858546
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 682494447
Thread delayed Time: -1 TID: 3068 success or wait 682560897
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 686128902
Thread delayed Time: -1 TID: 3068 success or wait 686129678
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 689777439
Thread delayed Time: -1 TID: 3068 success or wait 689874649
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 693454910
Thread delayed Time: -1 TID: 3068 success or wait 693456915
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 697157876
Thread delayed Time: -1 TID: 3068 success or wait 697158616
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 700725694
Thread delayed Time: -1 TID: 3068 success or wait 700728146
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 704431515
Thread delayed Time: -1 TID: 3068 success or wait 704432456
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 707996508
Thread delayed Time: -1 TID: 3068 success or wait 708000552
Thread delayed Time: -10 TID: 3068 success or wait 711698247
System info queried Type: ProcessInformation success or wait 747483878
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 747504422
Thread delayed Time: -1 TID: 3068 success or wait 747505098
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 751062972
Thread delayed Time: -1 TID: 3068 success or wait 751063784
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 754642496
Thread delayed Time: -1 TID: 3068 success or wait 754643793
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 758222265
Thread delayed Time: -1 TID: 3068 success or wait 758222977
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 761801584
Thread delayed Time: -1 TID: 3068 success or wait 761802426
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 765381169
Thread delayed Time: -1 TID: 3068 success or wait 765382439
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 768963719
Thread delayed Time: -1 TID: 3068 success or wait 768964406
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 772541186
Thread delayed Time: -1 TID: 3068 success or wait 772541887
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 776119763
Thread delayed Time: -1 TID: 3068 success or wait 776121093
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 779699448
Thread delayed Time: -1 TID: 3068 success or wait 779700161
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 783278854
Thread delayed Time: -1 TID: 3068 success or wait 783279634
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 786858478
Thread delayed Time: -1 TID: 3068 success or wait 786859871
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 790441360
Thread delayed Time: -1 TID: 3068 success or wait 790442240
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 794017668
Thread delayed Time: -1 TID: 3068 success or wait 794018359
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 797600754
Thread delayed Time: -1 TID: 3068 success or wait 797601436
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 801179811
Thread delayed Time: -1 TID: 3068 success or wait 801180486
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 804759079
Thread delayed Time: -1 TID: 3068 success or wait 804759751
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 808336235
Thread delayed Time: -1 TID: 3068 success or wait 808336920
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 811915241
Thread delayed Time: -1 TID: 3068 success or wait 811915910
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 815494859
Thread delayed Time: -1 TID: 3068 success or wait 815495722
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 819074804
Thread delayed Time: -1 TID: 3068 success or wait 819075484
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 822657302
Thread delayed Time: -1 TID: 3068 success or wait 822658162
Thread delayed Time: -10 TID: 3068 success or wait 826233442
System info queried Type: ProcessInformation success or wait 862032175
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 862052543
Thread delayed Time: -1 TID: 3068 success or wait 862053214
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 865611837
Thread delayed Time: -1 TID: 3068 success or wait 865614702
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 869189195
Thread delayed Time: -1 TID: 3068 success or wait 869190612
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 872767502
Thread delayed Time: -1 TID: 3068 success or wait 872768207
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 876347183
Thread delayed Time: -1 TID: 3068 success or wait 876347871
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 879929379
Thread delayed Time: -1 TID: 3068 success or wait 879930089
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 883509411
Thread delayed Time: -10 TID: 3068 success or wait 940778861
System info queried Type: ProcessInformation success or wait 976574496
General
Start time: 09:40:18
Start date: 24/01/2012
Path: C:\WINDOWS\system32\wscntfy.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\system32\wscntfy.exe
Imagebase: 0x1000000
File size: 13824 bytes
MD5 hash: F92E1076C42FCD6DB3D72D8CFE9816D5

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat read attributes and synchronize and generic read synchronous io non alert and non directory file true success or wait 1 E3217D CreateFileA
\pipe\Win64Expected read attributes and synchronize and generic read and generic write non directory file true success or wait 1 E48450 CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat unknown 407040 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 1 E321B4 ReadFile

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
unknown query and write and read commit F60000 16384 own pid read write success or wait 1
unknown query and write and read commit F60000 16384 own pid read write success or wait 1
unknown query and write and read commit F60000 16384 own pid read write success or wait 1
unknown query and write and read commit F60000 16384 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\MFC42.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1 AE46BE
C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1 AE46BE
\KnownDlls\MSVCP60.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 AE46BE
C:\WINDOWS\system32\msvcp60.dll query and write and read and execute image 76080000 413696 own pid read write success or wait 1 AE46BE
\KnownDlls\OLEAUT32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1 AE46BE

Registry Activities

Key Path Name Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage AdvancedImages object name not found 1 E3FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage CustomBarMenu buffer overflow 2 E3FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage CustomBarMenu success or wait 1 E3FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartProcIrq success or wait 1 E3FF43 RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol
\BaseNamedObjects\Global\NtKernelProc.1924 success or wait 1 AE2CF8 CreateMutexA
\BaseNamedObjects\Global\NtSys32AutoLock object name exists 1 E3ABD9 CreateMutexA
\BaseNamedObjects\NtKernelInjLock success or wait 69 AE2BAA CreateMutexA

Process Activities

PID Process info class Completion Count Source Address Symbol
1924 Wow64Information success or wait 1 E32835 IsWow64Process

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
3568 1924 7C8106F9 E34458 C:\WINDOWS\system32\wscntfy.exe success or wait 1 E34364 CreateThread
3572 1924 7C8106F9 AE2B47 C:\WINDOWS\system32\wscntfy.exe success or wait 1 AE2AFC CreateThread
3576 1924 7C8106F9 E35D48 C:\WINDOWS\system32\wscntfy.exe success or wait 1 E35D0F CreateThread
3584 1924 7C8106F9 E47FBA C:\WINDOWS\system32\wscntfy.exe success or wait 1 E485BF CreateThread
TID Delay Completion Count Source Address Symbol
3572 -1s success or wait 69 AE27F4 Sleep
3572 -10s success or wait 3 AE2804 Sleep

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
1924 C:\WINDOWS\system32\wscntfy.exe 7C80236B 5 8B FF 55 8B EC success or wait 1 E310D5 ReadProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe 7C802336 5 8B FF 55 8B EC success or wait 1 E310D5 ReadProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe 77E10CE8 5 8B FF 55 8B EC success or wait 1 E310D5 ReadProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe 77DEA8A9 5 8B FF 55 8B EC success or wait 1 E310D5 ReadProcessMemory
PID Filepath Base Length Value Completion Count Source Address Symbol
1924 C:\WINDOWS\system32\wscntfy.exe 7C80236B 5 E9 BC F1 62 84 success or wait 1 E3110E WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe 7C802336 5 E9 07 F3 62 84 success or wait 1 E3110E WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe 77E10CE8 5 E9 6B 0A 02 89 success or wait 1 E3110E WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe 77DEA8A9 5 E9 C3 6F 04 89 success or wait 1 E3110E WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
1924 C:\WINDOWS\system32\wscntfy.exe D5E000 E2FB6C page read and write success or wait 1 AE5200 malloc
1924 C:\WINDOWS\system32\wscntfy.exe 1210000 E2FD00 page read and write success or wait 1 AE5200 malloc
1924 C:\WINDOWS\system32\wscntfy.exe E30000 E2FE5C page read and write success or wait 1 AE4999 VirtualAlloc
1924 C:\WINDOWS\system32\wscntfy.exe E90000 E2FE1C page read and write success or wait 1 E5AC87 HeapCreate
1924 C:\WINDOWS\system32\wscntfy.exe E90000 E2FE20 page read and write success or wait 1 E5AC87 HeapCreate
1924 C:\WINDOWS\system32\wscntfy.exe E91000 E2FAFC page read and write success or wait 1 E5AC87 HeapCreate
1924 C:\WINDOWS\system32\wscntfy.exe EA0000 E2FE28 page execute and read and write success or wait 1 E310AD VirtualAlloc
1924 C:\WINDOWS\system32\wscntfy.exe EB0000 E2FE28 page execute and read and write success or wait 1 E310AD VirtualAlloc
1924 C:\WINDOWS\system32\wscntfy.exe EC0000 E2FE08 page execute and read and write success or wait 1 E310AD VirtualAlloc
1924 C:\WINDOWS\system32\wscntfy.exe ED0000 E2FE00 page execute and read and write success or wait 1 E310AD VirtualAlloc
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1924 C:\WINDOWS\system32\wscntfy.exe E31000 3A000 page execute read page read and write success or wait 1 AE48A0 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe E6B000 C000 page readonly page read and write success or wait 1 AE48A0 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe E77000 3000 page read and write page read and write success or wait 1 AE48A0 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe E7C000 1000 page readonly page read and write success or wait 1 AE48A0 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe E7D000 5000 page readonly page read and write success or wait 1 AE48A0 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 7C80236B 1000 page execute and read and write page execute read success or wait 1 E310C2 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 7C80236B 1000 page execute read page execute and read and write success or wait 1 E31122 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 7C802336 1000 page execute and read and write page execute read success or wait 1 E310C2 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 7C802336 1000 page execute read page execute and read and write success or wait 1 E31122 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 77E10CE8 1000 page execute and read and write page execute read success or wait 1 E310C2 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 77E10CE8 1000 page execute read page execute and read and write success or wait 1 E31122 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 77DEA8A9 1000 page execute and read and write page execute read success or wait 1 E310C2 VirtualProtect
1924 C:\WINDOWS\system32\wscntfy.exe 77DEA8A9 1000 page execute read page execute and read and write success or wait 1 E31122 VirtualProtect
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:40:18 3 6 3
09:40:33 3 6 3

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 4 AE3A68 CreateToolhelp32Snapshot

Windows UI Activities

TID Message LParam WParam Completion Count Source Address Symbol
0 464 0 0 error 2 E3382F PostThreadMessageA
DF0 464 0 0 success 1 E3382F PostThreadMessageA
Chronological Activities
Operation Data Completion Time
Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 639100348
Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 639101925
Section loaded Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 639114027
Section loaded Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid success or wait 639115553
Mutant created Name: \BaseNamedObjects\Global\NtKernelProc.1924 success or wait 639125563
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: D5E000 Length: E2FB6C Allocation Type: unknown Protection: page read and write success or wait 639156226
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 1210000 Length: E2FD00 Allocation Type: unknown Protection: page read and write success or wait 639156576
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E30000 Length: E2FE5C Allocation Type: unknown Protection: page read and write success or wait 639372612
Section loaded Path: \KnownDlls\OLEAUT32.dll Access: write and read and execute Type: unknown Baseaddress: 77120000 Size: 569344 Protection: read write Mapped to pid: own pid success or wait 639381199
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E31000 Length: 3A000 New Protection: page execute read Old Protection: page read and write success or wait 639389961
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E6B000 Length: C000 New Protection: page readonly Old Protection: page read and write success or wait 639390808
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E77000 Length: 3000 New Protection: page read and write Old Protection: page read and write success or wait 639391186
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E7C000 Length: 1000 New Protection: page readonly Old Protection: page read and write success or wait 639391466
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E7D000 Length: 5000 New Protection: page readonly Old Protection: page read and write success or wait 639391727
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E90000 Length: E2FE1C Allocation Type: unknown Protection: page read and write success or wait 639392397
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E90000 Length: E2FE20 Allocation Type: unknown Protection: page read and write success or wait 639392682
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: E91000 Length: E2FAFC Allocation Type: unknown Protection: page read and write success or wait 639393071
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: AdvancedImages object name not found 639416012
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: EA0000 Length: E2FE28 Allocation Type: unknown Protection: page execute and read and write success or wait 639417045
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C80236B Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 639417331
Memory read PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C80236B Length: 5 Value: 8B FF 55 8B EC success or wait 639417614
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C80236B Length: 5 Value: E9 BC F1 62 84 success or wait 639418536
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C80236B Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 639418844
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: EB0000 Length: E2FE28 Allocation Type: unknown Protection: page execute and read and write success or wait 639419140
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C802336 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 639419415
Memory read PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C802336 Length: 5 Value: 8B FF 55 8B EC success or wait 639419690
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C802336 Length: 5 Value: E9 07 F3 62 84 success or wait 639420597
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 7C802336 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 639420852
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: EC0000 Length: E2FE08 Allocation Type: unknown Protection: page execute and read and write success or wait 639421171
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77E10CE8 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 639421455
Memory read PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77E10CE8 Length: 5 Value: 8B FF 55 8B EC success or wait 639421742
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77E10CE8 Length: 5 Value: E9 6B 0A 02 89 success or wait 639422663
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77E10CE8 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 639422972
Memory allocated PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: ED0000 Length: E2FE00 Allocation Type: unknown Protection: page execute and read and write success or wait 639423282
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77DEA8A9 Length: 1000 New Protection: page execute and read and write Old Protection: page execute read success or wait 639423568
Memory read PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77DEA8A9 Length: 5 Value: 8B FF 55 8B EC success or wait 639423852
Memory written PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77DEA8A9 Length: 5 Value: E9 C3 6F 04 89 success or wait 639424846
Memory attributes changed PID: 1924 Path: C:\WINDOWS\system32\wscntfy.exe Base: 77DEA8A9 Length: 1000 New Protection: page execute read Old Protection: page execute and read and write success or wait 639425798
Message posted TID: 0 Message: 464 WParam: 0 LParam: 0 error 639426735
Message posted TID: 0 Message: 464 WParam: 0 LParam: 0 error 639427113
Thread created PID: 1924 TID: 3568 EIP: 7C8106F9 EAX: E34458 Imagepath: C:\WINDOWS\system32\wscntfy.exe success or wait 639428564
Process information queried PID: 1924 Info Class: Wow64Information success or wait 639431663
Message posted TID: DF0 Message: 464 WParam: 0 LParam: 0 success 639432168
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu buffer overflow 639432671
Thread created PID: 1924 TID: 3572 EIP: 7C8106F9 EAX: AE2B47 Imagepath: C:\WINDOWS\system32\wscntfy.exe success or wait 639433451
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu buffer overflow 639434859
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage Name: CustomBarMenu success or wait 639435351
System info queried Type: ProcessInformation success or wait 639436668
File opened Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat Access: read attributes and synchronize and generic read Options: synchronous io non alert and non directory file Attributes: normal Content Overwritten: true success or wait 639445546
File read Path: C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat Offset: unknown Length: 407040 Value: 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 639448312
Thread created PID: 1924 TID: 3576 EIP: 7C8106F9 EAX: E35D48 Imagepath: C:\WINDOWS\system32\wscntfy.exe success or wait 640023991
Key value queried Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: StartProcIrq success or wait 640027793
File opened Path: \pipe\Win64Expected Access: read attributes and synchronize and generic read and generic write Options: non directory file Attributes: none Content Overwritten: true success or wait 640028757
Mutant created Name: \BaseNamedObjects\Global\NtSys32AutoLock object name exists 640038690
Thread created PID: 1924 TID: 3584 EIP: 7C8106F9 EAX: E47FBA Imagepath: C:\WINDOWS\system32\wscntfy.exe success or wait 640050598
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 640083370
Thread delayed Time: -1 TID: 3572 success or wait 640084538
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 643623386
Thread delayed Time: -1 TID: 3572 success or wait 643624104
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 647200267
Thread delayed Time: -1 TID: 3572 success or wait 647200949
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 650779926
Thread delayed Time: -1 TID: 3572 success or wait 650780640
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 654362697
Thread delayed Time: -1 TID: 3572 success or wait 654363420
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 657938881
Thread delayed Time: -1 TID: 3572 success or wait 657939559
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 661518417
Thread delayed Time: -1 TID: 3572 success or wait 661519140
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 665097949
Thread delayed Time: -1 TID: 3572 success or wait 665098662
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 668677482
Thread delayed Time: -1 TID: 3572 success or wait 668678181
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 672257553
Thread delayed Time: -1 TID: 3572 success or wait 672258304
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 675837527
Thread delayed Time: -1 TID: 3572 success or wait 675838262
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 679419593
Thread delayed Time: -1 TID: 3572 success or wait 679420260
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 682995677
Thread delayed Time: -1 TID: 3572 success or wait 682996415
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 686574898
Thread delayed Time: -1 TID: 3572 success or wait 686575615
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 690154882
Thread delayed Time: -1 TID: 3572 success or wait 690155594
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 693734801
Thread delayed Time: -1 TID: 3572 success or wait 693735567
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 697316578
Thread delayed Time: -1 TID: 3572 success or wait 697317301
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 700896961
Thread delayed Time: -1 TID: 3572 success or wait 700897649
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 704473359
Thread delayed Time: -1 TID: 3572 success or wait 704474123
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 708052243
Thread delayed Time: -1 TID: 3572 success or wait 708056239
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 711698614
Thread delayed Time: -1 TID: 3572 success or wait 711699505
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 715272275
Thread delayed Time: -1 TID: 3572 success or wait 715273563
Thread delayed Time: -10 TID: 3572 success or wait 718961583
System info queried Type: ProcessInformation success or wait 754754540
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 754775748
Thread delayed Time: -1 TID: 3572 success or wait 754776418
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 758333835
Thread delayed Time: -1 TID: 3572 success or wait 758334520
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 761913424
Thread delayed Time: -1 TID: 3572 success or wait 761914093
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 765493104
Thread delayed Time: -1 TID: 3572 success or wait 765493788
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 769072489
Thread delayed Time: -1 TID: 3572 success or wait 769073162
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 772652072
Thread delayed Time: -1 TID: 3572 success or wait 772652753
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 776231585
Thread delayed Time: -1 TID: 3572 success or wait 776232257
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 779811149
Thread delayed Time: -1 TID: 3572 success or wait 779811828
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 783390737
Thread delayed Time: -1 TID: 3572 success or wait 783391408
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 786970239
Thread delayed Time: -1 TID: 3572 success or wait 786970925
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 790550352
Thread delayed Time: -1 TID: 3572 success or wait 790553768
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 794129346
Thread delayed Time: -1 TID: 3572 success or wait 794132045
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 797708875
Thread delayed Time: -1 TID: 3572 success or wait 797709560
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 801288416
Thread delayed Time: -1 TID: 3572 success or wait 801289101
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 804867958
Thread delayed Time: -1 TID: 3572 success or wait 804868633
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 808447512
Thread delayed Time: -1 TID: 3572 success or wait 808448188
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 812029866
Thread delayed Time: -1 TID: 3572 success or wait 812031132
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 815606792
Thread delayed Time: -1 TID: 3572 success or wait 815607470
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 819189170
Thread delayed Time: -1 TID: 3572 success or wait 819189945
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 822765690
Thread delayed Time: -1 TID: 3572 success or wait 822766549
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 826345230
Thread delayed Time: -1 TID: 3572 success or wait 826346130
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 829924786
Thread delayed Time: -1 TID: 3572 success or wait 829925536
Thread delayed Time: -10 TID: 3572 success or wait 833504218
System info queried Type: ProcessInformation success or wait 869301382
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 869336405
Thread delayed Time: -1 TID: 3572 success or wait 869337463
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 872882069
Thread delayed Time: -1 TID: 3572 success or wait 872882760
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 876458839
Thread delayed Time: -1 TID: 3572 success or wait 876459515
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 880038426
Thread delayed Time: -1 TID: 3572 success or wait 880039111
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 883617983
Thread delayed Time: -1 TID: 3572 success or wait 883618660
Mutant created Name: \BaseNamedObjects\NtKernelInjLock success or wait 887197501
Thread delayed Time: -1 TID: 3572 success or wait 887198179
Thread delayed Time: -10 TID: 3572 success or wait 948049720
System info queried Type: ProcessInformation success or wait 983845446