Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CWDIllegalInDLLSearch |
object name not found |
533007851 |
System info queried |
Type: BasicInformation |
success or wait |
533013222 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: 140000 Length: 12FB14 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533013712 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: 140000 Length: 12FB18 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533016591 |
System info queried |
Type: BasicInformation |
success or wait |
533017107 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: 240000 Length: 12FB14 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533017391 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: 240000 Length: 12FB18 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533018742 |
File opened |
Path: C:\ Access: execute or traverse and synchronize Options: directory file and
synchronous io non alert Overwritten: false
|
success or wait |
533019679 |
File control set |
Path: C:\ Control Code: 90028 Input Buffer: |
success or wait |
533020899 |
Section loaded |
Path: \KnownDlls\kernel32.dll Access: write and read and execute Type: unknown Baseaddress:
7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid
|
success or wait |
533021774 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C801000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533025829 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C801000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533027055 |
Process information queried |
PID: 2332 Info Class: Cookie |
success or wait |
533030167 |
System info queried |
Type: RangeStartInformation |
success or wait |
533030463 |
System info queried |
Type: BasicInformation |
success or wait |
533030703 |
Section loaded |
Path: unknown Access: query and write and read and execute and extend size Type: reserve
Baseaddress: 7C800000 Size: 1007616 Protection: read write Mapped to pid: own pid
|
success or wait |
533031303 |
System info queried |
Type: BasicInformation |
success or wait |
533032976 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: 250000 Length: 12F340 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533033503 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat |
success or wait |
533035752 |
Section loaded |
Path: \NLS\NlsSectionUnicode Access: read Type: unknown Baseaddress: 260000 Size:
90112 Protection: readonly Mapped to pid: own pid
|
success or wait |
533037252 |
Section loaded |
Path: \NLS\NlsSectionLocale Access: read Type: unknown Baseaddress: 280000 Size: 266240
Protection: readonly Mapped to pid: own pid
|
success or wait |
533040973 |
Section loaded |
Path: \NLS\NlsSectionSortkey Access: query and read Type: unknown Baseaddress: 2D0000
Size: 266240 Protection: readonly Mapped to pid: own pid
|
success or wait |
533042397 |
Section loaded |
Path: \NLS\NlsSectionSortTbls Access: read Type: unknown Baseaddress: 320000 Size:
24576 Protection: readonly Mapped to pid: own pid
|
success or wait |
533043349 |
Section loaded |
Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown
Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533045001 |
Section loaded |
Path: \NLS\NlsSectionSortkey00000409 Access: read Type: unknown Baseaddress: unknown
Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533045243 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: 251000 Length: 12F168 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533045930 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and write copy
|
success or wait |
533046918 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and write copy New Protection: page read and write
|
success or wait |
533048166 |
Section loaded |
Path: \KnownDlls\user32.dll Access: write and read and execute Type: unknown Baseaddress:
7E410000 Size: 593920 Protection: read write Mapped to pid: own pid
|
success or wait |
533049368 |
Section loaded |
Path: \KnownDlls\GDI32.dll Access: write and read and execute Type: unknown Baseaddress:
77F10000 Size: 299008 Protection: read write Mapped to pid: own pid
|
success or wait |
533050781 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533052315 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533052884 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533053231 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533053587 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533053968 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F11000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533054685 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533055046 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533055732 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533056055 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533056466 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533056780 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7E411000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533057235 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533057523 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533058659 |
Section loaded |
Path: \KnownDlls\ntprint.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533059858 |
File opened |
Path: C:\WINDOWS\system32\ntprint.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533062587 |
Section loaded |
Path: C:\WINDOWS\system32\ntprint.dll Access: query and write and read and execute
Type: image Baseaddress: 5F180000 Size: 98304 Protection: read write Mapped to pid:
own pid
|
success or wait |
533063613 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Name: TransparentEnabled
|
success or wait |
533093082 |
Section loaded |
Path: \KnownDlls\msvcrt.dll Access: write and read and execute Type: unknown Baseaddress:
77C10000 Size: 360448 Protection: read write Mapped to pid: own pid
|
success or wait |
533130639 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533132228 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533132821 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533133172 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C11000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533133512 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533137403 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533144617 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533144953 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533145270 |
Section loaded |
Path: \KnownDlls\SHELL32.dll Access: write and read and execute Type: unknown Baseaddress:
7C9C0000 Size: 8482816 Protection: read write Mapped to pid: own pid
|
success or wait |
533145709 |
Section loaded |
Path: \KnownDlls\ADVAPI32.dll Access: write and read and execute Type: unknown Baseaddress:
77DD0000 Size: 634880 Protection: read write Mapped to pid: own pid
|
success or wait |
533147392 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533149013 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533149634 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533150012 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533150609 |
Section loaded |
Path: \KnownDlls\RPCRT4.dll Access: write and read and execute Type: unknown Baseaddress:
77E70000 Size: 602112 Protection: read write Mapped to pid: own pid
|
success or wait |
533151050 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533152713 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533153421 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533153828 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533154460 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533154875 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533155362 |
Section loaded |
Path: \KnownDlls\Secur32.dll Access: write and read and execute Type: unknown Baseaddress:
77FE0000 Size: 69632 Protection: read write Mapped to pid: own pid
|
success or wait |
533155842 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533158592 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533159102 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533160072 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533160685 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533161133 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77FE1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533163752 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533164168 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77E71000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533164570 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533165588 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77DD1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533166202 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533166541 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533167392 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533167742 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533168126 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533172758 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533173324 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533173675 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533175631 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533176614 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533176975 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533177978 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533178374 |
Section loaded |
Path: \KnownDlls\SHLWAPI.dll Access: write and read and execute Type: unknown Baseaddress:
77F60000 Size: 483328 Protection: read write Mapped to pid: own pid
|
success or wait |
533178789 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533180681 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533182636 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533183129 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533183532 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533183910 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533184459 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533184834 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533185210 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533185582 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77F61000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533186107 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533186447 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533187084 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533187430 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 7C9C1000 Length: 2000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533188054 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533188380 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533188823 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533189145 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533189573 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533189892 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533190220 |
Section loaded |
Path: \KnownDlls\SETUPAPI.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533190606 |
File opened |
Path: C:\WINDOWS\system32\SETUPAPI.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533191359 |
Section loaded |
Path: C:\WINDOWS\system32\setupapi.dll Access: query and write and read and execute
Type: image Baseaddress: 77920000 Size: 995328 Protection: read write Mapped to pid:
own pid
|
success or wait |
533192413 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533194477 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533194984 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533195333 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533195678 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533196023 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533196668 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533197020 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533197459 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533197809 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533198171 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533198559 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77921000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533198900 |
Section loaded |
Path: \KnownDlls\WINSPOOL.DRV Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533199290 |
File opened |
Path: C:\WINDOWS\system32\WINSPOOL.DRV Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533200028 |
Section loaded |
Path: C:\WINDOWS\system32\winspool.drv Access: query and write and read and execute
Type: image Baseaddress: 73000000 Size: 155648 Protection: read write Mapped to pid:
own pid
|
success or wait |
533201073 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533204580 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533205108 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533205456 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533205793 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533206139 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533206567 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533206910 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533207253 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533207595 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533207930 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533208318 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73001000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533208660 |
Section loaded |
Path: \KnownDlls\mscms.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533209048 |
File opened |
Path: C:\WINDOWS\system32\mscms.dll Access: execute or traverse and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533209784 |
Section loaded |
Path: C:\WINDOWS\system32\mscms.dll Access: query and write and read and execute Type:
image Baseaddress: 73B30000 Size: 86016 Protection: read write Mapped to pid: own
pid
|
success or wait |
533210810 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533217010 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533217432 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533217779 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533218221 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533218568 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533218961 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533219306 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533219643 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533219985 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 73B31000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533220375 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533220784 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5F181000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533221095 |
Section loaded |
Path: \KnownDlls\CRYPT32.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533221478 |
File opened |
Path: C:\WINDOWS\system32\CRYPT32.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533222219 |
Section loaded |
Path: C:\WINDOWS\system32\crypt32.dll Access: query and write and read and execute
Type: image Baseaddress: 77A80000 Size: 610304 Protection: read write Mapped to pid:
own pid
|
success or wait |
533223260 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533226917 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533227510 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533227864 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533228308 |
Section loaded |
Path: \KnownDlls\MSASN1.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533228722 |
File opened |
Path: C:\WINDOWS\system32\MSASN1.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533229487 |
Section loaded |
Path: C:\WINDOWS\system32\msasn1.dll Access: query and write and read and execute
Type: image Baseaddress: 77B20000 Size: 73728 Protection: read write Mapped to pid:
own pid
|
success or wait |
533230452 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533234229 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533234688 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533235066 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533235516 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533235894 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77B21000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533236262 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533236602 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533237121 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533237466 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533237815 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533238201 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77A81000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533238546 |
Section loaded |
Path: \KnownDlls\VERSION.dll Access: write and read and execute Type: unknown Baseaddress:
77C00000 Size: 32768 Protection: read write Mapped to pid: own pid
|
success or wait |
533238936 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533240507 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533241063 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533241414 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77C01000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533241782 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533242073 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533243216 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533244358 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533245494 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533246636 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533247772 |
Section loaded |
Path: \KnownDlls\comctl32.dll Access: write and read and execute Type: unknown Baseaddress:
5D090000 Size: 630784 Protection: read write Mapped to pid: own pid
|
success or wait |
533248979 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533250476 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533250903 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533251220 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533251572 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533251887 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533252287 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533252605 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533252913 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533253226 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 5D091000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533253673 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533254006 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533255798 |
Section loaded |
Path: \KnownDlls\oleaut32.dll Access: write and read and execute Type: unknown Baseaddress:
77120000 Size: 569344 Protection: read write Mapped to pid: own pid
|
success or wait |
533257007 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533258453 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533258953 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533259274 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533259613 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533259977 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533260437 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533260756 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533261088 |
Section loaded |
Path: \KnownDlls\ole32.dll Access: write and read and execute Type: unknown Baseaddress:
774E0000 Size: 1302528 Protection: read write Mapped to pid: own pid
|
success or wait |
533261467 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533263031 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533263511 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533263855 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533264221 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533264604 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533265110 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533265454 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533265801 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533266139 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533266497 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533266838 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533267292 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533267634 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 774E1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533268076 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533268389 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533268904 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533269445 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 77121000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533270027 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533270328 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533271606 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page read
and write New Protection: page execute and read and write
|
success or wait |
533272745 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 593000 Length: 59000 New Protection: page execute
and read and write New Protection: page read and write
|
success or wait |
533273877 |
Process information queried |
PID: 2332 Info Class: ImageInformation |
success or wait |
533275510 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat |
success or wait |
533276346 |
System info queried |
Type: BasicInformation |
success or wait |
533284521 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode |
object name not found |
533285669 |
File opened |
Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533286629 |
Section loaded |
Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit
Baseaddress: 5F0000 Size: 110592 Protection: execute Mapped to pid: own pid
|
success or wait |
533287659 |
File opened |
Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533289839 |
Section loaded |
Path: C:\WINDOWS\system32\imm32.dll Access: write and read and execute Type: commit
Baseaddress: 5F0000 Size: 110592 Protection: execute Mapped to pid: own pid
|
success or wait |
533290852 |
File opened |
Path: C:\WINDOWS\system32\IMM32.DLL Access: execute or traverse and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533292531 |
Section loaded |
Path: C:\WINDOWS\system32\imm32.dll Access: query and write and read and execute Type:
image Baseaddress: 76390000 Size: 118784 Protection: read write Mapped to pid: own
pid
|
success or wait |
533293541 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533295249 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533295709 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533296056 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533296451 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533297563 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533297975 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533298322 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 76391000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533298691 |
System info queried |
Type: BasicInformation |
success or wait |
533299327 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
Name: DisableMetaFiles
|
object name not found |
533301211 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name:
AppInit_DLLs
|
success or wait |
533305008 |
System info queried |
Type: BasicInformation |
success or wait |
533307182 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A20000 Length: 12F91C Allocation Type: unknown
Protection: page read and write
|
success or wait |
533307500 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A20000 Length: 12F920 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533307780 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A21000 Length: 12F5FC Allocation Type: unknown
Protection: page read and write
|
success or wait |
533308161 |
Section loaded |
Path: \NLS\NlsSectionCType Access: read Type: unknown Baseaddress: A30000 Size: 12288
Protection: readonly Mapped to pid: own pid
|
success or wait |
533309094 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A23000 Length: 12F6B8 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533310996 |
Process information queried |
PID: 2332 Info Class: Cookie |
success or wait |
533312126 |
Process information queried |
PID: 2332 Info Class: Cookie |
success or wait |
533312390 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat |
success or wait |
533313289 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSUserEnabled |
success or wait |
533314277 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name:
LeakTrack
|
object name not found |
533315668 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress |
success or wait |
533317999 |
File opened |
Path: C:\WINDOWS\system32\SHELL32.dll Access: read data or list directory and read
ea and execute or traverse and read attributes and read control and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533319853 |
Section loaded |
Path: C:\WINDOWS\system32\shell32.dll Access: read Type: commit Baseaddress: A40000
Size: 8462336 Protection: readonly Mapped to pid: own pid
|
success or wait |
533320912 |
File opened |
Path: C:\WINDOWS\system32\SHELL32.dll.124.Manifest Access: read data or list directory
and read ea and execute or traverse and read attributes and read control and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
object name not found |
533321791 |
File opened |
Path: C:\WINDOWS\system32\SHELL32.dll.124.Config Access: read data or list directory
and read ea and execute or traverse and read attributes and read control and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
object name not found |
533323986 |
File opened |
Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
Access: execute or traverse and synchronize Options: directory file and synchronous
io non alert Overwritten: false
|
success or wait |
533365882 |
File opened |
Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
Access: execute or traverse and synchronize Options: synchronous io non alert and
non directory file Overwritten: false
|
success or wait |
533368100 |
Section loaded |
Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
Access: write and read and execute Type: commit Baseaddress: A40000 Size: 1056768
Protection: execute Mapped to pid: own pid
|
success or wait |
533369708 |
File opened |
Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
Access: execute or traverse and synchronize Options: synchronous io non alert and
non directory file Overwritten: false
|
success or wait |
533372259 |
Section loaded |
Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
Access: query and write and read and execute Type: image Baseaddress: 773D0000 Size:
1060864 Protection: read write Mapped to pid: own pid
|
success or wait |
533374181 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533376714 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533377150 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533379103 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533380102 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533380485 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533380826 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533382544 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533383825 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533384256 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533384722 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533385381 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533385751 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533386126 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 773D1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533387177 |
File opened |
Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533389336 |
Section loaded |
Path: C:\WINDOWS\WindowsShell.Manifest Access: write and read and execute Type: commit
Baseaddress: A40000 Size: 4096 Protection: execute Mapped to pid: own pid
|
success or wait |
533390610 |
File opened |
Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and
generic read Options: synchronous io non alert and non directory file Attributes:
none Content Overwritten: null
|
success or wait |
533393250 |
Section loaded |
Path: C:\WINDOWS\WindowsShell.Manifest Access: query and read Type: commit Baseaddress:
A40000 Size: 4096 Protection: readonly Mapped to pid: own pid
|
success or wait |
533394470 |
File opened |
Path: C:\WINDOWS\WindowsShell.Manifest Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533396577 |
Section loaded |
Path: C:\WINDOWS\WindowsShell.Manifest Access: read Type: commit Baseaddress: A40000
Size: 4096 Protection: readonly Mapped to pid: own pid
|
success or wait |
533397724 |
File opened |
Path: C:\WINDOWS\WindowsShell.Config Access: read data or list directory and read
ea and execute or traverse and read attributes and read control and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
object name not found |
533398802 |
Key value queried |
Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll |
object name not found |
533436683 |
Key value queried |
Path: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name:
EnableBalloonTips
|
object name not found |
533439735 |
File opened |
Path: C:\Hermes_.exe Access: read data or list directory and read ea and execute
or traverse and read attributes and read control and synchronize Options: synchronous
io non alert and non directory file Overwritten: false
|
success or wait |
533444995 |
Section loaded |
Path: C:\Hermes_.exe Access: read Type: commit Baseaddress: A60000 Size: 409600 Protection:
readonly Mapped to pid: own pid
|
success or wait |
533445982 |
File opened |
Path: C:\Hermes_.exe.124.Manifest Access: read data or list directory and read ea
and execute or traverse and read attributes and read control and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
object name not found |
533447248 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
533450290 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress |
success or wait |
533450724 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP Name: seed |
success or wait |
533451717 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath |
success or wait |
533452634 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OsLoaderPath |
success or wait |
533453164 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition |
success or wait |
533454023 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemPartition |
success or wait |
533454551 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath |
success or wait |
533455774 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: SourcePath |
success or wait |
533456309 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath |
success or wait |
533457200 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackSourcePath |
success or wait |
533457778 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath |
success or wait |
533458705 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: ServicePackCachePath |
success or wait |
533459238 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath |
success or wait |
533460178 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: DriverCachePath |
success or wait |
533460702 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Name: DevicePath |
success or wait |
533461696 |
Mutant created |
Name: unknown |
success or wait |
533462489 |
Mutant created |
Name: unknown |
success or wait |
533462775 |
Mutant created |
Name: unknown |
success or wait |
533463075 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel |
success or wait |
533463581 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogLevel |
success or wait |
533464118 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Name: LogPath |
object name not found |
533464685 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
Name: ComputerName
|
success or wait |
533467506 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Hostname |
success or wait |
533468458 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters Name: Domain |
success or wait |
533469463 |
System info queried |
Type: BasicInformation |
success or wait |
533471126 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A40000 Length: 12F968 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533471442 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A40000 Length: 12F96C Allocation Type: unknown
Protection: page read and write
|
success or wait |
533471730 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A41000 Length: 12F648 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533472120 |
System info queried |
Type: BasicInformation |
success or wait |
533479217 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A60000 Length: 12F974 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533479544 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A60000 Length: 12F978 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533479833 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A61000 Length: 12F654 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533480188 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
533484822 |
System info queried |
Type: BasicInformation |
success or wait |
533485260 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A70000 Length: 12F904 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533485578 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A70000 Length: 12F908 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533485868 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A71000 Length: 12F5E4 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533486257 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A73000 Length: 12F698 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533486851 |
File opened |
Path: C:\WINDOWS\system32\comctl32.dll Access: read data or list directory and read
ea and execute or traverse and read attributes and read control and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533488204 |
Section loaded |
Path: C:\WINDOWS\system32\comctl32.dll Access: read Type: commit Baseaddress: A80000
Size: 618496 Protection: readonly Mapped to pid: own pid
|
success or wait |
533489265 |
File opened |
Path: C:\WINDOWS\system32\comctl32.dll.124.Manifest Access: read data or list directory
and read ea and execute or traverse and read attributes and read control and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
object name not found |
533490141 |
File opened |
Path: C:\WINDOWS\system32\comctl32.dll.124.Config Access: read data or list directory
and read ea and execute or traverse and read attributes and read control and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
object name not found |
533491266 |
Process information queried |
PID: 2332 Info Class: SessionInformation |
success or wait |
533497474 |
Key value queried |
Path: HKEY_USERS\Control Panel\Desktop Name: SmoothScroll |
object name not found |
533499310 |
File opened |
Path: \Device\KsecDD Access: read data or list directory and synchronize Options:
synchronous io alert Overwritten: false
|
success or wait |
533501123 |
System info queried |
Type: BasicInformation |
success or wait |
533507021 |
System info queried |
Type: ProcessorInformation |
success or wait |
533507313 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout |
success or wait |
533507840 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut |
object name not found |
533508808 |
System info queried |
Type: BasicInformation |
success or wait |
533509537 |
System info queried |
Type: ProcessorInformation |
success or wait |
533509837 |
System info queried |
Type: BasicInformation |
success or wait |
533510105 |
System info queried |
Type: ProcessorInformation |
success or wait |
533510401 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll |
object name not found |
533510828 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32 |
object name not found |
533511147 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib |
object name not found |
533511454 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}
Name: InterfaceHelperDisableAll
|
object name not found |
533512166 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}
Name: InterfaceHelperDisableAllForOle32
|
object name not found |
533512520 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF80 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533520825 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533531462 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533533103 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533551502 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533554664 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533555820 |
Section loaded |
Path: \KnownDlls\wsock32.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533558367 |
File opened |
Path: C:\WINDOWS\system32\wsock32.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533559467 |
Section loaded |
Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute
Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid:
own pid
|
success or wait |
533560807 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AD1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533563285 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AD1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533563801 |
Section loaded |
Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533564249 |
File opened |
Path: C:\WINDOWS\system32\WS2_32.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533565052 |
Section loaded |
Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute
Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid:
own pid
|
success or wait |
533566069 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533568039 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533568491 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533568836 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533569248 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533569582 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533569917 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page read
and write New Protection: page execute read
|
success or wait |
533570251 |
Memory attributes changed |
PID: 2332 Path: C:\Hermes_.exe Base: 71AB1000 Length: 1000 New Protection: page execute
read New Protection: page read and write
|
success or wait |
533570587 |
Section loaded |
Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
533571098 |
File opened |
Path: C:\WINDOWS\system32\WS2HELP.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
533571845 |
Section loaded |
Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute
Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid:
own pid
|
success or wait |
533572942 |
System info queried |
Type: BasicInformation |
success or wait |
533577889 |
System info queried |
Type: ProcessorInformation |
success or wait |
533578198 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B30000 Length: 12FE08 Allocation Type: unknown
Protection: page no access
|
success or wait |
533581123 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B30000 Length: 12FDF8 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533581401 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: WinSock_Registry_Version |
success or wait |
533582832 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: WinSock_Registry_Version |
success or wait |
533583412 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Name: Serial_Access_Num
|
success or wait |
533584135 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Name: Serial_Access_Num
|
success or wait |
533584740 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Name: Next_Catalog_Entry_ID
|
success or wait |
533585543 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Name: Num_Catalog_Entries
|
success or wait |
533586062 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
Name: PackedCatalogItem
|
buffer overflow |
533587015 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
Name: PackedCatalogItem
|
buffer overflow |
533587552 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
Name: PackedCatalogItem
|
success or wait |
533588075 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
Name: PackedCatalogItem
|
buffer overflow |
533589947 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
Name: PackedCatalogItem
|
buffer overflow |
533590479 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
Name: PackedCatalogItem
|
success or wait |
533591077 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
Name: PackedCatalogItem
|
buffer overflow |
533592960 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
Name: PackedCatalogItem
|
buffer overflow |
533593491 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
Name: PackedCatalogItem
|
success or wait |
533594091 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
Name: PackedCatalogItem
|
buffer overflow |
533595958 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
Name: PackedCatalogItem
|
buffer overflow |
533596487 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
Name: PackedCatalogItem
|
success or wait |
533597008 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
Name: PackedCatalogItem
|
buffer overflow |
533598857 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
Name: PackedCatalogItem
|
buffer overflow |
533600163 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
Name: PackedCatalogItem
|
success or wait |
533600727 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
Name: PackedCatalogItem
|
buffer overflow |
533602594 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
Name: PackedCatalogItem
|
buffer overflow |
533603124 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
Name: PackedCatalogItem
|
success or wait |
533603647 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
Name: PackedCatalogItem
|
buffer overflow |
533605628 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
Name: PackedCatalogItem
|
buffer overflow |
533606158 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
Name: PackedCatalogItem
|
success or wait |
533606680 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
Name: PackedCatalogItem
|
buffer overflow |
533608501 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
Name: PackedCatalogItem
|
buffer overflow |
533609029 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
Name: PackedCatalogItem
|
success or wait |
533609671 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
Name: PackedCatalogItem
|
buffer overflow |
533611494 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
Name: PackedCatalogItem
|
buffer overflow |
533612023 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
Name: PackedCatalogItem
|
success or wait |
533612545 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
Name: PackedCatalogItem
|
buffer overflow |
533614528 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
Name: PackedCatalogItem
|
buffer overflow |
533615057 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
Name: PackedCatalogItem
|
success or wait |
533615579 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
Name: PackedCatalogItem
|
buffer overflow |
533617399 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
Name: PackedCatalogItem
|
buffer overflow |
533617967 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
Name: PackedCatalogItem
|
success or wait |
533618486 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
Name: PackedCatalogItem
|
buffer overflow |
533620343 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
Name: PackedCatalogItem
|
buffer overflow |
533620872 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
Name: PackedCatalogItem
|
success or wait |
533621472 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
Name: PackedCatalogItem
|
buffer overflow |
533623331 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
Name: PackedCatalogItem
|
buffer overflow |
533623662 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
Name: PackedCatalogItem
|
success or wait |
533624226 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Name: Serial_Access_Num
|
success or wait |
533626540 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Name: Serial_Access_Num
|
success or wait |
533627163 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Name: Num_Catalog_Entries
|
success or wait |
533627718 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: LibraryPath
|
success or wait |
533628440 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: LibraryPath
|
success or wait |
533628966 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: DisplayString
|
success or wait |
533629481 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: DisplayString
|
success or wait |
533629995 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: DisplayString
|
success or wait |
533630513 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: DisplayString
|
success or wait |
533631031 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: ProviderId
|
success or wait |
533631590 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: AddressFamily
|
object name not found |
533632149 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: SupportedNameSpace
|
success or wait |
533632676 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: Enabled
|
success or wait |
533633194 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: Version
|
success or wait |
533633710 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
Name: StoresServiceClassInfo
|
success or wait |
533634232 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: LibraryPath
|
success or wait |
533635144 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: LibraryPath
|
success or wait |
533635666 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: DisplayString
|
success or wait |
533636183 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: DisplayString
|
success or wait |
533636696 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: DisplayString
|
success or wait |
533637254 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: DisplayString
|
success or wait |
533637773 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: ProviderId
|
success or wait |
533638291 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: AddressFamily
|
object name not found |
533638811 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: SupportedNameSpace
|
success or wait |
533639335 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: Enabled
|
success or wait |
533639852 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: Version
|
success or wait |
533640368 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
Name: StoresServiceClassInfo
|
success or wait |
533640889 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: LibraryPath
|
success or wait |
533642621 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: LibraryPath
|
success or wait |
533643186 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: DisplayString
|
success or wait |
533643705 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: DisplayString
|
success or wait |
533644221 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: DisplayString
|
success or wait |
533644735 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: DisplayString
|
success or wait |
533645251 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: ProviderId
|
success or wait |
533645769 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: AddressFamily
|
object name not found |
533646289 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: SupportedNameSpace
|
success or wait |
533646813 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: Enabled
|
success or wait |
533647333 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: Version
|
success or wait |
533647850 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
Name: StoresServiceClassInfo
|
success or wait |
533648412 |
System info queried |
Type: BasicInformation |
success or wait |
533649568 |
System info queried |
Type: ProcessorInformation |
success or wait |
533649848 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters Name: Ws2_32NumHandleBuckets |
object name not found |
533650292 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B34000 Length: 12FE8C Allocation Type: unknown
Protection: page read and write
|
success or wait |
533652737 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FEB4 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533710483 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: A90000 Length: 12FEB4 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533710924 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: AA0000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533711707 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B3C000 Length: 12FE24 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533712040 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: AB0000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533712383 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: AC0000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533712707 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: AD0000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533713029 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: AE0000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533713402 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B40000 Length: 12FE24 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533713815 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: AF0000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533714247 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B00000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533714612 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B10000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533714934 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C30000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533715258 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C40000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533715649 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C50000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533715973 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C60000 Length: 12FEE0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533716296 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FEAC Allocation Type: unknown
Protection: page read and write
|
success or wait |
533717174 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C70000 Length: 12FF2C Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533717480 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533717860 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533718230 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FD68 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533718532 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533721669 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533722050 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FD58 Allocation Type: unknown
Protection: page read and write
|
success or wait |
533722356 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533725522 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533725969 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1F0 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533726379 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533726750 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533727093 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533727433 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533728577 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533728969 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533729314 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533731089 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533731434 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533731774 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533732114 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533732452 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533732796 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533733338 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533733681 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533734022 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533734362 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533734700 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533735042 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533735469 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533735812 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533736151 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533736492 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533736829 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533737171 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533755644 |
Memory allocated |
PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown
Protection: page execute and read and write
|
success or wait |
533756049 |
File opened |
Path: Scsi0: Access: read attributes and synchronize and generic read and generic
write Options: synchronous io non alert and non directory file Attributes: none Content
Overwritten: true
|
success or wait |
533944177 |
Process information queried |
PID: 2332 Info Class: DeviceMap |
success or wait |
533969254 |
File opened |
Path: C:\ Access: execute or traverse and synchronize Options: directory file and
synchronous io non alert Overwritten: false
|
success or wait |
533969659 |
File opened |
Path: C:\ Access: execute or traverse and synchronize Options: directory file and
synchronous io non alert Overwritten: false
|
success or wait |
533973632 |
Key created |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key |
success or wait |
533992172 |
Key value replaced with new |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: NULL Type: unicode Data: Old
data:
|
success or wait |
534022596 |
Key value replaced with new |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: Type: unicode Data: regfile
Old data:
|
success or wait |
534027752 |
Foreground Window Got |
HWND: 10084 |
success |
534051990 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
534053095 |
Foreground Window Got |
HWND: 10084 |
success |
534447209 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
534447548 |
Foreground Window Got |
HWND: 10084 |
success |
534835880 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
534836181 |
Foreground Window Got |
HWND: 10084 |
success |
535227411 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
535227655 |
Foreground Window Got |
HWND: 10084 |
success |
535618895 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
535619139 |
Foreground Window Got |
HWND: 10084 |
success |
536010676 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
536010938 |
Foreground Window Got |
HWND: 10084 |
success |
536404860 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
536405120 |
Foreground Window Got |
HWND: 10084 |
success |
536796514 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
536796818 |
Foreground Window Got |
HWND: 10084 |
success |
537184965 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
537185270 |
Foreground Window Got |
HWND: 10084 |
success |
537576609 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
537576853 |
Foreground Window Got |
HWND: 10084 |
success |
537970784 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
537971076 |
Foreground Window Got |
HWND: 10084 |
success |
538361805 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
538362048 |
Foreground Window Got |
HWND: 10084 |
success |
538751083 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
538751330 |
Foreground Window Got |
HWND: 10084 |
success |
539142565 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
539142907 |
Foreground Window Got |
HWND: 10084 |
success |
539535872 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
539536221 |
Foreground Window Got |
HWND: 10084 |
success |
539925698 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
539925963 |
Foreground Window Got |
HWND: 10084 |
success |
540317423 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
540317667 |
Foreground Window Got |
HWND: 10084 |
success |
540708680 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
540708925 |
Foreground Window Got |
HWND: 10084 |
success |
541100731 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
541100986 |
Foreground Window Got |
HWND: 10084 |
success |
541491648 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
541493527 |
Foreground Window Got |
HWND: 10084 |
success |
541883110 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
541883492 |
Foreground Window Got |
HWND: 10084 |
success |
542274427 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
542274674 |
Foreground Window Got |
HWND: 10084 |
success |
542668297 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
542668543 |
Foreground Window Got |
HWND: 10084 |
success |
543065083 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
543067934 |
Foreground Window Got |
HWND: 10084 |
success |
543449522 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
543449785 |
Foreground Window Got |
HWND: 10084 |
success |
543840731 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
543841069 |
Foreground Window Got |
HWND: 10084 |
success |
544232184 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
544232482 |
Foreground Window Got |
HWND: 10084 |
success |
544623719 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
544623963 |
Foreground Window Got |
HWND: 10084 |
success |
545015261 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
545015507 |
Foreground Window Got |
HWND: 10084 |
success |
545407198 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
545407443 |
Foreground Window Got |
HWND: 10084 |
success |
545798831 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
545799099 |
Foreground Window Got |
HWND: 10084 |
success |
546189820 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
546190498 |
Foreground Window Got |
HWND: 10084 |
success |
546584983 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
546585286 |
Foreground Window Got |
HWND: 10084 |
success |
546977775 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
546980356 |
Foreground Window Got |
HWND: 10084 |
success |
547364291 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
547364534 |
Foreground Window Got |
HWND: 10084 |
success |
547756961 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
547757205 |
Foreground Window Got |
HWND: 10084 |
success |
548147454 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
548147703 |
Foreground Window Got |
HWND: 10084 |
success |
548541427 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
548541767 |
Foreground Window Got |
HWND: 10084 |
success |
548930338 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
548930637 |
Foreground Window Got |
HWND: 10084 |
success |
549321870 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
549322114 |
Foreground Window Got |
HWND: 10084 |
success |
549713362 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
549713605 |
Foreground Window Got |
HWND: 10084 |
success |
550105074 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
550105316 |
Foreground Window Got |
HWND: 10084 |
success |
550496522 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
550496787 |
Foreground Window Got |
HWND: 10084 |
success |
550887956 |
Thread delayed |
Time: 0 TID: 2336 |
success or wait |
550890563 |
Foreground Window Got |
HWND: 90086 |
success |
551279472 |
Section loaded |
Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
551285471 |
File opened |
Path: C:\WINDOWS\system32\MFC42.DLL Access: execute or traverse and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
551289252 |
Section loaded |
Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type:
image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own
pid
|
success or wait |
551290299 |
Process information queried |
PID: 2332 Info Class: DefaultHardErrorMode |
success or wait |
551401721 |
Process information queried |
PID: 2332 Info Class: DefaultHardErrorMode |
success or wait |
551402017 |
Process information queried |
PID: 2332 Info Class: DefaultHardErrorMode |
success or wait |
551422707 |
Process information queried |
PID: 2332 Info Class: DefaultHardErrorMode |
success or wait |
551423005 |
Section loaded |
Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
551428776 |
File opened |
Path: C:\WINDOWS\system32\MSVCP60.dll Access: execute or traverse and synchronize
Options: synchronous io non alert and non directory file Overwritten: false
|
success or wait |
551429500 |
Section loaded |
Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute
Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid:
own pid
|
success or wait |
551430533 |
System info queried |
Type: ProcessInformation |
success or wait |
551442671 |
Section loaded |
Path: unknown Access: query and write and read Type: commit Baseaddress: AB0000 Size:
20480 Protection: read write Mapped to pid: own pid
|
success or wait |
551452636 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551467906 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551469044 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551469325 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551469598 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551469869 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551470140 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551470410 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551470680 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551470950 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551471221 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551471490 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551471760 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551472030 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551472301 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551472570 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551472840 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551473154 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551473425 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551473695 |
Process information queried |
PID: 2332 Info Class: Wow64Information |
success or wait |
551473965 |
System info queried |
Type: BasicInformation |
success or wait |
551477031 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize |
object name not found |
551477657 |
System time queried |
Time: 129718679940468750 |
success or wait |
551478752 |
System info queried |
Type: PerformanceInformation |
success or wait |
551479511 |
Process information queried |
PID: 2332 Info Class: QuotaLimits |
success or wait |
551480279 |
Process information queried |
PID: 2332 Info Class: VmCounters |
success or wait |
551480665 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName
Name: ComputerName
|
success or wait |
551481642 |
File opened |
Path: \pipe\lsarpc Access: read attributes and synchronize and generic read and generic
write Options: non directory file Attributes: none Content Overwritten: true
|
success or wait |
551483433 |
File other op |
Path: \lsarpc New path: Disposition: PipeInformation Data : unknown |
success or wait |
551484365 |
File other op |
Path: \lsarpc New path: Disposition: CompletionInformation Data : unknown |
success or wait |
551484828 |
File write |
Path: \lsarpc Offset: 0 Length: 72 Value: 05 00 0B 03 10 00 00 00 48 00 00 00 01 00
00 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 00 78 57 34 12 34 12 CD AB EF 00
01 23 45 67 89 AB 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00
00 00
|
success or wait |
551485352 |
File read |
Path: \lsarpc Offset: 0 Length: 1024 Value: 05 00 0C 03 10 00 00 00 44 00 00 00 01
00 00 00 B8 10 B8 10 5B 17 00 00 0C 00 5C 50 49 50 45 5C 6C 73 61 73 73 00 00 00 01
00 00 00 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00
|
success or wait |
551486016 |
File control set |
Path: \lsarpc Control Code: 11C017 Input Buffer: ........@.......(.....,......................................... |
pending |
551487971 |
File control set |
Path: \lsarpc Control Code: 11C017 Input Buffer: ........t.......\.....9.........;T0H.W.V.....................................CF..w.tC..2............................ |
pending |
551489670 |
File control set |
Path: \lsarpc Control Code: 11C017 Input Buffer: ........,.......................;T0H.W.V.... |
pending |
551491198 |
Section loaded |
Path: \KnownDlls\psapi.dll Access: write and read and execute Type: unknown Baseaddress:
unknown Size: unknown Protection: unknown Mapped to pid: unknown
|
object name not found |
551495209 |
File opened |
Path: C:\WINDOWS\system32\psapi.dll Access: execute or traverse and synchronize Options:
synchronous io non alert and non directory file Overwritten: false
|
success or wait |
551495968 |
Section loaded |
Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type:
image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own
pid
|
success or wait |
551497119 |
Process information queried |
PID: 1552 Info Class: ImageFileName |
success or wait |
551501084 |
File opened |
Path: C:\WINDOWS\explorer.exe Access: read data or list directory and read ea and
read attributes and read control and synchronize Options: synchronous io non alert
Overwritten: false
|
success or wait |
551502172 |
File read |
Path: C:\WINDOWS\explorer.exe Offset: 60 Length: 2 Value: D8 00 |
success or wait |
551502656 |
File read |
Path: C:\WINDOWS\explorer.exe Offset: 216 Length: 248 Value: 50 45 00 00 4C 01 04
00 30 5C 02 48 00 00 00 00 00 00 00 00 E0 00 0E 01 0B 01 07 0A 00 4E 04 00 00 7A 0B
00 00 00 00 00 5F A5 01 00 00 10 00 00 00 40 04 00 00 00 00 01 00 10 00 00 00 02 00
00 05 00 01 00 05 00 01 00 04 00 0A 00 00 00 00 00 00 F0 0F 00 00 04 00 00 2C 2B 10
00 02 00 00 80 00 00 04 00
|
success or wait |
551504994 |
Memory allocated |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 12FC3C Allocation Type:
unknown Protection: page execute and read and write
|
success or wait |
551505918 |
Memory allocated |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 12FC3C Allocation Type:
unknown Protection: page execute and read and write
|
success or wait |
551506221 |
Memory allocated |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 12FC3C Allocation Type:
unknown Protection: page read and write
|
success or wait |
551506510 |
Memory attributes changed |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 36000 New Protection:
page execute and read and write New Protection: page execute and read and write
|
success or wait |
551508700 |
Memory attributes changed |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 36000 New Protection:
page execute and read and write New Protection: page execute and read and write
|
success or wait |
551509009 |
Memory written |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 221184
|
success or wait |
559385601 |
Memory attributes changed |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 1000 New Protection:
page execute and read and write New Protection: page read and write
|
success or wait |
559409746 |
Memory attributes changed |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 1000 New Protection:
page read and write New Protection: page execute and read and write
|
success or wait |
559411764 |
Memory written |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 305
|
success or wait |
559423387 |
Memory attributes changed |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 36000 New Protection:
page execute and read and write New Protection: page execute and read and write
|
success or wait |
559423503 |
Memory attributes changed |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 36000 New Protection:
page execute and read and write New Protection: page execute and read and write
|
success or wait |
559423800 |
Memory written |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 221184
|
success or wait |
559435803 |
Memory allocated |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2AF0000 Length: 12F7F0 Allocation Type:
unknown Protection: page read and write
|
success or wait |
559436147 |
Memory allocated |
PID: 1552 Path: C:\WINDOWS\explorer.exe Base: 2AF0000 Length: 12F7EC Allocation Type:
unknown Protection: page read and write
|
success or wait |
559436269 |
Thread created |
PID: 1552 TID: 4004 EIP: 7C8106F9 EAX: BA28C6 Imagepath: C:\WINDOWS\explorer.exe |
success or wait |
559446958 |
Thread resumed |
TID: 4004 PID: 1552 Path: C:\WINDOWS\explorer.exe |
success or wait |
559447323 |
Process terminated |
PID: 2332 Path: C:\Hermes_.exe |
success or wait |
559450681 |
Process information queried |
PID: 2332 Info Class: Cookie |
success or wait |
559481822 |
Process information queried |
PID: 2332 Info Class: Cookie |
success or wait |
559481922 |
Key value queried |
Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
Name: DisableMetaFiles
|
object name not found |
559482194 |