General Information

Start time: 11:26:53
Start date: 16/08/2012
Overall analysis duration: 0h 3m 26s
Sample file name: Hermes_.exe
Cookbook file name: Screen Action.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 3
Errors:
  • Too many NtProtectVirtualMemory calls (excessive behavior)
  • Too many NtAllocateVirtualMemory calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival :
Hiding, Stealthiness, Detection and Removal Protection :
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection :
Spreading :
Exploiting :
Networking :
Data spying, Sniffing, Keylogging, Ebanking Fraud :

Matching Signatures

Creates files inside the user directory
Creates temporary files
Printf formatting strings found in memory and binary data
Queries a list of all running processes
Urls found in memory or binary data
Changes the view of files in windows explorer (hides hidden files and folders)
Creates an autostart registry key
Creates mutexes (the numeric suffix of NtKernelProc.<n> is the PID of the process the sample injected into; see the Global\NtKernelProc.%u format string in the String Analysis section):
  \BaseNamedObjects\Global\NtKernelProc.1728 (ctfmon.exe)
  \BaseNamedObjects\Global\NtSys32AutoLock
  \BaseNamedObjects\Global\NtKernelTrusted
  \BaseNamedObjects\Global\NtKernelProc.1552 (explorer.exe)
  \BaseNamedObjects\NtKernelInjLock
  \BaseNamedObjects\Global\NtKernelProc.1924 (wscntfy.exe)
Drops PE files
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Modifies the prolog of usermode functions (usermode inline hooks)
Writes to foreign memory regions

Startup

  • system is xp
  • Hermes_.exe (PID: 2332 MD5: 20BE4F07F9A12C35463361A7212CA5FF)
    • explorer.exe (PID: 1552 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)
      • ctfmon.exe (PID: 1728 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)
      • wscntfy.exe (PID: 1924 MD5: F92E1076C42FCD6DB3D72D8CFE9816D5)
  • cleanup

Created / dropped Files

File Path MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp 866A64601DEB0FCA0C21F8CEA5FD66B0
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe 20BE4F07F9A12C35463361A7212CA5FF
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat 313C023B6803F33A448814B60E1C964D
\Win64Expected 94A7BD08C204D6ECFE560A95862F8FC9

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
File name: Hermes_.exe
File size: 407040
MD5: 20be4f07f9a12c35463361a7212ca5ff
SHA1: 07b2a4af66c5de5f69a1efd175de3bff9d48ba8e
SHA256: f42e71f3e5121412e2c82d7ac982e5036f63d39c1c6591c3630f6b3fd8a48180
SHA512: 7adef3f325acda1c8babe9d5f1e03d36ee4fbd8fe2d6698fa8f70a301483ca34fe7fc62afce52e05a1615c77d4ae285e7378b259cfea6dfa1a9b5055a52c21bb

Static PE Info

General
Entrypoint: 0x401000
Entrypoint Section: (unnamed; entrypoint RVA 0x1000 falls in the first section, which has an empty name)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x27E2A2D4 [Sat Mar 16 22:57:24 1991 UTC]
TLS Callbacks:
Resources
Name RVA Size Type Language Country
RT_ICON 0x18d478 0x10a8 data
RT_GROUP_ICON 0x18e520 0x14 MS Windows icon resource - 1 icon
RT_VERSION 0x18e534 0x384 data
RT_VERSION 0x18e8b8 0x384 data
RT_VERSION 0x18ec3c 0x384 data
RT_VERSION 0x18efc0 0x384 data
RT_VERSION 0x18f344 0x384 data
RT_VERSION 0x18f6c8 0x384 data
RT_VERSION 0x18fa4c 0x384 data
RT_VERSION 0x18fdd0 0x384 data
RT_VERSION 0x190154 0x384 data
RT_VERSION 0x1904d8 0x384 data
RT_VERSION 0x19085c 0x384 data
RT_VERSION 0x190be0 0x384 data
RT_VERSION 0x190f64 0x384 data
RT_VERSION 0x1912e8 0x384 data
RT_VERSION 0x19166c 0x384 data
RT_VERSION 0x1919f0 0x384 data
RT_VERSION 0x191d74 0x384 data
RT_VERSION 0x1920f8 0x384 data
RT_VERSION 0x19247c 0x384 data
RT_VERSION 0x192800 0x384 data
Imports
DLL Import
kernel32.dll GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll GetForegroundWindow
ntprint.dll PSetupSelectDeviceButtons
version.dll VerQueryValueA
gdi32.dll UnrealizeObject
comctl32.dll ImageList_SetIconSize
oleaut32.dll VariantChangeTypeEx
kernel32.dll RaiseException
Sections
Name Virtual Address Virtual Size Raw Size Entropy
(unnamed) 0x1000 0x153000 0x4600 7.98945756036
(unnamed) 0x154000 0x1000 0x400 7.83865363724
(unnamed) 0x155000 0x1000 0x200 7.58564983137
(unnamed) 0x156000 0x37000 0x36800 7.99918501105
.rsrc 0x18d000 0x6000 0x5c00 3.93367409359
.data 0x193000 0x59000 0x22000 7.82172434208
.adata 0x1ec000 0x1000 0x0 0.0
Version Infos
Description Data
LegalCopyright (c) 2000-2010 Martin Prikryl
InternalName winscp
FileVersion 4.2.9.938
CompanyName Martin Prikryl
ReleaseType stable
LegalTrademarks
WWW http://winscp.net/
ProductName WinSCP
ProductVersion 4.2.9.0
FileDescription WinSCP: SFTP, FTP and SCP client
OriginalFilename winscp.exe
Possible Origin
Language of compilation system Country where language is spoken
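Worked example, added by the editor and not part of the sandbox output. The static table above leaves "Entrypoint Section" blank because the section at RVA 0x1000 has no name, and the remaining red flags (entropy close to 8.0 in the unnamed sections, a .adata section with no raw data, RELOCS_STRIPPED, a link timestamp in 1991 on a binary whose version resource claims copyright 2000-2010) are spread across several tables. The script below builds a minimal PE32 image that mirrors the reported header values (ImageBase 0x400000, entrypoint RVA 0x1000, timestamp 0x27E2A2D4, characteristics 0x818F, an unnamed first section, .rsrc and a zero-raw-size .adata), parses it with the standard library and runs the checks an analyst would run on the real file. Section contents are synthetic, and the entropy threshold (7.5) and the 1993 timestamp cut-off are the editor's choices.

```python
import datetime
import hashlib
import math
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pseudo_random(n: int, seed: bytes = b"constructed filler") -> bytes:
    """Deterministic high-entropy bytes standing in for packed code (constructed)."""
    out, blk = bytearray(), seed
    while len(out) < n:
        blk = hashlib.sha256(blk).digest()
        out += blk
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32 mirroring the reported headers; section bodies are synthetic."""
    secs = [  # (name, VirtualSize, raw bytes, Characteristics)
        ("", 0x153000, pseudo_random(0x1000), 0xE0000020),  # CODE|EXECUTE|READ|WRITE, unnamed
        (".rsrc", 0x6000, b"\0" * 0x200, 0x40000040),       # INITIALIZED_DATA|READ
        (".adata", 0x1000, b"", 0xC0000040),                # INITIALIZED_DATA|READ|WRITE, raw size 0
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x27E2A2D4, 0, 0, 0xE0, 0x818F)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0,             # PE32 magic
                      0x1000, 0x1000, 0x18D000, 0x400000).ljust(0xE0, b"\0")  # EP, code, data, base
    hdrs, body, va, raw_ptr = b"", b"", 0x1000, 0x400
    for name, vsize, raw, chars in secs:
        raw = raw.ljust(-(-len(raw) // 0x200) * 0x200, b"\0")          # FileAlignment 0x200
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                            len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
        va += -(-vsize // 0x1000) * 0x1000                              # SectionAlignment 0x1000
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(0x400, b"\0") + body


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields needed here and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    ep = struct.unpack_from("<I", data, opt + 16)[0]
    base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B   # PE32
            else struct.unpack_from("<Q", data, opt + 24)[0])             # PE32+
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": rsize, "entropy": entropy(data[rptr:rptr + rsize])})
    return {"timestamp": ts, "characteristics": chars, "entrypoint": ep,
            "image_base": base, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Section whose virtual range covers rva, or None (what the report left blank)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def triage(pe: dict) -> list:
    """Red flags of the kind visible in the static table above; thresholds are editorial."""
    flags = []
    ep = section_for_rva(pe, pe["entrypoint"])
    if ep is None:
        flags.append("entrypoint maps to no section")
    else:
        if ep["name"] == "":
            flags.append("entrypoint in unnamed section")
        if ep["entropy"] > 7.5:
            flags.append(f"entrypoint section entropy {ep['entropy']:.2f}: packed or encrypted code")
    for s in pe["sections"]:
        if s["raw_size"] == 0 and s["vsize"] > 0:
            flags.append(f"section {s['name'] or '(unnamed)'}: no raw data, {s['vsize']:#x} bytes virtual (runtime scratch)")
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        flags.append("RELOCS_STRIPPED: image only runs at its preferred base")
    year = datetime.datetime.fromtimestamp(pe["timestamp"], datetime.timezone.utc).year
    if year < 1993:
        flags.append(f"link timestamp {year} predates Windows NT: not a real build time")
    return flags


if __name__ == "__main__":
    for flag in triage(parse_pe(build_sample_pe())):
        print("-", flag)
```

To run the same checks on Hermes_.exe itself, replace build_sample_pe() with the file's bytes; the resource table (twenty RT_VERSION entries) and the WinSCP version strings are a separate check and are not parsed here.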

String Analysis

Formattings for printf style functions
String value Source
%SystemRoot%\System32\mswsock.dll Hermes_.exe
Ebp: %x Hermes_.exe
c30lO%EPX;1 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
|%SystemRoot%\system32\rsvpsp.dll Hermes_.exe
o#?0%pF ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Pw%n[w Hermes_.exe
n%fDF, ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
[.\ApiHooker.cpp(64)] Init: 0x%x %d %d %d %d ctfmon.exe, wscntfy.exe
Ebx: %x Hermes_.exe
%n Options\Hermes Hermes_.exe
- [%s] Hermes_.exe
%d.%d.%d.%d Hermes_.exe
NT 4.%u Hermes_.exe
Ecx: %x Hermes_.exe
c30%O<E_X:1xz 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
The procedure entry point %s could not be located in the dynamic link library %s Hermes_.exe
Assertion failed: %s, file %s, line %d Hermes_.exe
[%d: huff+mtf wscntfy.exe
s#y%PS UpgradeHelper.exe.dr
O%i; O ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
zwcW0%O<EMX01 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
$%e+.Nb ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Esp: %x Hermes_.exe
Code = [%d] Hermes_.exe
/y C%cE ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
k%NM*L ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
NT 3.%u Hermes_.exe
p,g%Sq wscntfy.exe
@2(YfU5iqi*%c ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
%Ph[7] Hermes_.exe
>=Q*pcV0lORE9XU1xz%XN ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Eip: %x Hermes_.exe
"I/%Sz/ ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Edi: %x Hermes_.exe
Edx: %x Hermes_.exe
[.\HermesCore.cpp(1971)] ProcessHandShakeMessage: %u %d explorer.exe
al\NtKernelProc.%u wscntfy.exe
0ZW0z%gI=%z 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
';%sW/!a8 wscntfy.exe
cDe%S7 ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
[.\HermesCore.cpp(746)] MainCoreLoop: App Type: %d IL: %d ctfmon.exe, wscntfy.exe
Global\NtKernelProc.%u Hermes_.exe, ctfmon.exe, explorer.exe, wscntfy.exe
2+%l-% ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
Esi: %x Hermes_.exe
lhaplpkbq%eiuw Hermes_.exe
%s.F@ 4V ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
%5%cgc=z UpgradeHelper.exe.dr
Eax: %x Hermes_.exe
The ordinal %u could not be located in the dynamic link library %s Hermes_.exe
6]G%Nw ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
u8%e.s ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
[.\HermesCore.cpp(1893)] PPM: %d explorer.exe
%S}n#>D UpgradeHelper.exe.dr
x],%dg ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
`H;5%ER ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
deb%s^ UpgradeHelper.exe.dr
DragDrop%lx Hermes_.exe
his=H%L UpgradeHelper.exe.dr
P6 (Model %d) Hermes_.exe
%XZN{,- wscntfy.exe
%SystemRoot%\system32\rsvpsp.dll Hermes_.exe
%SystemRoot%\System32\winrnr.dll Hermes_.exe
+%dd/2 ctfmon.exe, explorer.exe, wscntfy.exe, 37D9255C1CBC487F9CA1202E7C7AF6A4.dat.dr
%SystemRoot%\system32\mswsock.dll Hermes_.exe
URLs
String value Source
http://winscp.net/ UpgradeHelper.exe.dr
http://www.autoitscript.com/autoit3/ explorer.exe

Network Behavior

No network behavior found

Code Manipulation Behavior

User Modules
Hook Summary
Function Name Hook Type Active in Processes
CreateProcessW INLINE ctfmon.exe, wscntfy.exe, explorer.exe
CreateProcessA INLINE ctfmon.exe, wscntfy.exe, explorer.exe
CreateProcessAsUserW INLINE ctfmon.exe, wscntfy.exe, explorer.exe
CreateProcessAsUserA INLINE ctfmon.exe, wscntfy.exe, explorer.exe
Processes
Process: ctfmon.exe, Module: kernel32.dll
Function Name Hook Type New Data
CreateProcessW INLINE 0xE9 0x90 0x07 0x7F 0xF3 0x3F
CreateProcessA INLINE 0xE9 0x9B 0xBC 0xCF 0xF1 0x1F
Process: ctfmon.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CreateProcessAsUserW INLINE 0xE9 0x9C 0xC3 0x36 0x6F 0xF9
CreateProcessAsUserA INLINE 0xE9 0x96 0x6B 0xB0 0x0A 0xA9
Process: wscntfy.exe, Module: kernel32.dll
Function Name Hook Type New Data
CreateProcessW INLINE 0xE9 0x90 0x07 0x7F 0xF3 0x36
CreateProcessA INLINE 0xE9 0x9B 0xBC 0xCF 0xF1 0x16
Process: wscntfy.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CreateProcessAsUserW INLINE 0xE9 0x9C 0xC3 0x36 0x6F 0xF0
CreateProcessAsUserA INLINE 0xE9 0x96 0x6B 0xB0 0x0A 0xA0
Process: explorer.exe, Module: kernel32.dll
Function Name Hook Type New Data
CreateProcessW INLINE 0xE9 0x90 0x07 0x7F 0xF3 0x35
CreateProcessA INLINE 0xE9 0x9B 0xBC 0xCF 0xF1 0x15
Process: explorer.exe, Module: ADVAPI32.dll
Function Name Hook Type New Data
CreateProcessAsUserW INLINE 0xE9 0x9C 0xC3 0x36 0x6F 0xFF
CreateProcessAsUserA INLINE 0xE9 0x96 0x6B 0xB0 0x0A 0xAF
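Worked example, added by the editor and not part of the sandbox output. The hook table reports the first bytes of CreateProcessW/A and CreateProcessAsUserW/A in all three injected processes replaced by 0xE9 followed by a 32-bit displacement, i.e. a JMP rel32 written over the hot-patchable prologue. The script below decodes such a displacement, classifies the common prologue patches and diffs the observed bytes against a clean prologue. The clean reference (8B FF 55 8B EC, mov edi,edi / push ebp / mov ebp,esp) and the address assumed for kernel32!CreateProcessW (0x7C802336) are the editor's assumptions; the report lists no function addresses, so the computed target is illustrative only.

```python
import struct

# Standard hot-patchable prologue of Windows XP SP3 system exports:
# mov edi,edi / push ebp / mov ebp,esp. Used here as the clean reference; a real
# check reads the reference from the DLL on disk or from a known-good process.
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])

# First six bytes of kernel32!CreateProcessW in ctfmon.exe, exactly as listed above.
REPORTED_CREATEPROCESSW = bytes([0xE9, 0x90, 0x07, 0x7F, 0xF3, 0x3F])

# Assumed address of kernel32!CreateProcessW; the report does not list it.
ASSUMED_CREATEPROCESSW_VA = 0x7C802336


def classify_prologue(prologue: bytes) -> str:
    """Name the common inline-hook patches, or 'clean' / 'unknown'."""
    if not prologue:
        return "unknown"
    if prologue.startswith(CLEAN_PROLOGUE):
        return "clean"
    if prologue[0] == 0xE9:
        return "jmp-rel32"                    # E9 disp32
    if prologue[0] == 0xE8:
        return "call-rel32"                   # E8 disp32
    if prologue[:2] == b"\xFF\x25":
        return "jmp-indirect"                 # FF 25 [abs32]
    if prologue[0] == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:
        return "push-ret"                     # 68 imm32 / C3
    if prologue[0] == 0xCC:
        return "int3"                         # breakpoint-style hook
    return "unknown"


def decode_rel32(prologue: bytes) -> int:
    """Signed 32-bit displacement of an E9/E8 instruction at the function start."""
    if len(prologue) < 5 or prologue[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 branch")
    return struct.unpack("<i", prologue[1:5])[0]


def jump_target(func_va: int, prologue: bytes) -> int:
    """rel32 is relative to the next instruction, i.e. func_va + 5 (wraps at 32 bits)."""
    return (func_va + 5 + decode_rel32(prologue)) & 0xFFFFFFFF


def diff_prologue(expected: bytes, observed: bytes) -> list:
    """(offset, expected, observed) for every byte that differs."""
    n = min(len(expected), len(observed))
    return [(i, expected[i], observed[i]) for i in range(n) if expected[i] != observed[i]]


def check_export(name: str, func_va: int, observed: bytes, expected: bytes = CLEAN_PROLOGUE) -> dict:
    """One detector record per exported function."""
    kind = classify_prologue(observed)
    rec = {"function": name, "hook": kind, "diff": diff_prologue(expected, observed)}
    if kind in ("jmp-rel32", "call-rel32"):
        rec["target"] = jump_target(func_va, observed)
    return rec


if __name__ == "__main__":
    rec = check_export("CreateProcessW", ASSUMED_CREATEPROCESSW_VA, REPORTED_CREATEPROCESSW)
    print(rec["function"], rec["hook"], f"-> {rec['target']:#010x}", rec["diff"])
```

In a live check the observed bytes come from ReadProcessMemory on each process of interest and the reference from the mapped-from-disk copy of the same DLL; a branch whose target lies outside every loaded module (for instance in a privately allocated region such as the ones VirtualAllocEx created in explorer.exe below) is the result to act on.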

System Behavior

General
Start time: 09:39:48
Start date: 24/01/2012
Path: C:\Hermes_.exe
Wow64 process (32bit): false
Commandline: unknown
Imagebase: 0x400000
File size: 407040 bytes
MD5 hash: 20BE4F07F9A12C35463361A7212CA5FF

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\WINDOWS\explorer.exe read data or list directory and read ea and read attributes and read control and synchronize synchronous io non alert false success or wait 1 4030D8 NtOpenFile
Scsi0: read attributes and synchronize and generic read and generic write synchronous io non alert and non directory file true success or wait 1 5C70D8 CreateFileA
File Path Offset Length Value Completion Count Source Address Symbol
File Path Offset Length Value Completion Count Source Address Symbol
File Path Disposition Data Ascii Data Completion Count Source Address Symbol

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
\KnownDlls\kernel32.dll write and read and execute unknown 7C800000 1007616 own pid read write success or wait 1
unknown query and write and read and execute and extend size reserve 7C800000 1007616 own pid read write success or wait 1
\NLS\NlsSectionUnicode read unknown 260000 90112 own pid readonly success or wait 1
\NLS\NlsSectionLocale read unknown 280000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortkey query and read unknown 2D0000 266240 own pid readonly success or wait 1
\NLS\NlsSectionSortTbls read unknown 320000 24576 own pid readonly success or wait 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\NLS\NlsSectionSortkey00000409 read unknown unknown unknown unknown unknown object name not found 1
\KnownDlls\user32.dll write and read and execute unknown 7E410000 593920 own pid read write success or wait 1
\KnownDlls\GDI32.dll write and read and execute unknown 77F10000 299008 own pid read write success or wait 1
\KnownDlls\ntprint.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\ntprint.dll query and write and read and execute image 5F180000 98304 own pid read write success or wait 1
\KnownDlls\msvcrt.dll write and read and execute unknown 77C10000 360448 own pid read write success or wait 1
\KnownDlls\SHELL32.dll write and read and execute unknown 7C9C0000 8482816 own pid read write success or wait 1
\KnownDlls\ADVAPI32.dll write and read and execute unknown 77DD0000 634880 own pid read write success or wait 1
\KnownDlls\RPCRT4.dll write and read and execute unknown 77E70000 602112 own pid read write success or wait 1
\KnownDlls\Secur32.dll write and read and execute unknown 77FE0000 69632 own pid read write success or wait 1
\KnownDlls\SHLWAPI.dll write and read and execute unknown 77F60000 483328 own pid read write success or wait 1
\KnownDlls\SETUPAPI.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\setupapi.dll query and write and read and execute image 77920000 995328 own pid read write success or wait 1
\KnownDlls\WINSPOOL.DRV write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\winspool.drv query and write and read and execute image 73000000 155648 own pid read write success or wait 1
\KnownDlls\mscms.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\mscms.dll query and write and read and execute image 73B30000 86016 own pid read write success or wait 1
\KnownDlls\CRYPT32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\crypt32.dll query and write and read and execute image 77A80000 610304 own pid read write success or wait 1
\KnownDlls\MSASN1.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1
C:\WINDOWS\system32\msasn1.dll query and write and read and execute image 77B20000 73728 own pid read write success or wait 1
\KnownDlls\VERSION.dll write and read and execute unknown 77C00000 32768 own pid read write success or wait 1
\KnownDlls\comctl32.dll write and read and execute unknown 5D090000 630784 own pid read write success or wait 1
\KnownDlls\oleaut32.dll write and read and execute unknown 77120000 569344 own pid read write success or wait 1
\KnownDlls\ole32.dll write and read and execute unknown 774E0000 1302528 own pid read write success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 5F0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll write and read and execute commit 5F0000 110592 own pid execute success or wait 1
C:\WINDOWS\system32\imm32.dll query and write and read and execute image 76390000 118784 own pid read write success or wait 1
\NLS\NlsSectionCType read unknown A30000 12288 own pid readonly success or wait 1
C:\WINDOWS\system32\shell32.dll read commit A40000 8462336 own pid readonly success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll write and read and execute commit A40000 1056768 own pid execute success or wait 1
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll query and write and read and execute image 773D0000 1060864 own pid read write success or wait 1
C:\WINDOWS\WindowsShell.Manifest write and read and execute commit A40000 4096 own pid execute success or wait 1
C:\WINDOWS\WindowsShell.Manifest query and read commit A40000 4096 own pid readonly success or wait 1
C:\WINDOWS\WindowsShell.Manifest read commit A40000 4096 own pid readonly success or wait 1
C:\Hermes_.exe read commit A60000 409600 own pid readonly success or wait 1
C:\WINDOWS\system32\comctl32.dll read commit A80000 618496 own pid readonly success or wait 1
unknown query and write and read commit AB0000 20480 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\wsock32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 5E84B7
C:\WINDOWS\system32\wsock32.dll query and write and read and execute image 71AD0000 36864 own pid read write success or wait 1 5E84B7
\KnownDlls\WS2_32.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 5E84B7
C:\WINDOWS\system32\ws2_32.dll query and write and read and execute image 71AB0000 94208 own pid read write success or wait 1 5E84B7
\KnownDlls\WS2HELP.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 5E84B7
C:\WINDOWS\system32\ws2help.dll query and write and read and execute image 71AA0000 32768 own pid read write success or wait 1 5E84B7
\KnownDlls\MFC42.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1 AA033A
C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1 AA033A
\KnownDlls\MSVCP60.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 AA033A
C:\WINDOWS\system32\msvcp60.dll query and write and read and execute image 76080000 413696 own pid read write success or wait 1 AA033A
\KnownDlls\psapi.dll write and read and execute unknown unknown unknown unknown unknown object name not found 1 4021D4
C:\WINDOWS\system32\psapi.dll query and write and read and execute image 76BF0000 45056 own pid read write success or wait 1 4021D4

Registry Activities

Key Path Completion Count Source Address Symbol
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key NULL unicode success or wait 1 5BF5D5 RegSetValueA
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key unicode regfile success or wait 1 5BF636 RegSetValueExA
Key Path Name Completion Count Source Address Symbol

Mutex Activities

Name Completion Count Source Address Symbol

Process Activities

PID Process info class Completion Count Source Address Symbol
1552 ImageFileName success or wait 1 40221B GetProcessImageFileNameA
PID Filepath Completion Count Source Address Symbol
2332 C:\Hermes_.exe success or wait 1 40102D ExitProcess

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
4004 1552 7C8106F9 BA28C6 C:\WINDOWS\explorer.exe success or wait 1 402598 CreateRemoteThread
TID PID Path Completion Count Source Address Symbol
TID Delay Completion Count Source Address Symbol
2336 0s success or wait 44 4016A7 Sleep

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe … success or wait 1 402532 WriteProcessMemory
1552 C:\WINDOWS\explorer.exe C90000 305 00 00 00 00 00 00 BE 00 00 00 BA 00 00 60 03 00 01 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 40254A WriteProcessMemory
1552 C:\WINDOWS\explorer.exe … success or wait 1 40256A WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
2332 C:\Hermes_.exe A80000 12FF80 page execute and read and write success or wait 1 593186 VirtualAlloc
2332 C:\Hermes_.exe A80000 12FF48 page read and write success or wait 5 5E80CA VirtualAlloc
2332 C:\Hermes_.exe B30000 12FE08 page no access success or wait 1 5B63FC VirtualAlloc
2332 C:\Hermes_.exe B30000 12FDF8 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe B34000 12FE8C page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe A80000 12FEB4 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe A90000 12FEB4 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AA0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B3C000 12FE24 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe AB0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AC0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AD0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe AE0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B40000 12FE24 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe AF0000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B00000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B10000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C30000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C40000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C50000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C60000 12FEE0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B44000 12FEAC page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe C70000 12FF2C page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1DC page execute and read and write success or wait 2 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F0BC page execute and read and write success or wait 5 5D49DE VirtualAlloc
2332 C:\Hermes_.exe B44000 12FD68 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe B44000 12FD58 page read and write success or wait 1 5B65CE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1F0 page execute and read and write success or wait 1 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1CC page execute and read and write success or wait 21 5D49DE VirtualAlloc
2332 C:\Hermes_.exe C80000 12F1D8 page execute and read and write success or wait 4 5D49DE VirtualAlloc
1552 C:\WINDOWS\explorer.exe BA0000 12FC3C page execute and read and write success or wait 1 40246B VirtualAllocEx
1552 C:\WINDOWS\explorer.exe BE0000 12FC3C page execute and read and write success or wait 1 402480 VirtualAllocEx
1552 C:\WINDOWS\explorer.exe C90000 12FC3C page read and write success or wait 1 402493 VirtualAllocEx
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
Time Private Usage (mb) Workingset (mb) Page File Usage (mb)
09:39:49 2 4 2
09:39:50 2 4 2
09:39:54 3 5 3
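Worked example, added by the editor and not part of the sandbox output. The Thread and Memory Activities tables above record the injection into explorer.exe (PID 1552) as three VirtualAllocEx calls (two execute/read/write regions at BA0000 and BE0000 and one read/write region at C90000), a WriteProcessMemory of 305 bytes into C90000, and a CreateRemoteThread whose user-mode start address BA28C6 lies in the first RWX region. The script transcribes those rows, correlates them per target PID and parses the written buffer: its dwords at offsets 4 and 8 hold the two RWX bases and the ASCII string C:\Hermes_.exe starts at offset 17, so the buffer reads as a parameter block handed to the injected thread. The report gives no region sizes, so "region containing an address" is approximated by the nearest lower base; the two WriteProcessMemory rows elided from the report are not reconstructed, and the hex payload is the first 32 bytes of the row shown, with the rest zero as the report lists them.

```python
import struct

# Transcribed from the Memory/Thread Activities tables above (constructed record list).
# The written buffer is the 305-byte row at C90000: first 32 bytes as shown, rest 00.
EVENTS = [
    {"api": "VirtualAllocEx", "pid": 1552, "base": 0xBA0000, "prot": "page execute and read and write"},
    {"api": "VirtualAllocEx", "pid": 1552, "base": 0xBE0000, "prot": "page execute and read and write"},
    {"api": "VirtualAllocEx", "pid": 1552, "base": 0xC90000, "prot": "page read and write"},
    {"api": "WriteProcessMemory", "pid": 1552, "base": 0xC90000, "length": 305,
     "hex": "00 00 00 00 00 00 BE 00 00 00 BA 00 00 60 03 00 01 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00"},
    {"api": "CreateRemoteThread", "pid": 1552, "start": 0xBA28C6},
]


def row_bytes(ev: dict) -> bytes:
    """Rebuild the written buffer from the report's hex column, zero-padded to its length."""
    return bytes.fromhex(ev["hex"]).ljust(ev["length"], b"\0")


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in data + b"\0":                      # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def pointer_refs(data: bytes, bases: set) -> dict:
    """Offsets of 4-byte-aligned little-endian dwords equal to a known region base."""
    return {off: v for off in range(0, len(data) - 3, 4)
            for v in (struct.unpack_from("<I", data, off)[0],) if v in bases}


def region_for(addr: int, bases: list):
    """Nearest region base at or below addr (the report gives no region sizes)."""
    below = [b for b in bases if b <= addr]
    return max(below) if below else None


def correlate(events: list, pid: int) -> dict:
    """Group one target PID's remote-memory events into an injection chain."""
    ev = [e for e in events if e["pid"] == pid]
    allocs = {e["base"]: e["prot"] for e in ev if e["api"] == "VirtualAllocEx"}
    rwx = {b for b, p in allocs.items() if "execute" in p and "write" in p}
    result = {"pid": pid, "rwx_regions": sorted(rwx), "writes": [], "threads": []}
    for w in (e for e in ev if e["api"] == "WriteProcessMemory"):
        data = row_bytes(w)
        result["writes"].append({"base": w["base"], "strings": ascii_strings(data),
                                 "refs": pointer_refs(data, set(allocs))})
    for t in (e for e in ev if e["api"] == "CreateRemoteThread"):
        reg = region_for(t["start"], list(allocs))
        result["threads"].append({"start": t["start"], "region": reg, "in_rwx": reg in rwx})
    seen = [e["api"] for e in ev]
    steps = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
    idx = [seen.index(s) for s in steps if s in seen]   # first occurrence of each step
    result["classic_chain"] = len(idx) == 3 and idx == sorted(idx)
    return result


if __name__ == "__main__":
    summary = correlate(EVENTS, 1552)
    print("RWX regions:", [f"{b:#x}" for b in summary["rwx_regions"]])
    for w in summary["writes"]:
        print(f"write @ {w['base']:#x}: strings={w['strings']} refs={ {k: hex(v) for k, v in w['refs'].items()} }")
    for t in summary["threads"]:
        print(f"thread start {t['start']:#x} in region {t['region']:#x} (rwx={t['in_rwx']})")
    print("alloc -> write -> thread order:", summary["classic_chain"])
```

The Source Address column of the same rows (40246B to 402598) places every one of these calls inside the sample's own image, which is the strongest reason to treat the three allocations and the thread as one operation by Hermes_.exe rather than unrelated explorer.exe activity.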

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 1 403A68 CreateToolhelp32Snapshot

Timing Activities

Time Completion Count Source Address Symbol

Windows UI Activities

HWND Completion Count Source Address Symbol
10084 success 44 40167D NtUserGetForegroundWindow
90086 success 1 4016BD NtUserGetForegroundWindow

Chronological Activities

Operation Data Completion Time
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF80 Allocation Type: unknown Protection: page execute and read and write success or wait 533520825
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533531462
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533533103
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533551502
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533554664
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FF48 Allocation Type: unknown Protection: page read and write success or wait 533555820
Section loaded Path: \KnownDlls\wsock32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 533558367
Section loaded Path: C:\WINDOWS\system32\wsock32.dll Access: query and write and read and execute Type: image Baseaddress: 71AD0000 Size: 36864 Protection: read write Mapped to pid: own pid success or wait 533560807
Section loaded Path: \KnownDlls\WS2_32.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 533564249
Section loaded Path: C:\WINDOWS\system32\ws2_32.dll Access: query and write and read and execute Type: image Baseaddress: 71AB0000 Size: 94208 Protection: read write Mapped to pid: own pid success or wait 533566069
Section loaded Path: \KnownDlls\WS2HELP.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 533571098
Section loaded Path: C:\WINDOWS\system32\ws2help.dll Access: query and write and read and execute Type: image Baseaddress: 71AA0000 Size: 32768 Protection: read write Mapped to pid: own pid success or wait 533572942
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B30000 Length: 12FE08 Allocation Type: unknown Protection: page no access success or wait 533581123
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B30000 Length: 12FDF8 Allocation Type: unknown Protection: page read and write success or wait 533581401
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B34000 Length: 12FE8C Allocation Type: unknown Protection: page read and write success or wait 533652737
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A80000 Length: 12FEB4 Allocation Type: unknown Protection: page execute and read and write success or wait 533710483
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: A90000 Length: 12FEB4 Allocation Type: unknown Protection: page execute and read and write success or wait 533710924
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AA0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533711707
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B3C000 Length: 12FE24 Allocation Type: unknown Protection: page read and write success or wait 533712040
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AB0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533712383
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AC0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533712707
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AD0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533713029
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AE0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533713402
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B40000 Length: 12FE24 Allocation Type: unknown Protection: page read and write success or wait 533713815
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: AF0000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533714247
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B00000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533714612
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B10000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533714934
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C30000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533715258
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C40000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533715649
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C50000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533715973
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C60000 Length: 12FEE0 Allocation Type: unknown Protection: page execute and read and write success or wait 533716296
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FEAC Allocation Type: unknown Protection: page read and write success or wait 533717174
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C70000 Length: 12FF2C Allocation Type: unknown Protection: page execute and read and write success or wait 533717480
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown Protection: page execute and read and write success or wait 533717860
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533718230
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FD68 Allocation Type: unknown Protection: page read and write success or wait 533718532
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533721669
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533722050
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: B44000 Length: 12FD58 Allocation Type: unknown Protection: page read and write success or wait 533722356
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533725522
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F0BC Allocation Type: unknown Protection: page execute and read and write success or wait 533725969
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1F0 Allocation Type: unknown Protection: page execute and read and write success or wait 533726379
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533726750
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533727093
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533727433
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533728577
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533728969
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533729314
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533731089
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533731434
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533731774
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533732114
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533732452
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533732796
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533733338
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533733681
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533734022
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533734362
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533734700
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533735042
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533735469
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533735812
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533736151
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533736492
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533736829
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1D8 Allocation Type: unknown Protection: page execute and read and write success or wait 533737171
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1DC Allocation Type: unknown Protection: page execute and read and write success or wait 533755644
Memory allocated PID: 2332 Path: C:\Hermes_.exe Base: C80000 Length: 12F1CC Allocation Type: unknown Protection: page execute and read and write success or wait 533756049
File opened Path: Scsi0: Access: read attributes and synchronize and generic read and generic write Options: synchronous io non alert and non directory file Attributes: none Content Overwritten: true success or wait 533944177
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: NULL Type: unicode Data: Old data: success or wait 534022596
Key value replaced with new Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key Name: Type: unicode Data: regfile Old data: success or wait 534027752
Foreground Window Got HWND: 10084 success 534051990
Thread delayed Time: 0 TID: 2336 success or wait 534053095
Foreground Window Got HWND: 10084 success 534447209
Thread delayed Time: 0 TID: 2336 success or wait 534447548
Foreground Window Got HWND: 10084 success 534835880
Thread delayed Time: 0 TID: 2336 success or wait 534836181
Foreground Window Got HWND: 10084 success 535227411
Thread delayed Time: 0 TID: 2336 success or wait 535227655
Foreground Window Got HWND: 10084 success 535618895
Thread delayed Time: 0 TID: 2336 success or wait 535619139
Foreground Window Got HWND: 10084 success 536010676
Thread delayed Time: 0 TID: 2336 success or wait 536010938
Foreground Window Got HWND: 10084 success 536404860
Thread delayed Time: 0 TID: 2336 success or wait 536405120
Foreground Window Got HWND: 10084 success 536796514
Thread delayed Time: 0 TID: 2336 success or wait 536796818
Foreground Window Got HWND: 10084 success 537184965
Thread delayed Time: 0 TID: 2336 success or wait 537185270
Foreground Window Got HWND: 10084 success 537576609
Thread delayed Time: 0 TID: 2336 success or wait 537576853
Foreground Window Got HWND: 10084 success 537970784
Thread delayed Time: 0 TID: 2336 success or wait 537971076
Foreground Window Got HWND: 10084 success 538361805
Thread delayed Time: 0 TID: 2336 success or wait 538362048
Foreground Window Got HWND: 10084 success 538751083
Thread delayed Time: 0 TID: 2336 success or wait 538751330
Foreground Window Got HWND: 10084 success 539142565
Thread delayed Time: 0 TID: 2336 success or wait 539142907
Foreground Window Got HWND: 10084 success 539535872
Thread delayed Time: 0 TID: 2336 success or wait 539536221
Foreground Window Got HWND: 10084 success 539925698
Thread delayed Time: 0 TID: 2336 success or wait 539925963
Foreground Window Got HWND: 10084 success 540317423
Thread delayed Time: 0 TID: 2336 success or wait 540317667
Foreground Window Got HWND: 10084 success 540708680
Thread delayed Time: 0 TID: 2336 success or wait 540708925
Foreground Window Got HWND: 10084 success 541100731
Thread delayed Time: 0 TID: 2336 success or wait 541100986
Foreground Window Got HWND: 10084 success 541491648
Thread delayed Time: 0 TID: 2336 success or wait 541493527
Foreground Window Got HWND: 10084 success 541883110
Thread delayed Time: 0 TID: 2336 success or wait 541883492
Foreground Window Got HWND: 10084 success 542274427
Thread delayed Time: 0 TID: 2336 success or wait 542274674
Foreground Window Got HWND: 10084 success 542668297
Thread delayed Time: 0 TID: 2336 success or wait 542668543
Foreground Window Got HWND: 10084 success 543065083
Thread delayed Time: 0 TID: 2336 success or wait 543067934
Foreground Window Got HWND: 10084 success 543449522
Thread delayed Time: 0 TID: 2336 success or wait 543449785
Foreground Window Got HWND: 10084 success 543840731
Thread delayed Time: 0 TID: 2336 success or wait 543841069
Foreground Window Got HWND: 10084 success 544232184
Thread delayed Time: 0 TID: 2336 success or wait 544232482
Foreground Window Got HWND: 10084 success 544623719
Thread delayed Time: 0 TID: 2336 success or wait 544623963
Foreground Window Got HWND: 10084 success 545015261
Thread delayed Time: 0 TID: 2336 success or wait 545015507
Foreground Window Got HWND: 10084 success 545407198
Thread delayed Time: 0 TID: 2336 success or wait 545407443
Foreground Window Got HWND: 10084 success 545798831
Thread delayed Time: 0 TID: 2336 success or wait 545799099
Foreground Window Got HWND: 10084 success 546189820
Thread delayed Time: 0 TID: 2336 success or wait 546190498
Foreground Window Got HWND: 10084 success 546584983
Thread delayed Time: 0 TID: 2336 success or wait 546585286
Foreground Window Got HWND: 10084 success 546977775
Thread delayed Time: 0 TID: 2336 success or wait 546980356
Foreground Window Got HWND: 10084 success 547364291
Thread delayed Time: 0 TID: 2336 success or wait 547364534
Foreground Window Got HWND: 10084 success 547756961
Thread delayed Time: 0 TID: 2336 success or wait 547757205
Foreground Window Got HWND: 10084 success 548147454
Thread delayed Time: 0 TID: 2336 success or wait 548147703
Foreground Window Got HWND: 10084 success 548541427
Thread delayed Time: 0 TID: 2336 success or wait 548541767
Foreground Window Got HWND: 10084 success 548930338
Thread delayed Time: 0 TID: 2336 success or wait 548930637
Foreground Window Got HWND: 10084 success 549321870
Thread delayed Time: 0 TID: 2336 success or wait 549322114
Foreground Window Got HWND: 10084 success 549713362
Thread delayed Time: 0 TID: 2336 success or wait 549713605
Foreground Window Got HWND: 10084 success 550105074
Thread delayed Time: 0 TID: 2336 success or wait 550105316
Foreground Window Got HWND: 10084 success 550496522
Thread delayed Time: 0 TID: 2336 success or wait 550496787
Foreground Window Got HWND: 10084 success 550887956
Thread delayed Time: 0 TID: 2336 success or wait 550890563
Foreground Window Got HWND: 90086 success 551279472
Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 551285471
Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 551290299
Section loaded Path: \KnownDlls\MSVCP60.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 551428776
Section loaded Path: C:\WINDOWS\system32\msvcp60.dll Access: query and write and read and execute Type: image Baseaddress: 76080000 Size: 413696 Protection: read write Mapped to pid: own pid success or wait 551430533
System info queried Type: ProcessInformation success or wait 551442671
Section loaded Path: \KnownDlls\psapi.dll Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 551495209
Section loaded Path: C:\WINDOWS\system32\psapi.dll Access: query and write and read and execute Type: image Baseaddress: 76BF0000 Size: 45056 Protection: read write Mapped to pid: own pid success or wait 551497119
Process information queried PID: 1552 Info Class: ImageFileName success or wait 551501084
File opened Path: C:\WINDOWS\explorer.exe Access: read data or list directory and read ea and read attributes and read control and synchronize Options: synchronous io non alert Overwritten: false success or wait 551502172
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 12FC3C Allocation Type: unknown Protection: page execute and read and write success or wait 551505918
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 12FC3C Allocation Type: unknown Protection: page execute and read and write success or wait 551506221
Memory allocated PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 12FC3C Allocation Type: unknown Protection: page read and write success or wait 551506510
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BA0000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 559385601
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: C90000 Length: 305 Value: 00 00 00 00 00 00 BE 00 00 00 BA 00 00 60 03 00 01 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 559423387
Memory written PID: 1552 Path: C:\WINDOWS\explorer.exe Base: BE0000 Length: 221184 Value: 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 559435803
Thread created PID: 1552 TID: 4004 EIP: 7C8106F9 EAX: BA28C6 Imagepath: C:\WINDOWS\explorer.exe success or wait 559446958
Process terminated PID: 2332 Path: C:\Hermes_.exe success or wait 559450681
General
Start time: 09:39:54
Start date: 24/01/2012
Path: C:\WINDOWS\explorer.exe
Wow64 process (32bit): false
Commandline: C:\WINDOWS\Explorer.EXE
Imagebase: 0x1000000
File size: 1033728 bytes
MD5 hash: 12896823FB95BFB3DC9B46BCAEDC9923

File Activities

File Path Access Options Content overwritten Completion Count Source Address Symbol
C:\WINDOWS\system32\ctfmon.exe read data or list directory and read ea and read attributes and read control and synchronize synchronous io non alert false success or wait 1 BA30D8 NtOpenFile
C:\WINDOWS\system32\wscntfy.exe read data or list directory and read ea and read attributes and read control and synchronize synchronous io non alert false success or wait 1 BA30D8 NtOpenFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp read attributes and synchronize and generic write synchronous io non alert and non directory file true success or wait 11 D72204 CreateFileA
C:\Hermes_.exe read attributes and synchronize and generic read synchronous io non alert and non directory file true success or wait 1 D7217D CreateFileA
File Path Access Attributes Options Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1 D80C4C GetTempFileNameA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LM73.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1 D80C4C GetTempFileNameA
C:\Documents and Settings\Administrator\Application Data\TeamViewer read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D755F9 CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE} read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D75636 CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 D72204 CreateFileA
C:\Documents and Settings\Administrator\Application Data\Dropbox read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D74CB2 CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031} read data or list directory and synchronize normal directory file and synchronous io non alert and open for backup ident success or wait 1 D74CEF CreateDirectoryA
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe read attributes and synchronize and generic write normal synchronous io non alert and non directory file success or wait 1 D72204 CreateFileA
File Path Completion Count Source Address Symbol
C:\Hermes_.exe cannot delete 1 D74A08 DeleteFileA
C:\Hermes_.exe success or wait 1 D74A08 DeleteFileA
File Path Offset Length Value Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 374 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 127 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0F 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 09 0B 0F 17 63 1E 73 5F 57 50 7D 51 4C 5B 72 51 51 4E 04 1E 7C 4B 57 52 5A 04 1E 0B 0E 0F 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 success or wait 1 D7223A WriteFile
C:\Documents and Settings\Administrator\Application Data\TeamViewer\{D6406A80-0F4F-4C22-B5BA-6201426F8DCE}\37D9255C1CBC487F9CA1202E7C7AF6A4.dat unknown 407040 1C 20 20 63 54 30 6C 4F 56 45 36 58 AA CE 78 7A DD 58 4E 30 5A 57 30 7A 0D 67 27 3D 51 7A 70 63 56 30 6C 4F 52 45 39 58 55 31 78 7A 65 58 4E 30 5A 57 30 7A 4D 67 3D 3D 51 7A 70 63 56 31 6C 4F E8 55 39 56 4A 85 71 B7 44 E0 4F 7C 97 76 A0 EA 19 0F 54 4E 71 0A 02 0C 31 42 0D 22 72 28 4C 2B 21 11 1A 1F success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 148 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0D 07 04 0B 09 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0C 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 08 08 0C 17 63 1E 79 5B 4A 7F 4B 4A 51 6C 4B 50 68 5F 52 4B 5B 70 5F 53 5B 04 1E 6B 50 5F 5C 52 5B 1E 4A 51 1E 4F 4B 5B 4C 47 1E success or wait 1 D7223A WriteFile
C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe unknown 407040 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0E 63 04 65 07 07 09 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 135 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 07 09 0F 17 63 1E 6E 4C 51 5D 5B 4D 4D 76 5F 50 5A 6D 56 5F 55 5B 73 5B 4D 4D 5F 59 5B 04 1E 0F 09 0C 06 1E 0C 63 04 65 0F 06 0D success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0B 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 396 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 08 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0E 63 04 65 07 07 09 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 135 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 07 09 0F 17 63 1E 6E 4C 51 5D 5B 4D 4D 76 5F 50 5A 6D 56 5F 55 5B 73 5B 4D 4D 5F 59 5B 04 1E 0F 07 0C 0A 1E 0C 63 04 65 0F 06 0D success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 110 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 76 5B 4C 53 5B 4D 7D 51 4C 5B 10 5D 4E 4E 16 0F 06 07 0D 17 63 1E 6E 6E 73 04 1E 0B 63 04 65 0F 06 0D 63 04 65 7D 04 62 69 77 70 7A 71 69 6D 62 7B 46 4E 52 51 4C 5B 4C 10 7B 66 success or wait 1 D7223A WriteFile
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp unknown 399 65 0C 0E 0F 0C 13 0E 0F 13 0C 0A 1E 0E 07 04 0A 0E 04 0F 06 63 04 65 0F 63 04 65 0F 10 0C 0A 63 04 65 0A 63 04 65 65 10 62 7F 4E 57 76 51 51 55 5B 4C 10 5D 4E 4E 16 08 0A 17 63 1E 77 50 57 4A 04 1E 0E 46 09 5D 06 0E 0E 0E 0E 0E 1E 0F 1E 0F 1E 0F 1E 0F 63 04 65 0E 63 04 65 7D 04 62 69 77 70 7A 71 69 success or wait 1 D7223A WriteFile
File Path Offset Length Value Completion Count Source Address Symbol
C:\Hermes_.exe unknown 407040 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73 74 20 62 65 success or wait 1 D721B4 ReadFile
File Path Disposition Data Ascii Data Completion Count Source Address Symbol
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 0 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 374 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 501 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 649 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 759 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 894 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1004 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1400 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1510 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1645 success or wait 1 D72225 SetFilePointer
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~LC72.tmp PositionInformation Offset: 1755 success or wait 1 D72225 SetFilePointer

Section Activities

File Path Access Type Base Size Mapped to pid Protection Completion Count
C:\WINDOWS\system32\xpsp1res.dll query and read commit D30000 188416 own pid readonly success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
unknown query and write and read commit E00000 16384 own pid read write success or wait 1
File Path Access Type Base Size Mapped to pid Protection Completion Count Source Address
\KnownDlls\MFC42.DLL write and read and execute unknown unknown unknown unknown unknown object name not found 1 BA46BE
C:\WINDOWS\system32\mfc42.dll query and write and read and execute image 73DD0000 987136 own pid read write success or wait 1 BA46BE

Registry Activities

Key Path Name Type Data Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrId dword 114 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrMask dword 62 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainId dword 115 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainMask dword 126 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage CustomBarMenu binary 12 40 2C 27 39 53 19 22 37 2B 4D 2B 75 50 16 1E 45 0B 2B 44 2E 3E 5E 1D 3E 3B 7C 59 3C 13 1E 0A 25 44 1E 2E 26 2A 4B 04 14 41 08 16 0C 3B 2F 44 33 38 5E 5A 09 06 49 5C 0D 2E 15 02 3B 66 05 2A 25 20 4B 04 2E 75 4E 4E 55 6E 0F 08 6A 7A 00 3C 79 21 10 09 12 48 42 4E 14 05 2E 0E 7F 73 0B 68 64 05 4A 4C 23 60 0A 73 1F 2A 6C 49 7A 23 04 0F 64 4F 33 52 15 72 2F 7B 6A 72 7F 61 16 70 49 48 55 6A 0B 07 19 60 71 3C 7B 26 09 13 35 1B 04 success or wait 1 D75288 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFile dword 3 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFolder dword 18 success or wait 1 D80016 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run UpgradeHelper unicode C:\Documents and Settings\Administrator\Application Data\Dropbox\{21AB3907-285B-4A96-BD2E-D17684D28031}\UpgradeHelper.exe success or wait 1 D7FEC0 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMenuMask dword 77654 success or wait 1 BA1565 RegSetValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartProcIrq dword 6 success or wait 1 D80016 RegSetValueExA
Key Path Name Completion Count Source Address Symbol
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMenuMask object name not found 1 BA1426 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage AdvancedImages object name not found 1 D7FF75 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrId object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartCurrMask object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainId object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced StartMainMask object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFile object name not found 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced PersistFile success or wait 1 D7FF43 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run UpgradeHelper buffer overflow 4 D7FEE9 RegQueryValueExA
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage ModulesCache object name not found 1 D7FF75 RegQueryValueExA

Mutex Activities

Name Completion Count Source Address Symbol
\BaseNamedObjects\Global\NtKernelProc.1552 success or wait 1 BA2CF8 CreateMutexA
\BaseNamedObjects\Global\NtKernelTrusted success or wait 1 D74595 CreateMutexA
\BaseNamedObjects\NtKernelInjLock success or wait 88 BA2BAA CreateMutexA
\BaseNamedObjects\Global\NtSys32AutoLock success or wait 1 D7ABD9 CreateMutexA

Process Activities

PID Process info class Completion Count Source Address Symbol
1552 Wow64Information success or wait 1 D72835 IsWow64Process
1728 ImageFileName success or wait 1 BA221B GetProcessImageFileNameA
1924 ImageFileName success or wait 1 BA221B GetProcessImageFileNameA

Thread Activities

TID PID EIP EAX (Usermode EIP) Filepath Completion Count Source Address Symbol
4020 1552 7C8106F9 D74458 C:\WINDOWS\explorer.exe success or wait 1 D74364 CreateThread
4024 1552 7C8106F9 BA2B47 C:\WINDOWS\explorer.exe success or wait 1 BA2AFC CreateThread
484 1552 7C8106F9 D75D48 C:\WINDOWS\explorer.exe success or wait 1 D75D0F CreateThread
988 1552 7C8106F9 D879B3 C:\WINDOWS\explorer.exe success or wait 1 D878FB CreateThread
3052 1728 7C8106F9 D628C6 C:\WINDOWS\system32\ctfmon.exe success or wait 1 BA2598 CreateRemoteThread
3080 1552 7C8106F9 D87FBA C:\WINDOWS\explorer.exe success or wait 1 D87BCB CreateThread
3560 1924 7C8106F9 AE28C6 C:\WINDOWS\system32\wscntfy.exe success or wait 1 BA2598 CreateRemoteThread
3580 1552 7C8106F9 D87FBA C:\WINDOWS\explorer.exe success or wait 1 D87BCB CreateThread
TID PID Path Completion Count Source Address Symbol
3080 1552 C:\WINDOWS\explorer.exe success or wait 1 D87C7B ResumeThread
3580 1552 C:\WINDOWS\explorer.exe success or wait 1 D87C7B ResumeThread
TID Delay Completion Count Source Address Symbol
4024 -1s success or wait 89 BA27F4 Sleep
4024 -10s success or wait 4 BA2804 Sleep

Memory Activities

PID Filepath Base Length Value Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe 7C80236B 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
1552 C:\WINDOWS\explorer.exe 7C802336 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
1552 C:\WINDOWS\explorer.exe 77E10CE8 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
1552 C:\WINDOWS\explorer.exe 77DEA8A9 5 8B FF 55 8B EC success or wait 1 D710D5 ReadProcessMemory
PID Filepath Base Length Value Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe 7C80236B 5 E9 BC F1 56 84 success or wait 1 D7110E WriteProcessMemory
1552 C:\WINDOWS\explorer.exe 7C802336 5 E9 07 F3 56 84 success or wait 1 D7110E WriteProcessMemory
1552 C:\WINDOWS\explorer.exe 77E10CE8 5 E9 6B 0A F6 88 success or wait 1 D7110E WriteProcessMemory
1552 C:\WINDOWS\explorer.exe 77DEA8A9 5 E9 C3 6F F8 88 success or wait 1 D7110E WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe D60000 221184 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F8 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 F4 F4 54 AA B0 95 3A F9 B0 95 3A F9 B0 95 3A F9 CB 89 36 F9 B3 95 3A F9 33 9D 67 F9 B4 95 3A F9 33 89 34 F9 B3 95 3A F9 DF 8A 3E F9 B4 95 3A F9 B0 95 3B F9 C6 95 3A F9 86 B3 3E F9 B3 95 3A F9 86 B3 30 F9 B7 95 3A F9 86 B3 31 F9 BD 95 3A F9 77 93 3C F9 B1 95 3A F9 52 69 63 68 B0 95 3A F9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 05 success or wait 1 BA2532 WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe A30000 305 00 00 00 00 00 00 DA 00 00 00 D6 00 00 60 03 00 00 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 BA254A WriteProcessMemory
1728 C:\WINDOWS\system32\ctfmon.exe … success or wait 1 BA256A WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe … success or wait 1 BA2532 WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe B60000 305 00 00 00 00 00 00 B2 00 00 00 AE 00 00 60 03 00 00 43 3A 5C 48 65 72 6D 65 73 5F 2E 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 success or wait 1 BA254A WriteProcessMemory
1924 C:\WINDOWS\system32\wscntfy.exe … success or wait 1 BA256A WriteProcessMemory
PID Filepath Base Length Protection Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe 30C8000 D6FB6C page read and write success or wait 1 BA5200 malloc
1552 C:\WINDOWS\explorer.exe 39F0000 D6FD00 page read and write success or wait 1 BA5200 malloc
1552 C:\WINDOWS\explorer.exe D70000 D6FE5C page read and write success or wait 1 BA4999 VirtualAlloc
1552 C:\WINDOWS\explorer.exe CA0000 D6FE1C page read and write success or wait 1 D9AC87 HeapCreate
1552 C:\WINDOWS\explorer.exe CA0000 D6FE20 page read and write success or wait 1 D9AC87 HeapCreate
1552 C:\WINDOWS\explorer.exe CA1000 D6FAFC page read and write success or wait 1 D9AC87 HeapCreate
1552 C:\WINDOWS\explorer.exe CB0000 D6FE28 page execute and read and write success or wait 1 D710AD VirtualAlloc
1552 C:\WINDOWS\explorer.exe DD0000 D6FE28 page execute and read and write success or wait 1 D710AD VirtualAlloc
1552 C:\WINDOWS\explorer.exe DE0000 D6FE08 page execute and read and write success or wait 1 D710AD VirtualAlloc
1552 C:\WINDOWS\explorer.exe DF0000 D6FE00 page execute and read and write success or wait 1 D710AD VirtualAlloc
1728 C:\WINDOWS\system32\ctfmon.exe D60000 199FCA8 page execute and read and write success or wait 1 BA246B VirtualAllocEx
1728 C:\WINDOWS\system32\ctfmon.exe DA0000 199FCA8 page execute and read and write success or wait 1 BA2480 VirtualAllocEx
1728 C:\WINDOWS\system32\ctfmon.exe A30000 199FCA8 page read and write success or wait 1 BA2493 VirtualAllocEx
1924 C:\WINDOWS\system32\wscntfy.exe AE0000 199FCA8 page execute and read and write success or wait 1 BA246B VirtualAllocEx
1924 C:\WINDOWS\system32\wscntfy.exe B20000 199FCA8 page execute and read and write success or wait 1 BA2480 VirtualAllocEx
1924 C:\WINDOWS\system32\wscntfy.exe B60000 199FCA8 page read and write success or wait 1 BA2493 VirtualAllocEx
PID Filepath Base Length New Protection Old Protection Completion Count Source Address Symbol
1552 C:\WINDOWS\explorer.exe D71000 3A000 page execute read page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DAB000 C000 page readonly page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DB7000 3000 page read and write page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DBC000 1000 page readonly page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe DBD000 5000 page readonly page read and write success or wait 1 BA48A0 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C80236B 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C80236B 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C802336 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 7C802336 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77E10CE8 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77E10CE8 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77DEA8A9 1000 page execute and read and write page execute read success or wait 1 D710C2 VirtualProtect
1552 C:\WINDOWS\explorer.exe 77DEA8A9 1000 page execute read page execute and read and write success or wait 1 D71122 VirtualProtect
Time Private Usage (MB) Working Set (MB) Page File Usage (MB)
09:39:54 20 28 20
09:39:55 20 34 20
09:39:56 23 38 23
09:39:57 22 37 22
09:39:58 22 37 22
09:40:01 22 37 22
09:40:15 23 37 23
09:40:16 23 37 23
09:40:18 23 37 23
09:40:33 23 36 23
09:40:37 23 36 23

System Activities

System info class Completion Count Source Address Symbol
ProcessInformation success or wait 4 BA3A68 CreateToolhelp32Snapshot

Windows UI Activities

Desktop HWND Parent HWND Enum Children TID Window Handles Completion Count Source Address Symbol
0 0 false 0 2003E, 20044, 90086, 900A4, 10076, 10074, 10082, 10070, 3004E, 900A8, 90098, 1008E, 160148, E0128, 170114 success or wait 5 1002587 EnumWindows
HWND Message LParam WParam Completion Count Source Address Symbol
TID Message LParam WParam Completion Count Source Address Symbol
0 464 0 0 error 2 D7382F PostThreadMessageA
FB4 467 1728 2 success 1 D7B200 PostThreadMessageA
FB4 467 1924 2 success 1 D7B200 PostThreadMessageA

Chronological Activities

Operation Data Completion Time
Section loaded Path: \KnownDlls\MFC42.DLL Access: write and read and execute Type: unknown Baseaddress: unknown Size: unknown Protection: unknown Mapped to pid: unknown object name not found 559448059
Section loaded Path: C:\WINDOWS\system32\mfc42.dll Access: query and write and read and execute Type: image Baseaddress: 73DD0000 Size: 987136 Protection: read write Mapped to pid: own pid success or wait 559448692