Joebox - Abstract Analysis File: 3629
General information
Joebox version: 1.5.5
Start time: 12:35:59
Start date: 09/04/2010
Overall analysis duration: 0h 4m 54s
Target binary file name: TDSS.new.b.exe
Target script file name: xpvistaw7.jbs
Avira scanner version: 7.10.4.41 - FUP(0), created 02/11/2010
Avira label: no label
Errors:
    Number of runs: 3
    Number of new started processes analysed: 1
    Number of new started drivers analysed: 1
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Calling statistics
    NtCreateFile 10
    NtOpenFile 17
    NtDeleteFile 0
    NtSetInformationFile 6
    NtCreateIoCompletion 2
    NtRemoveIoCompletion 0
    NtSetIoCompletion 0
    NtAreMappedFilesTheSame 0
    NtCancelIoFile 0
    NtCreateNamedPipeFile 0
    NtFlushBuffersFile 0
    NtFsControlFile 582
    NtLockFile 0
    NtOpenDirectoryObject 3
    NtQueryAttributesFile 9
    NtQueryDirectoryFile 0
    NtQueryFullAttributesFile 0
    NtQueryInformationFile 14
    NtQueryVolumeInformationFile 11
    NtReadFile 3
    NtUnlockFile 0
    NtUnmapViewOfSection 6
    NtWriteFile 12
    NtCloseObjectAuditAlarm 0
    NtClose 114
    NtDeleteObjectAuditAlarm 0
    NtCreateSection 10
    NtOpenSection 23
    NtMapViewOfSection 31
    NtQuerySection 24
    NtMakeTemporaryObject 0
    NtCreateKey 4
    NtOpenKey 26
    NtRenameKey 0
    NtDeleteKey 0
    NtDeleteValueKey 0
    NtSetValueKey 3
    NtEnumerateKey 2
    NtEnumerateValueKey 1
    NtFlushKey 0
    NtNotifyChangeKey 0
    NtQueryKey 2
    NtQueryValueKey 30
    NtSetInformationKey 0
    NtCreateProcess 0
    NtCreateProcessEx 0
    NtTerminateProcess 2
    NtFlushInstructionCache 86
    NtOpenProcess 0
    NtOpenProcessToken 3
    NtOpenProcessTokenEx 1
    NtReadVirtualMemory 0
    NtWriteVirtualMemory 0
    NtAllocateVirtualMemory 38
    NtFlushVirtualMemory 2
    NtFreeVirtualMemory 13
    NtLockVirtualMemory 0
    NtProtectVirtualMemory 57
    NtQueryInformationProcess 53
    NtQueryVirtualMemory 1
    NtSetInformationProcess 1
    NtSuspendProcess 0
    NtCreateThread 1
    NtGetContextThread 0
    NtSetContextThread 0
    NtQueueApcThread 0
    NtAlertThread 2
    NtDelayExecution 0
    NtImpersonateThread 0
    NtOpenThread 0
    NtOpenThreadToken 1
    NtOpenThreadTokenEx 5
    NtQueryInformationThread 1
    NtRegisterThreadTerminatePort 2
    NtResumeThread 1
    NtSetInformationThread 8
    NtSuspendThread 0
    NtTerminateThread 0
    NtYieldExecution 0
    NtAcceptConnectPort 0
    NtCompleteConnectPort 0
    NtConnectPort 1
    NtCreatePort 0
    NtImpersonateClientOfPort 0
    NtReplyPort 0
    NtReplyWaitReceivePort 0
    NtReplyWaitReceivePortEx 0
    NtRequestPort 0
    NtRequestWaitReplyPort 2
    NtSecureConnectPort 1
    NtReadRequestData 0
    NtWriteRequestData 0
    NtAccessCheck 2
    NtAccessCheckAndAuditAlarm 0
    NtAccessCheckByType 0
    NtAdjustPrivilegesToken 0
    NtAllocateLocallyUniqueId 0
    NtQuerySecurityObject 0
    NtSetSecurityObject 0
    NtAddAtom 2
    NtFindAtom 0
    NtDeleteAtom 0
    NtQueryInformationAtom 0
    NtOpenKeyedEvent 1
    NtCreateKeyedEvent 1
    NtOpenEvent 1
    NtQueryEvent 0
    NtCreateEvent 13
    NtSetEvent 4
    NtSetEventBoostPriority 1
    NtOpenMutant 0
    NtCreateMutant 1
    NtCreateSemaphore 3
    NtReleaseSemaphore 0
    NtReleaseMutant 1
    NtCreateTimer 3
    NtCancelTimer 0
    NtSetTimer 1
    NtDeviceIoControlFile 2
    NtLoadDriver 0
    NtUnloadDriver 0
    NtDuplicateObject 2
    NtOpenObjectAuditAlarm 0
    NtDuplicateToken 2
    NtImpersonateAnonymousToken 0
    NtQueryInformationToken 2
    NtGetPlugPlayEvent 0
    NtPlugPlayControl 0
    NtOpenSymbolicLinkObject 1
    NtQuerySymbolicLinkObject 1
    NtQueryDirectoryObject 0
    NtQueryDebugFilterState 22
    NtQueryDefaultLocale 3
    NtQueryDefaultUILanguage 4
    NtQueryInstallUILanguage 1
    NtQueryInformationJobObject 0
    NtQueryObject 1
    NtQueryPerformanceCounter 23
    NtQuerySystemInformation 12
    NtQuerySystemTime 4
    NtQueryTimerResolution 0
    NtRaiseException 0
    NtRaiseHardError 0
    NtSetInformationObject 4
    NtSetSystemInformation 2
    NtShutdownSystem 0
    NtSystemDebugControl 0
    NtTestAlert 2
    NtWaitForMultipleObjects 2
    NtWaitForSingleObject 1
    NtSetInformationDebugObject 0
    NtCreateDebugObject 0
    NtDebugContinue 0
    NtWaitForDebugEvent 0
    NtRemoveProcessDebug 0
    NtUserPostMessage 0
    NtUserSendInput 0
    NtUserSetWindowsHookEx 0
    NtUserSetWinEventHook 0
    NtUserDestroyWindow 0
    NtUserPostThreadMessage 0
    NtUserBuildHwndList 0
    NtUserSetCapture 0
    NtUserRegisterHotKey 0
    NtUserRegisterUserApiHook 0
    NtUserCreateWindowEx 0
    NtUserQueryWindow 0
    NtUserFindWindowEx 0
    NtUserGetAsyncKeyState 0
    NtUserGetKeyboardState 0
    NtUserGetKeyState 0
    Startup
    • system is xp
    • TDSS.new.b.exe (PID: 1032 MD5: 707E2294ED5425B588D8844DF0AB38A4)
    • 5.tmp (PID: 4 MD5: D248B7F23C7D3D0186505AD66D8854F8)
    • cleanup
    • system is vista
    • TDSS.new.b.exe (PID: 1760 MD5: 707E2294ED5425B588D8844DF0AB38A4)
    • D21B.tmp (PID: 4 MD5: D248B7F23C7D3D0186505AD66D8854F8)
    • cleanup
    • system is w7
    • TDSS.new.b.exe (PID: 2180 MD5: 707E2294ED5425B588D8844DF0AB38A4)
    • 5EE.tmp (PID: 4 MD5: D248B7F23C7D3D0186505AD66D8854F8)
    • cleanup
    Analysis File: TDSS.new.b.exe PID: 1032 Parent PID: 1264 Run ID: 0
    Sections
    General
    Start time: 12:36:53
    Start date: 09/04/2010
    Path: C:\TDSS.new.b.exe
    File size: 84480 bytes
    MD5 hash: 707E2294ED5425B588D8844DF0AB38A4
    File Activities:
    File opened
    File Path Access Options Completion Count
    C:\WINDOWS\WindowsShell.Manifest read attributes and synchronize and generic read synchronous io non alert and non directory file success or wait 38
    C:\WINDOWS\WindowsShell.Manifest read attributes and synchronize and generic read synchronous io non alert and non directory file success or wait 1
    globalrootC:\TDSS.new.b.exe read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize write through and synchronous io non alert and non directory file success or wait 1
    File created
    File Path Access Attributes Options Completion Count
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\3.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\4.tmp read attributes and synchronize and generic read normal synchronous io non alert and non directory file success or wait 1
    File overwritten
    File Path Access Options Completion Count
    WMIDataDevice read attributes and synchronize and generic read and generic write non directory file success or wait 1
    WMIDataDevice read attributes and synchronize and generic read and generic write non directory file success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp read attributes and delete and synchronize and generic write sequential only and synchronous io non alert and non directory file success or wait 1
    \Device\KsecDD read data or list directory and synchronize synchronous io alert success or wait 1
    C:\WINDOWS\system32\urlmon.dll.123.Manifest read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize synchronous io non alert and non directory file object name not found 1
    C:\WINDOWS\system32\WININET.dll.123.Manifest read data or list directory and read ea and execute or traverse and read attributes and read control and synchronize synchronous io non alert and non directory file object name not found 1
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
    File Path Completion Count
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 1
    Other file operations
    File Path Disposition Data Completion Count
    C:\WINDOWS\system32\urlmon.dll.123.Config open none object name not found 1
    C:\WINDOWS\WindowsShell.Config open none object name not found 1
    C:\WINDOWS\system32\WININET.dll.123.Config open none object name not found 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp EndOfFileInformation 00 4A 01 00 00 00 00 00 success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp BasicInformation 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 00 B6 02 92 D0 D7 CA 01 00 00 00 00 00 00 00 00 success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp RenameInformation 01 05 15 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 48 00 41 00 4E 00 55 00 45 00 4C 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 33 00 2E 00 74 00 6D 00 70 00 00 00 00 00 success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\3.tmp DispositionInformation 01 cannot delete 1
    C:\TDSS.new.b.exe RenameInformation 01 00 00 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 48 00 41 00 4E 00 55 00 45 00 4C 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 34 00 2E 00 74 00 6D 00 70 00 00 00 00 00 success or wait 1
    Section Activities:
    Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    \KnownDlls\kernel32.dll map write and map read and map execute 7C800000 7C80B64E F6000 own pid success or wait 1
    \NLS\NlsSectionUnicode map read 00270000 0 15DF4 own pid success or wait 1
    \NLS\NlsSectionLocale map read 00290000 0 40EDC own pid success or wait 1
    \NLS\NlsSectionSortkey query and map read 002E0000 0 40004 own pid success or wait 1
    \NLS\NlsSectionSortTbls map read 00330000 0 5A04 own pid success or wait 1
    \NLS\NlsSectionSortkey00000409 map read not known not known not known own pid object name not found 2
    \KnownDlls\USER32.DLL map write and map read and map execute 7E410000 7E41B217 91000 own pid success or wait 1
    \KnownDlls\GDI32.dll map write and map read and map execute 77F10000 77F16587 49000 own pid success or wait 1
    \KnownDlls\ADVAPI32.dll map write and map read and map execute 77DD0000 77DD710B 9B000 own pid success or wait 1
    \KnownDlls\RPCRT4.dll map write and map read and map execute 77E70000 77E7628F 92000 own pid success or wait 1
    \KnownDlls\Secur32.dll map write and map read and map execute 77FE0000 77FE2146 11000 own pid success or wait 1
    \KnownDlls\SHLWAPI.dll map write and map read and map execute 77F60000 77F651FB 76000 own pid success or wait 1
    \KnownDlls\msvcrt.dll map write and map read and map execute 77C10000 77C1F2A1 58000 own pid success or wait 1
    \NLS\NlsSectionCType map read 003F0000 0 20C2 own pid success or wait 1
    \KnownDlls\imagehlp.dll map write and map read and map execute 76C90000 76C9126D 28000 own pid success or wait 1
    \KnownDlls\PSAPI.DLL map write and map read and map execute not known not known not known own pid object name not found 1
    \KnownDlls\WININET.dll map write and map read and map execute 3D930000 3D931744 E6000 own pid success or wait 1
    \KnownDlls\Normaliz.dll map write and map read and map execute 00A10000 401782 9000 own pid success or wait 1
    \KnownDlls\urlmon.dll map write and map read and map execute 78130000 78131AFA 132000 own pid success or wait 1
    \KnownDlls\ole32.dll map write and map read and map execute 774E0000 774FD0B9 13D000 own pid success or wait 1
    \KnownDlls\OLEAUT32.dll map write and map read and map execute 77120000 77121560 8B000 own pid success or wait 1
    \KnownDlls\iertutil.dll map write and map read and map execute 3DFD0000 3E0E7B59 1E8000 own pid success or wait 1
    \KnownDlls\WINSPOOL.DRV map write and map read and map execute not known not known not known own pid object name not found 1
    Section created
    File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
    not known query and map write and map read and map execute and extend size reserve not known F71F2A00 10000 read write own pid success or wait 37
    not known query and map write and map read and map execute and extend size reserve not known F71F2A00 10000 read write own pid success or wait 1
    C:\WINDOWS\system32\imm32.dll map write and map read and map execute commit 00340000 F71F2A00 1AE00 execute own pid success or wait 2
    C:\WINDOWS\system32\imm32.dll query and map write and map read and map execute image 76390000 763912C0 1D000 execute own pid success or wait 1
    C:\WINDOWS\system32\psapi.dll query and map write and map read and map execute image 76BF0000 76BF10F1 B000 execute own pid success or wait 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll map write and map read and map execute commit 00A30000 FA87DA00 101600 execute own pid success or wait 1
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll query and map write and map read and map execute image 773D0000 773D4256 103000 execute own pid success or wait 1
    C:\WINDOWS\WindowsShell.Manifest map write and map read and map execute commit 00A30000 FA87DA00 2ED execute own pid success or wait 1
    C:\WINDOWS\WindowsShell.Manifest query and map read commit 00A30000 FA87DA00 2ED readonly own pid success or wait 1
    C:\WINDOWS\WindowsShell.Manifest map read commit 00A30000 FA87DA00 2ED readonly own pid success or wait 1
    C:\WINDOWS\system32\winspool.drv query and map write and map read and map execute image 73000000 730054A5 26000 execute own pid success or wait 1
    C:\TDSS.new.b.exe query and map write and map read and map execute and extend size commit 00C70000 FA87DA00 14A00 readonly own pid success or wait 1
    C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp query and map write and map read commit 00C70000 FA87DA00 14A00 read write own pid success or wait 1
    Registry Activities:
    Key opened
    Key Path Access Completion Count
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDSS.new.b.exe generic read object name not found 2
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.DLL generic read object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option query value and set value and read or execute and write object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE maximum allowed success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance maximum allowed object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\imagehlp.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Ole query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Classes\Interface query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT query value and read or execute object name not found 2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra query value and enumerate sub key and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll generic read object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots enumerate sub key and read or execute object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll generic read object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll generic read object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes maximum allowed success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\ maximum allowed object name not found 1
    HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler maximum allowed success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler maximum allowed object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 maximum allowed success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute object name not found 2
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute success or wait 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSPOOL.DRV generic read object name not found 1
    HKEY_LOCAL_MACHINE\software\microsoft\cryptography query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDSS.new.b.exe\RpcThreadPoolThrottle query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    Key created
    Key Path Access Options Completion Count
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 109
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 1
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
    Key Path Name Type Data Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations Other 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 48 00 41 00 4E 00 55 00 45 00 4C 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 34 00 2E 00 74 00 6D 00 70 00 00 00 00 00 00 00 success or wait 1
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
    Key Path Name Type Data Completion Count
    Key value queried
    Key Path Name Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server TSAppCompat success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager SafeDllSearchMode object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers TransparentEnabled success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon LeakTrack object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager CriticalSectionTimeout success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole RWLockResourceTimeOut object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAll object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAllForOle32 object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableTypeLib object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAll object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAllForOle32 object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop SmoothScroll object name not found 1
    HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableImprovedZoneCheck object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN TDSS.new.b.exe object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN * object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography machineguid success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc MaxRpcSize object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations2 object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    Process terminated
    PID Filename Cmdline Completion Count
    own pid own process file path own process cmdline success or wait 2
    own pid own process file path own process cmdline success or wait 1
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    1524 own pid own process file path own process cmdline terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation success or wait 1
    1524 own pid own process file path own process cmdline terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation success or wait 1
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    System information queried
    System info class Completion Count
    BasicInformation success or wait 21
    BasicInformation success or wait 3
    RangeStartInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    ProcessorInformation success or wait 4
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 2
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    PerformanceInformation success or wait 1
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    2353278725 3579545 success or wait 6
    2353278725 3579545 success or wait 1
    2353279946 3579545 success or wait 1
    2353368043 3579545 success or wait 1
    2353369660 3579545 success or wait 1
    2353375447 3579545 success or wait 1
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    129152830142209552 success or wait 1
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    Chronological sections
    Operation Data Completion Time
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDSS.new.b.exe Access: generic read object name not found 2352819146
    System info queried Type: BasicInformation success or wait 2352821413
    System info queried Type: BasicInformation success or wait 2352822388
    Section opened Access: map write and map read and map execute Baseaddress: 7C800000 Size: F6000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll success or wait 2352825524
    System info queried Type: RangeStartInformation success or wait 2352829093
    System info queried Type: BasicInformation success or wait 2352829207
    Section created Access: query and map write and map read and map execute and extend size Protection: read write Attributes: reserve Path: not known Type: reserve Baseaddress: not known Entrypoint: F71F2A00 Mapped to pid: own pid Size: 10000 success or wait 2352831261
    System info queried Type: BasicInformation success or wait 2353087751
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353090216
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server Name: TSAppCompat success or wait 2353092282
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDSS.new.b.exe Access: generic read object name not found 2353098994
    Section opened Access: map read Baseaddress: 00270000 Size: 15DF4 Mapped to pid: own pid Path: \NLS\NlsSectionUnicode success or wait 2353099234
    Section opened Access: map read Baseaddress: 00290000 Size: 40EDC Mapped to pid: own pid Path: \NLS\NlsSectionLocale success or wait 2353100777
    Section opened Access: query and map read Baseaddress: 002E0000 Size: 40004 Mapped to pid: own pid Path: \NLS\NlsSectionSortkey success or wait 2353101731
    Section opened Access: map read Baseaddress: 00330000 Size: 5A04 Mapped to pid: own pid Path: \NLS\NlsSectionSortTbls success or wait 2353102615
    Section opened Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409 object name not found 2353107992
    Section opened Access: map read Baseaddress: not known Size: not known Mapped to pid: own pid Path: \NLS\NlsSectionSortkey00000409 object name not found 2353108307
    Section opened Access: map write and map read and map execute Baseaddress: 7E410000 Size: 91000 Mapped to pid: own pid Path: \KnownDlls\USER32.DLL success or wait 2353114546
    Section opened Access: map write and map read and map execute Baseaddress: 77F10000 Size: 49000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll success or wait 2353117493
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll Access: generic read object name not found 2353126289
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USER32.DLL Access: generic read object name not found 2353126823
    System info queried Type: BasicInformation success or wait 2353127081
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute success or wait 2353128614
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode object name not found 2353129120
    Section created Access: map write and map read and map execute Protection: execute Attributes: commit Path: C:\WINDOWS\system32\imm32.dll Type: commit Baseaddress: 00340000 Entrypoint: F71F2A00 Mapped to pid: own pid Size: 1AE00 success or wait 2353130809
    Section created Access: map write and map read and map execute Protection: execute Attributes: commit Path: C:\WINDOWS\system32\imm32.dll Type: commit Baseaddress: 00340000 Entrypoint: F71F2A00 Mapped to pid: own pid Size: 1AE00 success or wait 2353133636
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\WINDOWS\system32\imm32.dll Type: image Baseaddress: 76390000 Entrypoint: 763912C0 Mapped to pid: own pid Size: 1D000 success or wait 2353135445
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write object name not found 2353136814
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute success or wait 2353137071
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers Name: TransparentEnabled success or wait 2353137678
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute object name not found 2353138978
    Section opened Access: map write and map read and map execute Baseaddress: 77DD0000 Size: 9B000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll success or wait 2353140086
    Section opened Access: map write and map read and map execute Baseaddress: 77E70000 Size: 92000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll success or wait 2353143191
    Section opened Access: map write and map read and map execute Baseaddress: 77FE0000 Size: 11000 Mapped to pid: own pid Path: \KnownDlls\Secur32.dll success or wait 2353147358
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll Access: generic read object name not found 2353157511
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll Access: generic read object name not found 2353158431
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll Access: generic read object name not found 2353158764
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353159147
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack object name not found 2353159575
    Key opened Path: HKEY_LOCAL_MACHINE Access: maximum allowed success or wait 2353160451
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353160928
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL Access: generic read object name not found 2353161340
    System info queried Type: BasicInformation success or wait 2353161485
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll Access: generic read object name not found 2353162230
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll Access: generic read object name not found 2353162505
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353163026
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353163317
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 2353163615
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353167839
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: AppInit_DLLs success or wait 2353168096
    Section opened Access: map write and map read and map execute Baseaddress: 77F60000 Size: 76000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll success or wait 2353202180
    Section opened Access: map write and map read and map execute Baseaddress: 77C10000 Size: 58000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll success or wait 2353205712
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll Access: generic read object name not found 2353209725
    System info queried Type: BasicInformation success or wait 2353210394
    Section opened Access: map read Baseaddress: 003F0000 Size: 20C2 Mapped to pid: own pid Path: \NLS\NlsSectionCType success or wait 2353211911
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll Access: generic read object name not found 2353215366
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Performance Access: maximum allowed object name not found 2353215718
    Section opened Access: map write and map read and map execute Baseaddress: 76C90000 Size: 28000 Mapped to pid: own pid Path: \KnownDlls\imagehlp.dll success or wait 2353216746
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\imagehlp.dll Access: generic read object name not found 2353220035
    System info queried Type: BasicInformation success or wait 2353220280
    System info queried Type: ProcessorInformation success or wait 2353220476
    System info queried Type: BasicInformation success or wait 2353220757
    Section opened Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\PSAPI.DLL object name not found 2353221826
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\WINDOWS\system32\psapi.dll Type: image Baseaddress: 76BF0000 Entrypoint: 76BF10F1 Mapped to pid: own pid Size: B000 success or wait 2353223287
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL Access: generic read object name not found 2353226808
    Section opened Access: map write and map read and map execute Baseaddress: 3D930000 Size: E6000 Mapped to pid: own pid Path: \KnownDlls\WININET.dll success or wait 2353227032
    Section opened Access: map write and map read and map execute Baseaddress: 00A10000 Size: 9000 Mapped to pid: own pid Path: \KnownDlls\Normaliz.dll success or wait 2353232122
    Section opened Access: map write and map read and map execute Baseaddress: 78130000 Size: 132000 Mapped to pid: own pid Path: \KnownDlls\urlmon.dll success or wait 2353237620
    Section opened Access: map write and map read and map execute Baseaddress: 774E0000 Size: 13D000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll success or wait 2353240469
    Section opened Access: map write and map read and map execute Baseaddress: 77120000 Size: 8B000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll success or wait 2353247076
    Section opened Access: map write and map read and map execute Baseaddress: 3DFD0000 Size: 1E8000 Mapped to pid: own pid Path: \KnownDlls\iertutil.dll success or wait 2353255374
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Normaliz.dll Access: generic read object name not found 2353265411
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll Access: generic read object name not found 2353265651
    System info queried Type: BasicInformation success or wait 2353270960
    System info queried Type: ProcessorInformation success or wait 2353271152
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353271797
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout success or wait 2353272123
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353272897
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: RWLockResourceTimeOut object name not found 2353273183
    System info queried Type: BasicInformation success or wait 2353273901
    System info queried Type: ProcessorInformation success or wait 2353274095
    System info queried Type: BasicInformation success or wait 2353274237
    System info queried Type: ProcessorInformation success or wait 2353274429
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353274644
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll object name not found 2353274947
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32 object name not found 2353275123
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib object name not found 2353275295
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353275600
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll object name not found 2353275886
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32 object name not found 2353276060
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll Access: generic read object name not found 2353276702
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute object name not found 2353276971
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute object name not found 2353277909
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute object name not found 2353278118
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iertutil.dll Access: generic read object name not found 2353278323
    Performance counter queried Count: 2353278725 Frequency: 3579545 success or wait 2353278705
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll Access: generic read object name not found 2353279595
    Performance counter queried Count: 2353279946 Frequency: 3579545 success or wait 2353279941
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute object name not found 2353299900
    Section created Access: map write and map read and map execute Protection: execute Attributes: commit Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll Type: commit Baseaddress: 00A30000 Entrypoint: FA87DA00 Mapped to pid: own pid Size: 101600 success or wait 2353302728
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll Type: image Baseaddress: 773D0000 Entrypoint: 773D4256 Mapped to pid: own pid Size: 103000 success or wait 2353304757
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll Access: generic read object name not found 2353311880
    Section created Access: map write and map read and map execute Protection: execute Attributes: commit Path: C:\WINDOWS\WindowsShell.Manifest Type: commit Baseaddress: 00A30000 Entrypoint: FA87DA00 Mapped to pid: own pid Size: 2ED success or wait 2353314509
    File opened Path: C:\WINDOWS\WindowsShell.Manifest Access: read attributes and synchronize and generic read Disposition: open Options: synchronous io non alert and non directory file Attributes: none success or wait 2353316715
    Section created Access: query and map read Protection: readonly Attributes: commit Path: C:\WINDOWS\WindowsShell.Manifest Type: commit Baseaddress: 00A30000 Entrypoint: FA87DA00 Mapped to pid: own pid Size: 2ED success or wait 2353317125
    Section created Access: map read Protection: readonly Attributes: commit Path: C:\WINDOWS\WindowsShell.Manifest Type: commit Baseaddress: 00A30000 Entrypoint: FA87DA00 Mapped to pid: own pid Size: 2ED success or wait 2353318872
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353335878
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353337706
    Key value queried Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Control Panel\Desktop Name: SmoothScroll object name not found 2353338138
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353340426
    Key value queried Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips object name not found 2353340881
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\LanguagePack Access: query value and read or execute success or wait 2353342350
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll Access: generic read object name not found 2353345902
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes Access: maximum allowed success or wait 2353347514
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_CLASSES\PROTOCOLS\Name-Space Handler\ Access: maximum allowed object name not found 2353351173
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed success or wait 2353351404
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003_Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed object name not found 2353356006
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003 Access: maximum allowed success or wait 2353361191
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute object name not found 2353361705
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute object name not found 2353361933
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute success or wait 2353362156
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck object name not found 2353362801
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute object name not found 2353363849
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353366083
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353366373
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2353366651
    Performance counter queried Count: 2353368043 Frequency: 3579545 success or wait 2353368020
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: TDSS.new.b.exe object name not found 2353368797
    Performance counter queried Count: 2353369660 Frequency: 3579545 success or wait 2353369637
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: * object name not found 2353369887
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Access: query value and read or execute object name not found 2353370627
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute object name not found 2353370906
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute object name not found 2353371150
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute object name not found 2353371395
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute success or wait 2353371636
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute object name not found 2353371972
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 Access: query value and read or execute object name not found 2353372217
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353372596
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353372939
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353373182
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353373425
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353373667
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353373904
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353374192
    Key opened Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353374474
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353374756
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2353375039
    Performance counter queried Count: 2353375447 Frequency: 3579545 success or wait 2353375425
    System info queried Type: BasicInformation success or wait 2353376935
    File overwritten Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normale success or wait 2353378723
    File overwritten Path: WMIDataDevice Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: normale success or wait 2353381157
    Thread created Access: terminate and suspend resume and alert and get context and set context and set information and query information and set token and impersonate and direct impersonation PID: NULL TID: 1524 Imagepath: own process file path Cmdline: own process cmdline success or wait 2353384206
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute object name not found 2353403720
    Key created Path: HKEY_USERS\S-1-5-21-220523388-1935655697-1343024091-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile success or wait 2353406219
    Section opened Access: map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINSPOOL.DRV object name not found 2353699580
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\WINDOWS\system32\winspool.drv Type: image Baseaddress: 73000000 Entrypoint: 730054A5 Mapped to pid: own pid Size: 26000 success or wait 2353701270
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSPOOL.DRV Access: generic read object name not found 2353987520
    System info queried Type: BasicInformation success or wait 2353987881
    Key opened Path: HKEY_LOCAL_MACHINE\software\microsoft\cryptography Access: query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 2353989948
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: machineguid success or wait 2353990303
    File created Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normale success or wait 2354037392
    File opened Path: globalrootC:\TDSS.new.b.exe Access: read attributes and synchronize and generic read Disposition: open Options: sequential only and synchronous io non alert and non directory file Attributes: none success or wait 2354045499
    File overwritten Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp Access: read attributes and delete and synchronize and generic write Disposition: overwrite if exists Options: sequential only and synchronous io non alert and non directory file Attributes: archive success or wait 2354325790
    File other operation Disposition: EndOfFileInformation Data: 00 4A 01 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 2354338426
    Section created Access: query and map write and map read and map execute and extend size Protection: readonly Attributes: commit Path: C:\TDSS.new.b.exe Type: commit Baseaddress: 00C70000 Entrypoint: FA87DA00 Mapped to pid: own pid Size: 14A00 success or wait 2354339006
    File write Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 2354580082
    File write Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 2354815949
    File other operation Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 00 B6 02 92 D0 D7 CA 01 00 00 00 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 2354817283
    File opened Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Disposition: open Options: write through and synchronous io non alert and non directory file Attributes: none success or wait 2354818850
    Section created Access: query and map write and map read Protection: read write Attributes: commit Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp Type: commit Baseaddress: 00C70000 Entrypoint: FA87DA00 Mapped to pid: own pid Size: 14A00 success or wait 2354819341
    File created Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\3.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normale success or wait 2354836566
    File other operation Disposition: RenameInformation Data: 01 05 15 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 48 00 41 00 4E 00 55 00 45 00 4C 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 33 00 2E 00 74 00 6D 00 70 00 00 00 00 00 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\2.tmp success or wait 2354840251
    System info queried Type: BasicInformation success or wait 2354868927
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\PagedBuffers Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2354869277
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2354869508
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize object name not found 2354869834
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TDSS.new.b.exe\RpcThreadPoolThrottle Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2354870675
    System time queried Time: 129152830142209552 success or wait 2354871431
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2354871981
    System info queried Type: PerformanceInformation success or wait 2354872118
    File other operation Disposition: DispositionInformation Data: 01 Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\3.tmp cannot delete 2355141954
    File created Path: C:\DOCUME~1\HANUEL~1\LOCALS~1\Temp\4.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normale success or wait 2355143856
    File other operation Disposition: RenameInformation Data: 01 00 00 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 48 00 41 00 4E 00 55 00 45 00 4C 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 34 00 2E 00 74 00 6D 00 70 00 00 00 00 00 Path: C:\TDSS.new.b.exe success or wait 2355147516
    Key other operation Operation: NULL Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: generic read and generic write Options: non volatile success or wait 2355174748
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations2 object name not found 2355175144
    Key other operation Operation: NULL Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: generic read and generic write Options: non volatile success or wait 2355193644
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations object name not found 2355193903
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: Other Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 44 00 4F 00 43 00 55 00 4D 00 45 00 7E 00 31 00 5C 00 48 00 41 00 4E 00 55 00 45 00 4C 00 7E 00 31 00 5C 00 4C 00 4F 00 43 00 41 00 4C 00 53 00 7E 00 31 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 34 00 2E 00 74 00 6D 00 70 00 00 00 00 00 00 00 success or wait 2355212967
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline success or wait 2355228481
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2355238442
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 2355238928
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline NOSTATUS 2355240013
    Analysis File: 5.tmp PID: 4 Parent PID: -1 Run ID: 0
    Sections
    General
    Start time: 12:36:54
    Start date: 09/04/2010
    Path: C:\WINDOWS\TEMP\5.tmp
    File size: 31744 bytes
    MD5 hash: D248B7F23C7D3D0186505AD66D8854F8
    File Activities:
    File opened
    File Path Access Options Completion Count
    File created
    File Path Access Attributes Options Completion Count
    \sitnvkvs\tvnqylaa\tdl read data or list directory and write data or add file and synchronize none write through and synchronous io non alert success or wait 20
    \sitnvkvs\tvnqylaa\tdl read data or list directory and write data or add file and synchronize none write through and synchronous io non alert success or wait 1
    \sitnvkvs\tvnqylaa\rsrc.dat read data or list directory and write data or add file and synchronize none write through and synchronous io non alert success or wait 1
    File overwritten
    File Path Access Options Completion Count
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
    File Path Completion Count
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    not known success or wait 2
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    Other file operations
    File Path Disposition Data Completion Count
    C:\WINDOWS\AppPatch\drvmain.sdb open none success or wait 1
    C: open none success or wait 1
    physicaldrive0 open none success or wait 1
    C:\WINDOWS\system32\drivers\cdrom.sys open none success or wait 1
    C: open none success or wait 1
    \sitnvkvs\tvnqylaa\rsrc.dat open none object name not found 1
    C:\WINDOWS\system32\drivers\cdrom.sys open none success or wait 1
    not known EndOfFileInformation 60 00 00 00 00 00 00 00 success or wait 1
    Section Activities:
    Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    Section created
    File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
    C:\WINDOWS\AppPatch\drvmain.sdb map read commit not known not known not known readonly own pid success or wait 3
    C:\WINDOWS\AppPatch\drvmain.sdb map read commit not known not known not known readonly own pid success or wait 1
    C:\WINDOWS\system32\drivers\cdrom.sys map write and map read commit not known not known not known read write own pid success or wait 2
    Registry Activities:
    Key opened
    Key Path Access Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\software\microsoft\cryptography generic read success or wait 1
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cdrom query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Cdrom query value and read or execute success or wait 1
    Key created
    Key Path Access Options Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner volatile success or wait 17
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner volatile success or wait 1
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
    Key Path Name Type Data Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NQQOIENWHPYMDHV\0000\Control ActiveService String nqqoienwhpymdhv success or wait 1
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
    Key Path Name Type Data Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Count Dword 1 success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum NextInstance Dword 1 success or wait 1
    Key value queried
    Key Path Name Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Count object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv ImagePath buffer overflow 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv ImagePath success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography machineguid success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom imagepath success or wait 2
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom start success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv ErrorControl object name not found 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    Process terminated
    PID Filename Cmdline Completion Count
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    System information queried
    System info class Completion Count
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    Chronological sections
    Operation Data Completion Time
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2355321091
    Key other operation Operation: INVALID PTR Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner Options: volatile success or wait 2355321445
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Name: Count object name not found 2355322111
    Key other operation Operation: INVALID PTR Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NQQOIENWHPYMDHV\0000\Control Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner Options: volatile success or wait 2355330784
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NQQOIENWHPYMDHV\0000\Control Name: ActiveService Type: String Data: nqqoienwhpymdhv success or wait 2355331203
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Name: Count Type: Dword Data: 1 success or wait 2355331687
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv\Enum Name: NextInstance Type: Dword Data: 1 success or wait 2355332030
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv Name: ImagePath buffer overflow 2355332441
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv Name: ImagePath success or wait 2355332654
    Section created Access: map read Protection: readonly Attributes: commit Path: C:\WINDOWS\AppPatch\drvmain.sdb Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 2355333513
    Key opened Path: HKEY_LOCAL_MACHINE\software\microsoft\cryptography Access: generic read success or wait 2355342537
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: machineguid success or wait 2355343304
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\cdrom Access: query value and read or execute success or wait 2355452548
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom Name: imagepath success or wait 2355453583
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom Name: start success or wait 2355454358
    Section created Access: map write and map read Protection: read write Attributes: commit Path: C:\WINDOWS\system32\drivers\cdrom.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 2355459822
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\Cdrom Access: query value and read or execute success or wait 2355958897
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cdrom Name: imagepath success or wait 2355959784
    Section created Access: map write and map read Protection: read write Attributes: commit Path: C:\WINDOWS\system32\drivers\cdrom.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 2356077504
    File write Path: not known success or wait 2356110666
    File write Path: not known success or wait 2356121636
    File write Path: not known success or wait 2356129594
    File write Path: not known success or wait 2356137397
    File write Path: not known success or wait 2356167949
    File write Path: not known success or wait 2356174973
    File write Path: not known success or wait 2356183078
    File write Path: not known success or wait 2356192322
    File other operation Disposition: EndOfFileInformation Data: 60 00 00 00 00 00 00 00 Path: not known success or wait 2356200278
    File other operation Operation: null Path: \sitnvkvs\tvnqylaa\tdl Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 2356229835
    File write Path: not known success or wait 2356481886
    File other operation Operation: null Path: \sitnvkvs\tvnqylaa\rsrc.dat Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 2357154321
    File write Path: not known success or wait 2357184373
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nqqoienwhpymdhv Name: ErrorControl object name not found 2357242872
    Analysis File: TDSS.new.b.exe PID: 1760 Parent PID: 2528 Run ID: 1
    Sections
    General
    Start time: 12:38:51
    Start date: 09/04/2010
    Path: C:\TDSS.new.b.exe
    File size: 84480 bytes
    MD5 hash: 707E2294ED5425B588D8844DF0AB38A4
    File Activities:
    File opened
    File Path Access Options Completion Count
    globalrootC:\TDSS.new.b.exe read attributes and synchronize and generic read sequential only and non directory file success or wait 1
    globalrootC:\TDSS.new.b.exe read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp read data or list directory and read attributes and delete and synchronize and generic write sequential only and synchronous io non alert and non directory file success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize write through and synchronous io non alert and non directory file success or wait 1
    PIPE\lsarpc read attributes and synchronize and generic read and generic write non directory file success or wait 1
    File created
    File Path Access Attributes Options Completion Count
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 37
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\D0C8.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\D1F5.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 1
    File overwritten
    File Path Access Options Completion Count
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp read data or list directory and read attributes and delete and synchronize and generic write sequential only and non directory file success or wait 1
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
    File Path Completion Count
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 1
    \Device\NamedPipe\lsass success or wait 1
    Other file operations
    File Path Disposition Data Completion Count
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp EndOfFileInformation 00 4A 01 00 00 00 00 00 success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp BasicInformation 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 55 6C 90 71 D0 D7 CA 01 00 00 00 00 00 00 00 00 success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp RenameInformation 01 60 20 00 00 00 00 00 5A 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 53 00 65 00 70 00 70 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 44 00 30 00 43 00 38 00 2E 00 74 00 6D 00 70 00 65 00 00 00 success or wait 1
    \Device\NamedPipe\lsass PipeInformation 01 00 00 00 00 00 00 00 success or wait 1
    \Device\NamedPipe\lsass CompletionInformation A4 00 00 00 00 00 FF FF success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\D0C8.tmp DispositionInformation 01 cannot delete 1
    C:\TDSS.new.b.exe RenameInformation 01 72 20 00 00 00 00 00 5A 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 53 00 65 00 70 00 70 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 44 00 31 00 46 00 35 00 2E 00 74 00 6D 00 70 00 89 AB 01 00 success or wait 1
    Section Activities:
    Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    \KnownDlls\kernel32.dll query and map write and map read and map execute 76D30000 76D7B7F5 DC000 own pid success or wait 1
    \Sessions\1\Windows\SharedSection query and map read 7F6F0000 82B91000 100000 own pid success or wait 1
    \KnownDlls\USER32.DLL query and map write and map read and map execute 76E10000 76E27A1D 9D000 own pid success or wait 1
    \KnownDlls\GDI32.dll query and map write and map read and map execute 75AF0000 75AFF12A 4B000 own pid success or wait 1
    \KnownDlls\ADVAPI32.dll query and map write and map read and map execute 75C30000 75C70CC1 C6000 own pid success or wait 1
    \KnownDlls\RPCRT4.dll query and map write and map read and map execute 75990000 759E02EB C3000 own pid success or wait 1
    \KnownDlls\MSCTF.dll query and map write and map read and map execute 76A50000 76A5169E C8000 own pid success or wait 1
    \KnownDlls\msvcrt.dll query and map write and map read and map execute 76EB0000 76EB9FAE AA000 own pid success or wait 1
    \KnownDlls\LPK.DLL query and map write and map read and map execute 771D0000 771D1303 9000 own pid success or wait 1
    \KnownDlls\USP10.dll query and map write and map read and map execute 77280000 77289B1E 7D000 own pid success or wait 1
    \KnownDlls\SHLWAPI.dll query and map write and map read and map execute 769F0000 76A0BA35 59000 own pid success or wait 1
    \KnownDlls\imagehlp.dll query and map write and map read and map execute 75930000 759312D0 29000 own pid success or wait 1
    \KnownDlls\PSAPI.DLL query and map write and map read and map execute 75740000 7574154B 7000 own pid success or wait 1
    \KnownDlls\WININET.dll query and map write and map read and map execute 75B40000 75B41744 E6000 own pid success or wait 1
    \KnownDlls\Normaliz.dll query and map write and map read and map execute 771E0000 771E0000 3000 own pid success or wait 1
    \KnownDlls\urlmon.dll query and map write and map read and map execute 76F60000 76F61AFA 132000 own pid success or wait 1
    \KnownDlls\ole32.dll query and map write and map read and map execute 757E0000 758394C0 145000 own pid success or wait 1
    \KnownDlls\OLEAUT32.dll query and map write and map read and map execute 75A60000 75A63F45 8D000 own pid success or wait 1
    \KnownDlls\iertutil.dll query and map write and map read and map execute 76B20000 76C37B59 1E8000 own pid success or wait 1
    \KnownDlls\WINSPOOL.DRV query and map write and map read and map execute not known not known not known own pid object name not found 1
    Section created
    File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
    not known query and map write and map read and map execute and extend size commit not known 82B91000 10000 read write own pid success or wait 29
    not known query and map write and map read and map execute and extend size commit not known 82B91000 10000 read write own pid success or wait 1
    C:\Windows\System32\imm32.dll query and map write and map read and map execute image 76D10000 76D11378 1E000 readonly own pid success or wait 2
    C:\Windows\System32\imm32.dll query and map write and map read and map execute image 76D10000 76D11378 1E000 execute own pid success or wait 1
    C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll query and map write and map read and map execute image 744A0000 744D3681 19E000 readonly own pid success or wait 1
    C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll query and map write and map read and map execute image 744A0000 744D3681 19E000 execute own pid success or wait 1
    C:\Windows\WindowsShell.Manifest map read commit 003D0000 82B91000 2ED readonly own pid success or wait 1
    C:\Windows\System32\winspool.drv query and map write and map read and map execute image 6AE70000 6AE948E6 42000 execute own pid success or wait 1
    C:\Users\Sepp\AppData\Local\Temp\CF54.tmp query and map write and map read commit 008D0000 82B91000 14A00 read write own pid success or wait 1
    Registry Activities:
    Key opened
    Key Path Access Completion Count
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\System\Setup query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE maximum allowed success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option query value and set value and read or execute and write object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute success or wait 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings query value and enumerate sub key and notify and read or execute and write and read control object name not found 3
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 maximum allowed success or wait 4
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Control Panel\Desktop query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop query value and enumerate sub key and notify and read or execute and write and read control success or wait 4
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop\LanguageConfiguration query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MUI\Settings query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide query value and enumerate sub key and notify and read or execute and write and read control success or wait 4
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots enumerate sub key and read or execute object name not found 3
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Classes\Interface query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT query value and read or execute object name not found 2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra query value and enumerate sub key and read or execute object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000_Classes maximum allowed success or wait 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000_CLASSES\PROTOCOLS\Name-Space Handler\ maximum allowed object name not found 1
    HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler maximum allowed success or wait 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000_Classes\PROTOCOLS\Name-Space Handler maximum allowed object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute success or wait 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings query value and read or execute success or wait 2
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute success or wait 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\software\microsoft\cryptography query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System query value and read or execute success or wait 2
    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc query value and enumerate sub key and notify and read or execute and write and read control object name not found 2
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    Key created
    Key Path Access Options Completion Count
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 135
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control non volatile success or wait 1
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
    Key Path Name Type Data Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations Other 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 53 00 65 00 70 00 70 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 44 00 31 00 46 00 35 00 2E 00 74 00 6D 00 70 00 00 00 00 00 00 00 success or wait 1
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
    Key Path Name Type Data Completion Count
    Key value queried
    Key Path Name Completion Count
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon LeakTrack object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\Setup SystemSetupInProgress success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager SafeDllSearchMode object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers TransparentEnabled object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs success or wait 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop PreferredUILanguages object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop CachedMachinePreferredUILanguages object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\Settings PreferredUILanguages object name not found 1
    HKEY_LOCAL_MACHINE\COMPONENTS PreferExternalManifest object name not found 1
    HKEY_LOCAL_MACHINE\COMPONENTS PreferExternalManifest object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop SmoothScroll object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced EnableBalloonTips object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole PageAllocatorUseSystemHeap object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole PageAllocatorSystemHeapIsPrivate object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager CriticalSectionTimeout success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAll object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableAllForOle32 object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface InterfaceHelperDisableTypeLib object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAll object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} InterfaceHelperDisableAllForOle32 object name not found 1
    HKEY_LOCAL_MACHINE\COMPONENTS PreferExternalManifest object name not found 2
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale en-US object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings EnableUTF8 object name not found 1
    HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings MBCSServername object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableImprovedZoneCheck object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_HKLM_only object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN TDSS.new.b.exe object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN * object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_HKLM_only object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_HKLM_only object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK TDSS.new.b.exe object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK * object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography machineguid success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System CopyFileBufferedSynchronousIo object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System CopyFileChunkSize object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System CopyFileOverlappedCount object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc MaxRpcSize object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows CEIPEnable object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations2 object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager PendingFileRenameOperations object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    \KnownDlls\ success or wait 1
    \KnownDlls\ success or wait 1
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    Process terminated
    PID Filename Cmdline Completion Count
    own pid own process file path own process cmdline success or wait 2
    own pid own process file path own process cmdline success or wait 1
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    System information queried
    System info class Completion Count
    BasicInformation success or wait 14
    BasicInformation success or wait 1
    BasicInformation success or wait 3
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    ProcessorInformation success or wait 4
    BasicInformation success or wait 2
    PerformanceInformation success or wait 1
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    2805440782 0 success or wait 28
    2805440782 0 success or wait 1
    2805722928 0 success or wait 1
    2805724195 0 success or wait 1
    2805725273 0 success or wait 1
    2805726221 0 success or wait 1
    2805852135 0 success or wait 1
    2805852914 0 success or wait 1
    2805853671 0 success or wait 1
    2805884687 0 success or wait 1
    2805890022 3579545 success or wait 1
    2805969981 0 success or wait 1
    2806077587 0 success or wait 1
    2806116604 0 success or wait 1
    2806125442 0 success or wait 1
    2806194289 0 success or wait 1
    2806195048 0 success or wait 1
    2806195781 0 success or wait 1
    2806196609 0 success or wait 1
    2806197372 0 success or wait 1
    2806277993 3579545 success or wait 1
    2806279296 3579545 success or wait 1
    2806292165 3579545 success or wait 1
    2806293904 3579545 success or wait 1
    2806333239 0 success or wait 1
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    129152831326413056 success or wait 1
    129152831326413056 success or wait 1
    129152831327514640 success or wait 1
    129152831328816512 success or wait 1
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    Chronological sections
    Operation Data Completion Time
    System info queried Type: BasicInformation success or wait 2805417853
    System info queried Type: BasicInformation success or wait 2805418264
    Section opened Access: query and map write and map read and map execute Baseaddress: 76D30000 Size: DC000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll success or wait 2805432121
    Performance counter queried Count: 2805440782 Frequency: 0 success or wait 2805440721
    Section opened Access: query and map read Baseaddress: 7F6F0000 Size: 100000 Mapped to pid: own pid Path: \Sessions\1\Windows\SharedSection success or wait 2805443731
    Section created Access: query and map write and map read and map execute and extend size Protection: read write Attributes: commit Path: not known Type: commit Baseaddress: not known Entrypoint: 82B91000 Mapped to pid: own pid Size: 10000 success or wait 2805445867
    Section opened Access: query and map write and map read and map execute Baseaddress: 76E10000 Size: 9D000 Mapped to pid: own pid Path: \KnownDlls\USER32.DLL success or wait 2805458374
    Section opened Access: query and map write and map read and map execute Baseaddress: 75AF0000 Size: 4B000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll success or wait 2805508727
    Section opened Access: query and map write and map read and map execute Baseaddress: 75C30000 Size: C6000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll success or wait 2805518505
    Section opened Access: query and map write and map read and map execute Baseaddress: 75990000 Size: C3000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll success or wait 2805525910
    Performance counter queried Count: 2805722928 Frequency: 0 success or wait 2805722830
    Performance counter queried Count: 2805724195 Frequency: 0 success or wait 2805724097
    Performance counter queried Count: 2805725273 Frequency: 0 success or wait 2805725190
    Performance counter queried Count: 2805726221 Frequency: 0 success or wait 2805726138
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2805731887
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Name: LeakTrack object name not found 2805734898
    Mutant created Name: \KnownDlls\ success or wait 2805736359
    Key opened Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2805739229
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress success or wait 2805741381
    Key opened Path: HKEY_LOCAL_MACHINE Access: maximum allowed success or wait 2805742139
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2805745349
    System info queried Type: BasicInformation success or wait 2805748158
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute success or wait 2805751305
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode object name not found 2805753489
    Section created Access: query and map write and map read and map execute Protection: readonly Attributes: image Path: C:\Windows\System32\imm32.dll Type: image Baseaddress: 76D10000 Entrypoint: 76D11378 Mapped to pid: own pid Size: 1E000 success or wait 2805758894
    Section created Access: query and map write and map read and map execute Protection: readonly Attributes: image Path: C:\Windows\System32\imm32.dll Type: image Baseaddress: 76D10000 Entrypoint: 76D11378 Mapped to pid: own pid Size: 1E000 success or wait 2805763698
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\Windows\System32\imm32.dll Type: image Baseaddress: 76D10000 Entrypoint: 76D11378 Mapped to pid: own pid Size: 1E000 success or wait 2805768111
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write object name not found 2805770221
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute success or wait 2805770710
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers Name: TransparentEnabled object name not found 2805771561
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute object name not found 2805774190
    Section opened Access: query and map write and map read and map execute Baseaddress: 76A50000 Size: C8000 Mapped to pid: own pid Path: \KnownDlls\MSCTF.dll success or wait 2805782668
    Section opened Access: query and map write and map read and map execute Baseaddress: 76EB0000 Size: AA000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll success or wait 2805785321
    Performance counter queried Count: 2805852135 Frequency: 0 success or wait 2805852072
    Performance counter queried Count: 2805852914 Frequency: 0 success or wait 2805852837
    Performance counter queried Count: 2805853671 Frequency: 0 success or wait 2805853594
    System info queried Type: BasicInformation success or wait 2805860501
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2805862896
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2805863984
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 2805864798
    Section opened Access: query and map write and map read and map execute Baseaddress: 771D0000 Size: 9000 Mapped to pid: own pid Path: \KnownDlls\LPK.DLL success or wait 2805868792
    Section opened Access: query and map write and map read and map execute Baseaddress: 77280000 Size: 7D000 Mapped to pid: own pid Path: \KnownDlls\USP10.dll success or wait 2805875332
    Performance counter queried Count: 2805884687 Frequency: 0 success or wait 2805884625
    Performance counter queried Count: 2805890022 Frequency: 3579545 success or wait 2805889943
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2805906746
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: LoadAppInit_DLLs success or wait 2805907386
    Section opened Access: query and map write and map read and map execute Baseaddress: 769F0000 Size: 59000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll success or wait 2805960554
    Performance counter queried Count: 2805969981 Frequency: 0 success or wait 2805969912
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2805989446
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 Access: maximum allowed success or wait 2805992039
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2805992846
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2805993350
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop\LanguageConfiguration Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2805994094
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806001429
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 Access: maximum allowed success or wait 2806003462
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806004135
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806004572
    Key value queried Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Name: PreferredUILanguages object name not found 2806005522
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806006396
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 Access: maximum allowed success or wait 2806013691
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806014379
    Key value queried Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Name: CachedMachinePreferredUILanguages object name not found 2806015337
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MUI\Settings Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806015801
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\Settings Name: PreferredUILanguages object name not found 2806016503
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806018543
    Key value queried Path: HKEY_LOCAL_MACHINE\COMPONENTS Name: PreferExternalManifest object name not found 2806019233
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute object name not found 2806024536
    Section created Access: query and map write and map read and map execute Protection: readonly Attributes: image Path: C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll Type: image Baseaddress: 744A0000 Entrypoint: 744D3681 Mapped to pid: own pid Size: 19E000 success or wait 2806031885
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll Type: image Baseaddress: 744A0000 Entrypoint: 744D3681 Mapped to pid: own pid Size: 19E000 success or wait 2806036084
    Performance counter queried Count: 2806077587 Frequency: 0 success or wait 2806077424
    Section created Access: map read Protection: readonly Attributes: commit Path: C:\Windows\WindowsShell.Manifest Type: commit Baseaddress: 003D0000 Entrypoint: 82B91000 Mapped to pid: own pid Size: 2ED success or wait 2806087694
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806089469
    Key value queried Path: HKEY_LOCAL_MACHINE\COMPONENTS Name: PreferExternalManifest object name not found 2806090635
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806099370
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806102560
    Key value queried Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Control Panel\Desktop Name: SmoothScroll object name not found 2806103265
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806106462
    Key value queried Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Name: EnableBalloonTips object name not found 2806107207
    Section opened Access: query and map write and map read and map execute Baseaddress: 75930000 Size: 29000 Mapped to pid: own pid Path: \KnownDlls\imagehlp.dll success or wait 2806109829
    Performance counter queried Count: 2806116604 Frequency: 0 success or wait 2806116533
    System info queried Type: BasicInformation success or wait 2806117326
    System info queried Type: ProcessorInformation success or wait 2806117733
    Section opened Access: query and map write and map read and map execute Baseaddress: 75740000 Size: 7000 Mapped to pid: own pid Path: \KnownDlls\PSAPI.DLL success or wait 2806120173
    Performance counter queried Count: 2806125442 Frequency: 0 success or wait 2806125364
    Section opened Access: query and map write and map read and map execute Baseaddress: 75B40000 Size: E6000 Mapped to pid: own pid Path: \KnownDlls\WININET.dll success or wait 2806126022
    Section opened Access: query and map write and map read and map execute Baseaddress: 771E0000 Size: 3000 Mapped to pid: own pid Path: \KnownDlls\Normaliz.dll success or wait 2806134936
    Section opened Access: query and map write and map read and map execute Baseaddress: 76F60000 Size: 132000 Mapped to pid: own pid Path: \KnownDlls\urlmon.dll success or wait 2806138467
    Section opened Access: query and map write and map read and map execute Baseaddress: 757E0000 Size: 145000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll success or wait 2806143075
    Section opened Access: query and map write and map read and map execute Baseaddress: 75A60000 Size: 8D000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll success or wait 2806158917
    Section opened Access: query and map write and map read and map execute Baseaddress: 76B20000 Size: 1E8000 Mapped to pid: own pid Path: \KnownDlls\iertutil.dll success or wait 2806178212
    Performance counter queried Count: 2806194289 Frequency: 0 success or wait 2806194207
    Performance counter queried Count: 2806195048 Frequency: 0 success or wait 2806194982
    Performance counter queried Count: 2806195781 Frequency: 0 success or wait 2806195701
    Performance counter queried Count: 2806196609 Frequency: 0 success or wait 2806196529
    Performance counter queried Count: 2806197372 Frequency: 0 success or wait 2806197307
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806199477
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: PageAllocatorUseSystemHeap object name not found 2806200293
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806201547
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: PageAllocatorSystemHeapIsPrivate object name not found 2806202161
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806203422
    System info queried Type: BasicInformation success or wait 2806204028
    System info queried Type: ProcessorInformation success or wait 2806204416
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806205252
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: CriticalSectionTimeout success or wait 2806207500
    System info queried Type: BasicInformation success or wait 2806212660
    System info queried Type: ProcessorInformation success or wait 2806213053
    System info queried Type: BasicInformation success or wait 2806213813
    System info queried Type: ProcessorInformation success or wait 2806214255
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806215093
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAll object name not found 2806215745
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableAllForOle32 object name not found 2806216121
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface Name: InterfaceHelperDisableTypeLib object name not found 2806216492
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00020400-0000-0000-C000-000000000046} Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806217217
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAll object name not found 2806217852
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046} Name: InterfaceHelperDisableAllForOle32 object name not found 2806218229
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute object name not found 2806223171
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra Access: query value and enumerate sub key and read or execute object name not found 2806223635
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT Access: query value and read or execute object name not found 2806224357
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806226731
    Key value queried Path: HKEY_LOCAL_MACHINE\COMPONENTS Name: PreferExternalManifest object name not found 2806227371
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute object name not found 2806233202
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000_Classes Access: maximum allowed success or wait 2806240489
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000_CLASSES\PROTOCOLS\Name-Space Handler\ Access: maximum allowed object name not found 2806244406
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed success or wait 2806244856
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000_Classes\PROTOCOLS\Name-Space Handler Access: maximum allowed object name not found 2806250451
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806253132
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale Name: en-US object name not found 2806253791
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806261527
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000 Access: maximum allowed success or wait 2806265878
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute success or wait 2806266541
    Key value queried Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Name: EnableUTF8 object name not found 2806267352
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute success or wait 2806268595
    Key value queried Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Name: MBCSServername object name not found 2806269255
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute success or wait 2806270446
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck object name not found 2806271053
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute success or wait 2806272847
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Name: Security_HKLM_only object name not found 2806273816
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806276263
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806276775
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806277243
    Performance counter queried Count: 2806277993 Frequency: 3579545 success or wait 2806277928
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: TDSS.new.b.exe object name not found 2806278359
    Performance counter queried Count: 2806279296 Frequency: 3579545 success or wait 2806279231
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN Name: * object name not found 2806279662
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ Access: query value and read or execute success or wait 2806280593
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Name: Security_HKLM_only object name not found 2806281487
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and read or execute success or wait 2806282821
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Name: Security_HKLM_only object name not found 2806283467
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute object name not found 2806284714
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute object name not found 2806285159
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute success or wait 2806285676
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl Access: query value and read or execute object name not found 2806286336
    Key opened Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 Access: query value and read or execute object name not found 2806286778
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806287712
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806288191
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806288625
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806289060
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806289496
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806289926
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806290463
    Key opened Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2806290939
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806291411
    Performance counter queried Count: 2806292165 Frequency: 3579545 success or wait 2806292100
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Name: TDSS.new.b.exe object name not found 2806292534
    Performance counter queried Count: 2806293904 Frequency: 3579545 success or wait 2806293356
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Name: * object name not found 2806294294
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2806300605
    Key value queried Path: HKEY_LOCAL_MACHINE\COMPONENTS Name: PreferExternalManifest object name not found 2806301237
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots Access: enumerate sub key and read or execute object name not found 2806306129
    Key created Path: HKEY_USERS\S-1-5-21-327642138-1895112337-2113120967-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access: query value and set value and create sub key and enumerate sub key and notify and read or execute and write and read control Options: non volatile success or wait 2806313214
    Section opened Access: query and map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINSPOOL.DRV object name not found 2806316792
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: C:\Windows\System32\winspool.drv Type: image Baseaddress: 6AE70000 Entrypoint: 6AE948E6 Mapped to pid: own pid Size: 42000 success or wait 2806319823
    Performance counter queried Count: 2806333239 Frequency: 0 success or wait 2806333174
    Key opened Path: HKEY_LOCAL_MACHINE\software\microsoft\cryptography Access: query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 2806337399
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: machineguid success or wait 2806338064
    File created Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normale success or wait 2806345741
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: query value and read or execute success or wait 2806358723
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: CopyFileBufferedSynchronousIo object name not found 2806359511
    File opened Path: globalrootC:\TDSS.new.b.exe Access: read attributes and synchronize and generic read Disposition: open Options: sequential only and non directory file Attributes: none success or wait 2806361200
    File opened Path: globalrootC:\TDSS.new.b.exe Access: read attributes and synchronize and generic read Disposition: open Options: sequential only and synchronous io non alert and non directory file Attributes: none success or wait 2806364005
    File overwritten Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp Access: read data or list directory and read attributes and delete and synchronize and generic write Disposition: overwrite if exists Options: sequential only and non directory file Attributes: archive success or wait 2806693555
    File opened Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp Access: read data or list directory and read attributes and delete and synchronize and generic write Disposition: open Options: sequential only and synchronous io non alert and non directory file Attributes: archive success or wait 2806697235
    File other operation Disposition: EndOfFileInformation Data: 00 4A 01 00 00 00 00 00 Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 2806710857
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: query value and read or execute success or wait 2806712334
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: CopyFileChunkSize object name not found 2806713533
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: CopyFileOverlappedCount object name not found 2806713925
    File write Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 2807280972
    File write Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 2807523270
    File other operation Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 55 6C 90 71 D0 D7 CA 01 00 00 00 00 00 00 00 00 Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 2807528108
    File opened Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Disposition: open Options: write through and synchronous io non alert and non directory file Attributes: none success or wait 2807532221
    Section created Access: query and map write and map read Protection: read write Attributes: commit Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp Type: commit Baseaddress: 008D0000 Entrypoint: 82B91000 Mapped to pid: own pid Size: 14A00 success or wait 2807533412
    File created Path: C:\Users\Sepp\AppData\Local\Temp\D0C8.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normale success or wait 2807665962
    File other operation Disposition: RenameInformation Data: 01 60 20 00 00 00 00 00 5A 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 53 00 65 00 70 00 70 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 44 00 30 00 43 00 38 00 2E 00 74 00 6D 00 70 00 65 00 00 00 Path: C:\Users\Sepp\AppData\Local\Temp\CF54.tmp success or wait 2807675553
    System info queried Type: BasicInformation success or wait 2807877828
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2807878804
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize object name not found 2807880508
    System time queried Time: 129152831326413056 success or wait 2807882756
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2807883777
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2807884686
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName success or wait 2807886349
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2807887645
    System info queried Type: PerformanceInformation success or wait 2807887998
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2807891124
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2807891572
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows Name: CEIPEnable object name not found 2807892360
    System time queried Time: 129152831326413056 success or wait 2807897701
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2807898515
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2807899218
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName success or wait 2807899839
    File opened Path: PIPE\lsarpc Access: read attributes and synchronize and generic read and generic write Disposition: open Options: non directory file Attributes: none success or wait 2807910845
    File other operation Disposition: PipeInformation Data: 01 00 00 00 00 00 00 00 Path: \Device\NamedPipe\lsass success or wait 2807912180
    File other operation Disposition: CompletionInformation Data: A4 00 00 00 00 00 FF FF Path: \Device\NamedPipe\lsass success or wait 2807912621
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2807913272
    File write Path: \Device\NamedPipe\lsass success or wait 2807914174
    System time queried Time: 129152831327514640 success or wait 2808274475
    System time queried Time: 129152831328816512 success or wait 2808739023
    File other operation Disposition: DispositionInformation Data: 01 Path: C:\Users\Sepp\AppData\Local\Temp\D0C8.tmp cannot delete 2808743470
    File created Path: C:\Users\Sepp\AppData\Local\Temp\D1F5.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normale success or wait 2808746064
    File other operation Disposition: RenameInformation Data: 01 72 20 00 00 00 00 00 5A 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 53 00 65 00 70 00 70 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 44 00 31 00 46 00 35 00 2E 00 74 00 6D 00 70 00 89 AB 01 00 Path: C:\TDSS.new.b.exe success or wait 2808751191
    Key other operation Operation: NULL Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: generic read and generic write Options: non volatile success or wait 2808766646
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations2 object name not found 2808769848
    Key other operation Operation: NULL Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: generic read and generic write Options: non volatile success or wait 2808789294
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations object name not found 2808789895
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: PendingFileRenameOperations Type: Other Data: 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 53 00 65 00 70 00 70 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 44 00 31 00 46 00 35 00 2E 00 74 00 6D 00 70 00 00 00 00 00 00 00 success or wait 2808809383
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline success or wait 2808813083
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 2808832709
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 2808833595
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline NOSTATUS 2808836548
    Analysis File: D21B.tmp PID: 4 Parent PID: -1 Run ID: 1
    Sections
    General
    Start time: 12:38:53
    Start date: 09/04/2010
    Path: C:\Windows\TEMP\D21B.tmp
    File size: 31744 bytes
    MD5 hash: D248B7F23C7D3D0186505AD66D8854F8
    File Activities:
    File opened
    File Path Access Options Completion Count
    File created
    File Path Access Attributes Options Completion Count
    \bxfcixum\dsqjwpst\tdl read data or list directory and write data or add file and synchronize none write through and synchronous io non alert success or wait 20
    \bxfcixum\dsqjwpst\tdl read data or list directory and write data or add file and synchronize none write through and synchronous io non alert success or wait 1
    \bxfcixum\dsqjwpst\rsrc.dat read data or list directory and write data or add file and synchronize none write through and synchronous io non alert success or wait 1
    File overwritten
    File Path Access Options Completion Count
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
    File Path Completion Count
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    not known success or wait 2
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    not known success or wait 1
    Other file operations
    File Path Disposition Data Completion Count
    C:\WINDOWS\AppPatch\drvmain.sdb open none success or wait 1
    C: open none success or wait 1
    physicaldrive0 open none success or wait 1
    C:\WINDOWS\system32\drivers\ndis.sys open none success or wait 1
    C: open none success or wait 1
    \bxfcixum\dsqjwpst\rsrc.dat open none object name not found 1
    C:\WINDOWS\system32\drivers\ndis.sys open none success or wait 1
    not known EndOfFileInformation 4F 00 00 00 00 00 00 00 success or wait 1
    Section Activities:
    Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    Section created
    File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
    C:\Windows\AppPatch\drvmain.sdb map read commit not known not known not known readonly own pid success or wait 3
    C:\Windows\AppPatch\drvmain.sdb map read commit not known not known not known readonly own pid success or wait 1
    C:\Windows\System32\drivers\ndis.sys map write and map read commit not known not known not known read write own pid success or wait 2
    Registry Activities:
    Key opened
    Key Path Access Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\software\microsoft\cryptography generic read success or wait 1
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\rassstp query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ndis query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NDIS query value and read or execute success or wait 1
    Key created
    Key Path Access Options Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner volatile success or wait 18
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner volatile success or wait 1
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
    Key Path Name Type Data Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XDPFBIBRIPQBLVC\0000\Control ActiveService String xdpfbibripqblvc success or wait 1
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
    Key Path Name Type Data Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Count Dword 1 success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum NextInstance Dword 1 success or wait 1
    Key value queried
    Key Path Name Completion Count
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Count object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc PnpFlags object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography machineguid success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasSstp imagepath success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasSstp start success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS imagepath success or wait 2
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS start success or wait 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    Process terminated
    PID Filename Cmdline Completion Count
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    System information queried
    System info class Completion Count
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    Chronological sections
    Operation Data Completion Time
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 2809231207
    Key other operation Operation: INVALID PTR Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner Options: volatile success or wait 2809233386
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Name: Count object name not found 2809235056
    Key other operation Operation: INVALID PTR Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XDPFBIBRIPQBLVC\0000\Control Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner Options: volatile success or wait 2809251763
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_XDPFBIBRIPQBLVC\0000\Control Name: ActiveService Type: String Data: xdpfbibripqblvc success or wait 2809252980
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Name: Count Type: Dword Data: 1 success or wait 2809253850
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc\Enum Name: NextInstance Type: Dword Data: 1 success or wait 2809254383
    Section created Access: map read Protection: readonly Attributes: commit Path: C:\Windows\AppPatch\drvmain.sdb Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 2809257291
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xdpfbibripqblvc Name: PnpFlags object name not found 2809261634
    Key opened Path: HKEY_LOCAL_MACHINE\software\microsoft\cryptography Access: generic read success or wait 2809273384
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: machineguid success or wait 2809275132
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\rassstp Access: query value and read or execute success or wait 2809464946
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasSstp Name: imagepath success or wait 2809466419
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RasSstp Name: start success or wait 2809468930
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ndis Access: query value and read or execute success or wait 2809535536
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS Name: imagepath success or wait 2809541395
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS Name: start success or wait 2809542822
    Section created Access: map write and map read Protection: read write Attributes: commit Path: C:\Windows\System32\drivers\ndis.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 2809551092
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\NDIS Access: query value and read or execute success or wait 2814023210
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NDIS Name: imagepath success or wait 2814025965
    Section created Access: map write and map read Protection: read write Attributes: commit Path: C:\Windows\System32\drivers\ndis.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 2815988426
    File write Path: not known success or wait 2816043738
    File write Path: not known success or wait 2816058861
    File write Path: not known success or wait 2816069491
    File write Path: not known success or wait 2816080242
    File write Path: not known success or wait 2816129330
    File write Path: not known success or wait 2816138618
    File write Path: not known success or wait 2816149490
    File write Path: not known success or wait 2816159933
    File other operation Disposition: EndOfFileInformation Data: 4F 00 00 00 00 00 00 00 Path: not known success or wait 2816170636
    File other operation Operation: null Path: \bxfcixum\dsqjwpst\tdl Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 2816207111
    File write Path: not known success or wait 2816517599
    File other operation Operation: null Path: \bxfcixum\dsqjwpst\rsrc.dat Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 2817344251
    File write Path: not known success or wait 2817387818
    Analysis File: TDSS.new.b.exe PID: 2180 Parent PID: 3892 Run ID: 2
    Sections
    General
    Start time: 12:40:35
    Start date: 09/04/2010
    Path: \Device\HarddiskVolume2\TDSS.new.b.exe
    File size: 84480 bytes
    MD5 hash: 707E2294ED5425B588D8844DF0AB38A4
    File Activities:
    File opened
    File Path Access Options Completion Count
    globalroot\Device\HarddiskVolume2\TDSS.new.b.exe read attributes and synchronize and generic read sequential only and non directory file success or wait 1
    globalroot\Device\HarddiskVolume2\TDSS.new.b.exe read attributes and synchronize and generic read sequential only and synchronous io non alert and non directory file success or wait 1
    C:\Users\John\AppData\Local\Temp\44A.tmp read data or list directory and read attributes and delete and synchronize and generic write sequential only and synchronous io non alert and non directory file success or wait 1
    C:\Users\John\AppData\Local\Temp\44A.tmp read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize write through and synchronous io non alert and non directory file success or wait 1
    File created
    File Path Access Attributes Options Completion Count
    C:\Users\John\AppData\Local\Temp\44A.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 25
    C:\Users\John\AppData\Local\Temp\44A.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 1
    C:\Users\John\AppData\Local\Temp\595.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 1
    C:\Users\John\AppData\Local\Temp\5F0.tmp read attributes and synchronize and generic read normale synchronous io non alert and non directory file success or wait 1
    File overwritten
    File Path Access Options Completion Count
    C:\Users\John\AppData\Local\Temp\44A.tmp read data or list directory and read attributes and delete and synchronize and generic write sequential only and non directory file success or wait 1
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
    File Path Completion Count
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 1
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 1
    Other file operations
    File Path Disposition Data Completion Count
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp EndOfFileInformation 00 4A 01 00 00 00 00 00 success or wait 1
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp BasicInformation 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 55 6C 90 71 D0 D7 CA 01 00 00 00 00 00 00 00 00 success or wait 1
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp RenameInformation 01 00 29 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 4A 00 6F 00 68 00 6E 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 35 00 39 00 35 00 2E 00 74 00 6D 00 70 00 00 00 00 00 success or wait 1
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\595.tmp DispositionInformation 01 cannot delete 1
    \Device\HarddiskVolume2\TDSS.new.b.exe RenameInformation 01 D3 2A 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 4A 00 6F 00 68 00 6E 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 35 00 46 00 30 00 2E 00 74 00 6D 00 70 00 6C 00 73 00 success or wait 1
    Section Activities:
    Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    \KnownDlls\kernel32.dll query and map write and map read and map execute 77890000 778E10C5 D4000 own pid success or wait 1
    \KnownDlls\KERNELBASE.dll query and map write and map read and map execute 75F00000 75F07A9D 4A000 own pid success or wait 1
    \Sessions\1\Windows\SharedSection query and map read 7F6F0000 484C 100000 own pid success or wait 1
    \KnownDlls\USER32.DLL query and map write and map read and map execute 77600000 7761F7C9 C9000 own pid success or wait 1
    \KnownDlls\GDI32.dll query and map write and map read and map execute 76430000 7643EC49 4E000 own pid success or wait 1
    \KnownDlls\LPK.dll query and map write and map read and map execute 77D30000 77D3136C A000 own pid success or wait 1
    \KnownDlls\USP10.dll query and map write and map read and map execute 77370000 773A47D7 9D000 own pid success or wait 1
    \KnownDlls\msvcrt.dll query and map write and map read and map execute 76070000 7607A472 AC000 own pid success or wait 1
    \KnownDlls\MSCTF.dll query and map write and map read and map execute 76320000 7632168B CC000 own pid success or wait 1
    \KnownDlls\SHLWAPI.dll query and map write and map read and map execute 76010000 7602A24A 57000 own pid success or wait 1
    \KnownDlls\imagehlp.dll query and map write and map read and map execute 77410000 774112FA 2A000 own pid success or wait 1
    \KnownDlls\PSAPI.DLL query and map write and map read and map execute 77D20000 77D21438 5000 own pid success or wait 1
    \KnownDlls\WININET.dll query and map write and map read and map execute 76580000 7658175B F4000 own pid success or wait 1
    \KnownDlls\ADVAPI32.dll query and map write and map read and map execute 772D0000 772F2DD9 A0000 own pid success or wait 1
    \KnownDlls\RPCRT4.dll query and map write and map read and map execute 764D0000 7650AFD4 A1000 own pid success or wait 1
    \KnownDlls\Normaliz.dll query and map write and map read and map execute 77D10000 77D10000 3000 own pid success or wait 1
    \KnownDlls\urlmon.dll query and map write and map read and map execute 776D0000 776D1AAC 135000 own pid success or wait 1
    \KnownDlls\ole32.dll query and map write and map read and map execute 774A0000 774F5D13 15C000 own pid success or wait 1
    \KnownDlls\OLEAUT32.dll query and map write and map read and map execute 77C80000 77C83FB1 8F000 own pid success or wait 1
    \KnownDlls\CRYPT32.dll query and map write and map read and map execute 75DE0000 75DE15AE 11C000 own pid success or wait 1
    \KnownDlls\MSASN1.dll query and map write and map read and map execute 75CF0000 75CF238D C000 own pid success or wait 1
    \KnownDlls\iertutil.dll query and map write and map read and map execute 76120000 7612224D 1F9000 own pid success or wait 1
    \KnownDlls\WINSPOOL.DRV query and map write and map read and map execute not known not known not known own pid object name not found 1
    Section created
    File Path Access Attributes Base Entrypoint Size Protection Mapped to pid Completion Count
    not known query and map write and map read and map execute and extend size commit not known 484C 10000 read write own pid success or wait 30
    not known query and map write and map read and map execute and extend size commit not known 484C 10000 read write own pid success or wait 1
    \Device\HarddiskVolume2\Windows\System32\imm32.dll map read commit 001D0000 484C 1CE00 readonly own pid success or wait 2
    \Device\HarddiskVolume2\Windows\System32\imm32.dll query and map write and map read and map execute image 77970000 77971355 1F000 execute own pid success or wait 1
    \Device\HarddiskVolume2\Windows\System32\sechost.dll query and map write and map read and map execute image 77D40000 77D44975 19000 execute own pid success or wait 1
    \Device\HarddiskVolume2\Windows\System32\winspool.drv query and map write and map read and map execute image 716B0000 716D9834 51000 execute own pid success or wait 1
    \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp query and map write and map read commit 00270000 484C 14A00 read write own pid success or wait 1
    Registry Activities:
    Key opened
    Key Path Access Completion Count
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option query value and set value and read or execute and write object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\DLL query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute success or wait 1
    HKEY_USERS\S-1-5-21-408408355-4048866324-3369073821-1002\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers query value and read or execute object name not found 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Versions query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager query value and read or execute success or wait 1
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ query value and enumerate sub key and notify and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE maximum allowed success or wait 1
    HKEY_LOCAL_MACHINE\software\microsoft\cryptography query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System query value and read or execute success or wait 2
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName query value and enumerate sub key and notify and read or execute and write and read control success or wait 1
    HKEY_LOCAL_MACHINE\System\Setup query value and enumerate sub key and notify and read or execute and write and read control success or wait 2
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control object name not found 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 1
    Key created
    Key Path Access Options Completion Count
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
    Key Path Name Type Data Completion Count
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
    Key Path Name Type Data Completion Count
    Key value queried
    Key Path Name Completion Count
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers TransparentEnabled object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions NULL success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager SafeDllSearchMode object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole PageAllocatorUseSystemHeap object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole PageAllocatorSystemHeapIsPrivate object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32 DebugHeapFlags object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings DisableImprovedZoneCheck object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Security_HKLM_only object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography machineguid success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System CopyFileBufferedSynchronousIo object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System CopyFileChunkSize object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System CopyFileOverlappedCount object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc MaxRpcSize object name not found 1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName ComputerName success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\Setup OOBEInProgress success or wait 1
    HKEY_LOCAL_MACHINE\SYSTEM\Setup SystemSetupInProgress success or wait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows CEIPEnable object name not found 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize DisableMetaFiles object name not found 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    \KnownDlls\ success or wait 1
    \KnownDlls\ success or wait 1
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    Process terminated
    PID Filename Cmdline Completion Count
    own pid own process file path own process cmdline success or wait 2
    own pid own process file path own process cmdline success or wait 1
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    0000006E BC 00 00 00 FC ED 12 00 40 EE 12 00 00 00 00 00 00 00 00 00 07 00 00 00 B8 D4 2A 00 5E 00 00 00 00 01 00 00 object name not found 1
    0000006E BC 00 00 00 FC ED 12 00 40 EE 12 00 00 00 00 00 00 00 00 00 07 00 00 00 B8 D4 2A 00 5E 00 00 00 01 01 00 00 success or wait 1
    System information queried
    System info class Completion Count
    BasicInformation success or wait 14
    BasicInformation success or wait 2
    BasicInformation success or wait 1
    NumaProcessorMap success or wait 1
    RangeStartInformation success or wait 1
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    ProcessorInformation success or wait 2
    BasicInformation success or wait 1
    BasicInformation success or wait 1
    0000007B success or wait 1
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    476494385 0 success or wait 27
    476494385 0 success or wait 1
    476498631 0 success or wait 1
    476555208 0 success or wait 1
    476580418 0 success or wait 1
    476603364 0 success or wait 1
    476622554 0 success or wait 1
    476639233 3579545 success or wait 1
    476692872 0 success or wait 1
    476722152 0 success or wait 1
    476790210 0 success or wait 1
    476799933 0 success or wait 1
    476805974 3579545 success or wait 1
    476847929 0 success or wait 1
    476848570 0 success or wait 1
    476849180 0 success or wait 1
    476864079 0 success or wait 1
    476864693 0 success or wait 1
    476865506 0 success or wait 1
    476866166 0 success or wait 1
    476866838 0 success or wait 1
    476868884 0 success or wait 1
    476881624 3579545 success or wait 1
    476915943 0 success or wait 1
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    129152832363152192 success or wait 1
    129152832363252336 success or wait 1
    129152832363252336 success or wait 1
    129152832363953344 success or wait 1
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    Chronological sections
    Operation Data Completion Time
    System info queried Type: BasicInformation success or wait 476430903
    System info queried Type: BasicInformation success or wait 476431117
    System info queried Type: NumaProcessorMap success or wait 476432140
    Section opened Access: query and map write and map read and map execute Baseaddress: 77890000 Size: D4000 Mapped to pid: own pid Path: \KnownDlls\kernel32.dll success or wait 476448185
    Section opened Access: query and map write and map read and map execute Baseaddress: 75F00000 Size: 4A000 Mapped to pid: own pid Path: \KnownDlls\KERNELBASE.dll success or wait 476473083
    Performance counter queried Count: 476494385 Frequency: 0 success or wait 476494362
    Performance counter queried Count: 476498631 Frequency: 0 success or wait 476498606
    System info queried Type: RangeStartInformation success or wait 476499286
    Section opened Access: query and map read Baseaddress: 7F6F0000 Size: 100000 Mapped to pid: own pid Path: \Sessions\1\Windows\SharedSection success or wait 476499861
    Section created Access: query and map write and map read and map execute and extend size Protection: read write Attributes: commit Path: not known Type: commit Baseaddress: not known Entrypoint: 484C Mapped to pid: own pid Size: 10000 success or wait 476501073
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option Access: query value and set value and read or execute and write object name not found 476509304
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\GP\DLL Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 476509719
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute success or wait 476509974
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers Name: TransparentEnabled object name not found 476510961
    Key opened Path: HKEY_USERS\S-1-5-21-408408355-4048866324-3369073821-1002\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Access: query value and read or execute object name not found 476513053
    Section opened Access: query and map write and map read and map execute Baseaddress: 77600000 Size: C9000 Mapped to pid: own pid Path: \KnownDlls\USER32.DLL success or wait 476514635
    Section opened Access: query and map write and map read and map execute Baseaddress: 76430000 Size: 4E000 Mapped to pid: own pid Path: \KnownDlls\GDI32.dll success or wait 476518186
    Section opened Access: query and map write and map read and map execute Baseaddress: 77D30000 Size: A000 Mapped to pid: own pid Path: \KnownDlls\LPK.dll success or wait 476521752
    Section opened Access: query and map write and map read and map execute Baseaddress: 77370000 Size: 9D000 Mapped to pid: own pid Path: \KnownDlls\USP10.dll success or wait 476525787
    Section opened Access: query and map write and map read and map execute Baseaddress: 76070000 Size: AC000 Mapped to pid: own pid Path: \KnownDlls\msvcrt.dll success or wait 476528044
    Performance counter queried Count: 476555208 Frequency: 0 success or wait 476555186
    Performance counter queried Count: 476580418 Frequency: 0 success or wait 476580395
    Performance counter queried Count: 476603364 Frequency: 0 success or wait 476603342
    Performance counter queried Count: 476622554 Frequency: 0 success or wait 476622502
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Versions Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 476626700
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions Name: NULL success or wait 476627762
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: query value and read or execute success or wait 476635166
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager Name: SafeDllSearchMode object name not found 476636921
    Performance counter queried Count: 476639233 Frequency: 3579545 success or wait 476639212
    System info queried Type: BasicInformation success or wait 476639952
    Section created Access: map read Protection: readonly Attributes: commit Path: \Device\HarddiskVolume2\Windows\System32\imm32.dll Type: commit Baseaddress: 001D0000 Entrypoint: 484C Mapped to pid: own pid Size: 1CE00 success or wait 476642421
    Section created Access: map read Protection: readonly Attributes: commit Path: \Device\HarddiskVolume2\Windows\System32\imm32.dll Type: commit Baseaddress: 001D0000 Entrypoint: 484C Mapped to pid: own pid Size: 1CE00 success or wait 476646046
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: \Device\HarddiskVolume2\Windows\System32\imm32.dll Type: image Baseaddress: 77970000 Entrypoint: 77971355 Mapped to pid: own pid Size: 1F000 success or wait 476648967
    Section opened Access: query and map write and map read and map execute Baseaddress: 76320000 Size: CC000 Mapped to pid: own pid Path: \KnownDlls\MSCTF.dll success or wait 476651514
    Performance counter queried Count: 476692872 Frequency: 0 success or wait 476692848
    Performance counter queried Count: 476722152 Frequency: 0 success or wait 476722129
    System info queried Type: BasicInformation success or wait 476723695
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Error Message Instrument\ Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 476724248
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 476724916
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 476725567
    Key opened Path: HKEY_LOCAL_MACHINE Access: maximum allowed success or wait 476734651
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Name: LoadAppInit_DLLs success or wait 476735369
    Section opened Access: query and map write and map read and map execute Baseaddress: 76010000 Size: 57000 Mapped to pid: own pid Path: \KnownDlls\SHLWAPI.dll success or wait 476785389
    Performance counter queried Count: 476790210 Frequency: 0 success or wait 476790188
    Section opened Access: query and map write and map read and map execute Baseaddress: 77410000 Size: 2A000 Mapped to pid: own pid Path: \KnownDlls\imagehlp.dll success or wait 476791410
    Performance counter queried Count: 476799933 Frequency: 0 success or wait 476799910
    System info queried Type: BasicInformation success or wait 476800447
    System info queried Type: ProcessorInformation success or wait 476800663
    Section opened Access: query and map write and map read and map execute Baseaddress: 77D20000 Size: 5000 Mapped to pid: own pid Path: \KnownDlls\PSAPI.DLL success or wait 476801839
    Performance counter queried Count: 476805974 Frequency: 3579545 success or wait 476805951
    Section opened Access: query and map write and map read and map execute Baseaddress: 76580000 Size: F4000 Mapped to pid: own pid Path: \KnownDlls\WININET.dll success or wait 476806465
    Section opened Access: query and map write and map read and map execute Baseaddress: 772D0000 Size: A0000 Mapped to pid: own pid Path: \KnownDlls\ADVAPI32.dll success or wait 476809452
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: \Device\HarddiskVolume2\Windows\System32\sechost.dll Type: image Baseaddress: 77D40000 Entrypoint: 77D44975 Mapped to pid: own pid Size: 19000 success or wait 476813409
    Section opened Access: query and map write and map read and map execute Baseaddress: 764D0000 Size: A1000 Mapped to pid: own pid Path: \KnownDlls\RPCRT4.dll success or wait 476817733
    Section opened Access: query and map write and map read and map execute Baseaddress: 77D10000 Size: 3000 Mapped to pid: own pid Path: \KnownDlls\Normaliz.dll success or wait 476822598
    Section opened Access: query and map write and map read and map execute Baseaddress: 776D0000 Size: 135000 Mapped to pid: own pid Path: \KnownDlls\urlmon.dll success or wait 476823900
    Section opened Access: query and map write and map read and map execute Baseaddress: 774A0000 Size: 15C000 Mapped to pid: own pid Path: \KnownDlls\ole32.dll success or wait 476825824
    Section opened Access: query and map write and map read and map execute Baseaddress: 77C80000 Size: 8F000 Mapped to pid: own pid Path: \KnownDlls\OLEAUT32.dll success or wait 476829102
    Section opened Access: query and map write and map read and map execute Baseaddress: 75DE0000 Size: 11C000 Mapped to pid: own pid Path: \KnownDlls\CRYPT32.dll success or wait 476831719
    Section opened Access: query and map write and map read and map execute Baseaddress: 75CF0000 Size: C000 Mapped to pid: own pid Path: \KnownDlls\MSASN1.dll success or wait 476834525
    Section opened Access: query and map write and map read and map execute Baseaddress: 76120000 Size: 1F9000 Mapped to pid: own pid Path: \KnownDlls\iertutil.dll success or wait 476837486
    Performance counter queried Count: 476847929 Frequency: 0 success or wait 476847905
    Performance counter queried Count: 476848570 Frequency: 0 success or wait 476848547
    Performance counter queried Count: 476849180 Frequency: 0 success or wait 476849158
    Performance counter queried Count: 476864079 Frequency: 0 success or wait 476864056
    Performance counter queried Count: 476864693 Frequency: 0 success or wait 476864671
    Performance counter queried Count: 476865506 Frequency: 0 success or wait 476865484
    Performance counter queried Count: 476866166 Frequency: 0 success or wait 476866144
    Performance counter queried Count: 476866838 Frequency: 0 success or wait 476866817
    Performance counter queried Count: 476868884 Frequency: 0 success or wait 476868861
    Mutant created Name: \KnownDlls\ success or wait 476870026
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: PageAllocatorUseSystemHeap object name not found 476872755
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole Name: PageAllocatorSystemHeapIsPrivate object name not found 476873960
    System info queried Type: BasicInformation success or wait 476874859
    System info queried Type: ProcessorInformation success or wait 476875109
    Performance counter queried Count: 476881624 Frequency: 3579545 success or wait 476881602
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32 Name: DebugHeapFlags object name not found 476883265
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Name: DisableImprovedZoneCheck object name not found 476888742
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Name: Security_HKLM_only object name not found 476890467
    Section opened Access: query and map write and map read and map execute Baseaddress: not known Size: not known Mapped to pid: own pid Path: \KnownDlls\WINSPOOL.DRV object name not found 476904413
    Section created Access: query and map write and map read and map execute Protection: execute Attributes: image Path: \Device\HarddiskVolume2\Windows\System32\winspool.drv Type: image Baseaddress: 716B0000 Entrypoint: 716D9834 Mapped to pid: own pid Size: 51000 success or wait 476908499
    Performance counter queried Count: 476915943 Frequency: 0 success or wait 476915920
    Key opened Path: HKEY_LOCAL_MACHINE\software\microsoft\cryptography Access: query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 476921319
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: machineguid success or wait 476922096
File created Path: C:\Users\John\AppData\Local\Temp\44A.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normal success or wait 476955762
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: query value and read or execute success or wait 477017653
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: CopyFileBufferedSynchronousIo object name not found 477018260
    File opened Path: globalroot\Device\HarddiskVolume2\TDSS.new.b.exe Access: read attributes and synchronize and generic read Disposition: open Options: sequential only and non directory file Attributes: none success or wait 477019218
    File opened Path: globalroot\Device\HarddiskVolume2\TDSS.new.b.exe Access: read attributes and synchronize and generic read Disposition: open Options: sequential only and synchronous io non alert and non directory file Attributes: none success or wait 477020622
    File overwritten Path: C:\Users\John\AppData\Local\Temp\44A.tmp Access: read data or list directory and read attributes and delete and synchronize and generic write Disposition: overwrite if exists Options: sequential only and non directory file Attributes: archive success or wait 477306907
    File opened Path: C:\Users\John\AppData\Local\Temp\44A.tmp Access: read data or list directory and read attributes and delete and synchronize and generic write Disposition: open if exists Options: sequential only and synchronous io non alert and non directory file Attributes: archive success or wait 477310920
    File other operation Disposition: EndOfFileInformation Data: 00 4A 01 00 00 00 00 00 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 477325085
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System Access: query value and read or execute success or wait 477326686
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: CopyFileChunkSize object name not found 477327177
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System Name: CopyFileOverlappedCount object name not found 477327387
    File write Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 477887297
    File write Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 478133005
    File other operation Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 55 6C 90 71 D0 D7 CA 01 00 00 00 00 00 00 00 00 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 478134304
    File opened Path: C:\Users\John\AppData\Local\Temp\44A.tmp Access: read data or list directory and write data or add file and append data or add subdirectory or create pipe instance and read ea and write ea and execute or traverse and delete child and read attributes and write attributes and delete and read control and write dac and write owner and synchronize Disposition: open Options: write through and synchronous io non alert and non directory file Attributes: none success or wait 478136737
    Section created Access: query and map write and map read Protection: read write Attributes: commit Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp Type: commit Baseaddress: 00270000 Entrypoint: 484C Mapped to pid: own pid Size: 14A00 success or wait 478137507
File created Path: C:\Users\John\AppData\Local\Temp\595.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normal success or wait 478141582
    File other operation Disposition: RenameInformation Data: 01 00 29 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 4A 00 6F 00 68 00 6E 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 35 00 39 00 35 00 2E 00 74 00 6D 00 70 00 00 00 00 00 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 478151249
    System info queried Type: BasicInformation success or wait 478203482
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc Name: MaxRpcSize object name not found 478204370
    System time queried Time: 129152832363152192 success or wait 478206103
    Key opened Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 478206916
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName Name: ComputerName success or wait 478207787
    Key opened Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 478208667
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: OOBEInProgress success or wait 478209672
    Key opened Path: HKEY_LOCAL_MACHINE\System\Setup Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 478210412
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\Setup Name: SystemSetupInProgress success or wait 478210816
    System info queried Type: 0000007B success or wait 478211922
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows Access: query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control object name not found 478212816
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows Access: query value and enumerate sub key and notify and wow64 64key and wow64 resource and read or execute and write and read control success or wait 478213087
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows Name: CEIPEnable object name not found 478213662
    System time queried Time: 129152832363252336 success or wait 478217033
    System time queried Time: 129152832363252336 success or wait 478228267
    System time queried Time: 129152832363953344 success or wait 478462445
    File other operation Disposition: DispositionInformation Data: 01 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\595.tmp cannot delete 478464430
File created Path: C:\Users\John\AppData\Local\Temp\5F0.tmp Access: read attributes and synchronize and generic read Disposition: create Options: synchronous io non alert and non directory file Attributes: normal success or wait 478465844
    File other operation Disposition: RenameInformation Data: 01 D3 2A 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 4A 00 6F 00 68 00 6E 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 35 00 46 00 30 00 2E 00 74 00 6D 00 70 00 6C 00 73 00 Path: \Device\HarddiskVolume2\TDSS.new.b.exe success or wait 478468980
    Key other operation Operation: NULL Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: generic read and generic write Options: non volatile success or wait 478535236
    System info set Type: 0000006E Data: BC 00 00 00 FC ED 12 00 40 EE 12 00 00 00 00 00 00 00 00 00 07 00 00 00 B8 D4 2A 00 5E 00 00 00 00 01 00 00 object name not found 478535831
    Key other operation Operation: NULL Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager Access: generic read and generic write Options: non volatile success or wait 478536492
    System info set Type: 0000006E Data: BC 00 00 00 FC ED 12 00 40 EE 12 00 00 00 00 00 00 00 00 00 07 00 00 00 B8 D4 2A 00 5E 00 00 00 01 01 00 00 success or wait 478536938
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline success or wait 478541416
    Key opened Path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Access: query value and enumerate sub key and notify and read or execute and write and read control success or wait 478549741
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize Name: DisableMetaFiles object name not found 478550347
    Process terminated Path: own process file path PID: own pid Cmdline: own process cmdline NOSTATUS 478551475
    Analysis File: 5EE.tmp PID: 4 Parent PID: -1 Run ID: 2
    Sections
    General
    Start time: 12:40:36
    Start date: 09/04/2010
    Path: C:\Windows\TEMP\5EE.tmp
    File size: 31744 bytes
    MD5 hash: D248B7F23C7D3D0186505AD66D8854F8
    File Activities:
    File opened
    File Path Access Options Completion Count
    File created
File Path | Access | Attributes | Options | Completion | Count
\petdpuqn\wdspkqot\tdl | read data or list directory and write data or add file and synchronize | none | write through and synchronous io non alert | success or wait | 20
\petdpuqn\wdspkqot\tdl | read data or list directory and write data or add file and synchronize | none | write through and synchronous io non alert | success or wait | 1
\petdpuqn\wdspkqot\rsrc.dat | read data or list directory and write data or add file and synchronize | none | write through and synchronous io non alert | success or wait | 1
    File overwritten
    File Path Access Options Completion Count
    File deleted
    File Path Completion Count
    File renamed
    Old File Path New File Path Completion Count
    File written
File Path | Completion | Count
not known | success or wait | 1
not known | success or wait | 1
not known | success or wait | 1
not known | success or wait | 2
not known | success or wait | 1
not known | success or wait | 1
not known | success or wait | 1
not known | success or wait | 1
not known | success or wait | 1
    Other file operations
File Path | Disposition | Data | Completion | Count
C:\WINDOWS\AppPatch\drvmain.sdb | open | none | success or wait | 1
C: | open | none | success or wait | 1
physicaldrive0 | open | none | success or wait | 1
C:\WINDOWS\system32\drivers\volmgrx.sys | open | none | success or wait | 1
C: | open | none | success or wait | 1
\petdpuqn\wdspkqot\rsrc.dat | open | none | object name not found | 1
C:\WINDOWS\system32\drivers\volmgrx.sys | open | none | success or wait | 1
not known | EndOfFileInformation | 4F 00 00 00 00 00 00 00 | success or wait | 1
    Section Activities:
    Section opened
    File Path Access Base Entrypoint Size Mapped to pid Completion Count
    Section created
File Path | Access | Attributes | Base | Entrypoint | Size | Protection | Mapped to pid | Completion | Count
\Device\HarddiskVolume2\Windows\AppPatch\drvmain.sdb | map read | commit | not known | not known | not known | readonly | own pid | success or wait | 3
\Device\HarddiskVolume2\Windows\AppPatch\drvmain.sdb | map read | commit | not known | not known | not known | readonly | own pid | success or wait | 1
\Device\HarddiskVolume2\Windows\System32\drivers\volmgrx.sys | map write and map read | commit | not known | not known | not known | read write | own pid | success or wait | 2
    Registry Activities:
    Key opened
Key Path | Access | Completion | Count
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum | query value and enumerate sub key and notify and read or execute and write and read control | object name not found | 1
HKEY_LOCAL_MACHINE\software\microsoft\cryptography | generic read | success or wait | 1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spldr | query value and read or execute | success or wait | 1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VIDEOPRT | query value and read or execute | object name not found | 1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\umbus | query value and read or execute | success or wait | 1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\crashdmp | query value and read or execute | object name not found | 1
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\volmgrx | query value and read or execute | success or wait | 2
    Key created
Key Path | Access | Options | Completion | Count
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum | query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner | volatile | success or wait | 23
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum | query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner | volatile | success or wait | 1
    Key deleted
    Key Path Completion Count
    Key value deleted
    Key Path Key Value Name Completion Count
    Key value set
Key Path | Name | Type | Data | Completion | Count
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UYBPXMKRIECBBDT\0000\Control | ActiveService | String | uybpxmkriecbbdt | success or wait | 1
    Key value replaced with new
    Key Path Name Type Old Data New Data Completion Count
    Key value replaced with same
Key Path | Name | Type | Data | Completion | Count
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum | Count | Dword | 1 | success or wait | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum | NextInstance | Dword | 1 | success or wait | 1
    Key value queried
Key Path | Name | Completion | Count
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum | Count | object name not found | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt | ImagePath | success or wait | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt | PnpFlags | object name not found | 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | machineguid | success or wait | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\spldr | imagepath | object name not found | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\umbus | imagepath | success or wait | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\umbus | start | success or wait | 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx | imagepath | success or wait | 2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx | start | success or wait | 1
    Mutant Activities:
    Mutant opened
    Name Completion Count
    Mutant created
    Name Completion Count
    Mutant released
    Name Completion Count
    Process Activities:
    Process started
    PID Access Flags System Completion Count
    Process opened
    PID Access Filename Cmdline Completion Count
    Process suspended
    PID Filename Cmdline Completion Count
    Process terminated
    PID Filename Cmdline Completion Count
    Thread Activities:
    Thread opened
    TID PID Access Completion Count
    Thread created
    TID PID Process Path Cmdline Access Completion Count
    Thread queued
    TID PID Completion Count
    Thread set
    TID PID Completion Count
    Thread delayed
    TID Delay Completion Count
    Thread terminated
    TID PID Completion Count
    Memory Activities:
    Memory read
    PID Filename Cmdline Base Completion Count
    Memory written
    PID Filename Cmdline Base Completion Count
    Driver Activities:
    Driver loaded
    Service name path Completion Count
    Driver unloaded
    Service name path Completion Count
    System Activities:
    System information set
    System info class Data Completion Count
    System information queried
    System info class Completion Count
    Time Activities:
    Performance counter queried
    Count Frequency Completion Count
    System resolution queried
    Minimum resolution Maximum resolution Current resolution Completion Count
    System time queried
    Time Completion Count
    User Activities:
    Window created
    Window name Class name Completion Count
    Window found
    Window name Class name Completion Count
    Window hook set
    Module Thread id Hook code Completion Count
    Key async got
    Virtual key code Key state Count
    Keyboard state got
    Completion Count
    Key state got
    Virtual key code State Count
    Debug Activities:
    System debug info set
    Debug info class Input data Output data Completion Count
    Exception Activities:
    Exception raised
    Exception code Address Completion Count
    Chronological sections
    Operation Data Completion Time
    Key opened Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum Access: query value and enumerate sub key and notify and read or execute and write and read control object name not found 478955242
    Key other operation Operation: INVALID PTR Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner Options: volatile success or wait 478956242
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum Name: Count object name not found 478958230
    Key other operation Operation: INVALID PTR Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UYBPXMKRIECBBDT\0000\Control Access: query value and set value and create sub key and enumerate sub key and notify and create link and read or execute and write and delete and read control and write dac and write owner Options: volatile success or wait 478972213
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UYBPXMKRIECBBDT\0000\Control Name: ActiveService Type: String Data: uybpxmkriecbbdt success or wait 478973320
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum Name: Count Type: Dword Data: 1 success or wait 478973893
    Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt\Enum Name: NextInstance Type: Dword Data: 1 success or wait 478974258
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt Name: ImagePath success or wait 478974746
    Section created Access: map read Protection: readonly Attributes: commit Path: \Device\HarddiskVolume2\Windows\AppPatch\drvmain.sdb Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 478976786
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\uybpxmkriecbbdt Name: PnpFlags object name not found 478980340
    Key opened Path: HKEY_LOCAL_MACHINE\software\microsoft\cryptography Access: generic read success or wait 478998771
    Key value queried Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography Name: machineguid success or wait 479000315
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\spldr Access: query value and read or execute success or wait 479186092
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\spldr Name: imagepath object name not found 479187761
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\VIDEOPRT Access: query value and read or execute object name not found 479368200
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\umbus Access: query value and read or execute success or wait 479544059
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\umbus Name: imagepath success or wait 479546442
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\umbus Name: start success or wait 479549510
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\crashdmp Access: query value and read or execute object name not found 479679675
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\volmgrx Access: query value and read or execute success or wait 479708620
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx Name: imagepath success or wait 479710018
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx Name: start success or wait 479711265
    Section created Access: map write and map read Protection: read write Attributes: commit Path: \Device\HarddiskVolume2\Windows\System32\drivers\volmgrx.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 479741317
    Key opened Path: HKEY_LOCAL_MACHINE\system\currentcontrolset\services\volmgrx Access: query value and read or execute success or wait 481219815
    Key value queried Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx Name: imagepath success or wait 481221648
    Section created Access: map write and map read Protection: read write Attributes: commit Path: \Device\HarddiskVolume2\Windows\System32\drivers\volmgrx.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 482240830
    File write Path: not known success or wait 482342761
    File write Path: not known success or wait 482365114
    File write Path: not known success or wait 482376010
    File write Path: not known success or wait 482386826
    File write Path: not known success or wait 482437848
    File write Path: not known success or wait 482446290
    File write Path: not known success or wait 482456822
    File write Path: not known success or wait 482467754
    File other operation Disposition: EndOfFileInformation Data: 4F 00 00 00 00 00 00 00 Path: not known success or wait 482478174
    File other operation Operation: null Path: \petdpuqn\wdspkqot\tdl Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 482510306
    File write Path: not known success or wait 482887365
    File other operation Operation: null Path: \petdpuqn\wdspkqot\rsrc.dat Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 483692899
    File write Path: not known success or wait 483740907
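The hex blobs in the chronological lines of both runs (RenameInformation, EndOfFileInformation, BasicInformation, and the raw FILETIME values) are opaque as printed, yet they carry the most useful facts in the report. The Python below is an added example, not part of the Joebox report or its tooling: it parses lines in the report's "Operation Data Completion Time" layout, decodes the NT file-information structures behind those blobs, and flags the behaviours a triage analyst would pull out. The sample lines are copied from the report above; the field list, the 32-bit structure layout (the 0x7xxxxxxx DLL bases show an x86 process) and the indicator rules are the example's own assumptions. Decoded, the report says that 44A.tmp is set to 0x14A00 = 84480 bytes (the size of the section later mapped from it), its LastWriteTime is stamped to 10:35:59 UTC (12:35:59 local, the sandbox start time, consistent with a CopyFile of the original binary carrying the source's timestamps), it is renamed to 595.tmp, and TDSS.new.b.exe itself is renamed to 5F0.tmp in the same Temp directory; in the PID 4 run the ActiveService entry under Enum\Root\LEGACY_UYBPXMKRIECBBDT registers the driver service, volmgrx.sys is mapped with write access, and the write-through files land under \petdpuqn\wdspkqot, a root that belongs to no volume or device object.

```python
"""Decode the hex blobs in a Joebox 'Chronological sections' log and list the
indicators worth a second look. Added example, not part of the report."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: lines copied from the report (user-mode run, then the PID 4
# driver run), one per indicator the parser handles.
SAMPLE_LOG = r"""
System time queried Time: 129152832363152192 success or wait 478206103
File other operation Disposition: EndOfFileInformation Data: 00 4A 01 00 00 00 00 00 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 477325085
File other operation Disposition: BasicInformation Data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F4 0A 8E 71 D0 D7 CA 01 55 6C 90 71 D0 D7 CA 01 00 00 00 00 00 00 00 00 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 478134304
File other operation Disposition: RenameInformation Data: 01 00 29 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 4A 00 6F 00 68 00 6E 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 35 00 39 00 35 00 2E 00 74 00 6D 00 70 00 00 00 00 00 Path: \Device\HarddiskVolume2\Users\John\AppData\Local\Temp\44A.tmp success or wait 478151249
File other operation Disposition: RenameInformation Data: 01 D3 2A 00 00 00 00 00 58 00 00 00 5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 73 00 65 00 72 00 73 00 5C 00 4A 00 6F 00 68 00 6E 00 5C 00 41 00 70 00 70 00 44 00 61 00 74 00 61 00 5C 00 4C 00 6F 00 63 00 61 00 6C 00 5C 00 54 00 65 00 6D 00 70 00 5C 00 35 00 46 00 30 00 2E 00 74 00 6D 00 70 00 6C 00 73 00 Path: \Device\HarddiskVolume2\TDSS.new.b.exe success or wait 478468980
Key value set Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_UYBPXMKRIECBBDT\0000\Control Name: ActiveService Type: String Data: uybpxmkriecbbdt success or wait 478973320
Section created Access: map write and map read Protection: read write Attributes: commit Path: \Device\HarddiskVolume2\Windows\System32\drivers\volmgrx.sys Type: commit Baseaddress: not known Entrypoint: not known Mapped to pid: own pid Size: not known success or wait 479741317
File other operation Operation: null Path: \petdpuqn\wdspkqot\tdl Access: read data or list directory and write data or add file and synchronize Disposition: overwrite if exists Options: write through and synchronous io non alert Attributes: none success or wait 482510306
"""

# Field names used by the report's "Key: value" layout (assumed list, extend as needed).
FIELDS = ("Path", "Name", "Type", "Data", "Disposition", "Operation", "Access", "Options",
          "Attributes", "Protection", "Baseaddress", "Entrypoint", "Size", "Mapped to pid", "Time")
_F = "|".join(FIELDS)
FIELD_RE = re.compile(rf"({_F}): (.*?)(?= (?:{_F}): |$)")
STATUS_RE = re.compile(r" (success or wait|object name not found|cannot delete|NOSTATUS) (\d+)$")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def hexblob(text: str) -> bytes:
    return bytes.fromhex(text.replace(" ", ""))


def decode_rename_info(blob: bytes):
    """FILE_RENAME_INFORMATION, 32-bit layout (assumption: x86 sample):
    BOOLEAN ReplaceIfExists @0, HANDLE RootDirectory @4, ULONG FileNameLength @8,
    WCHAR FileName[] @12. Bytes past FileNameLength are slack and are ignored."""
    root_dir, name_len = struct.unpack_from("<II", blob, 4)
    return bool(blob[0]), root_dir, blob[12:12 + name_len].decode("utf-16-le")


def decode_end_of_file(blob: bytes) -> int:
    """FILE_END_OF_FILE_INFORMATION: a single LARGE_INTEGER, the new file size."""
    return struct.unpack_from("<q", blob, 0)[0]


def decode_basic_info(blob: bytes) -> dict:
    """FILE_BASIC_INFORMATION: four LARGE_INTEGER timestamps then ULONG attributes.
    A zero timestamp means 'leave unchanged', so it decodes to None."""
    created, accessed, written, changed, attrs = struct.unpack_from("<qqqqI", blob, 0)
    ts = lambda v: filetime_to_datetime(v) if v else None
    return {"CreationTime": ts(created), "LastAccessTime": ts(accessed),
            "LastWriteTime": ts(written), "ChangeTime": ts(changed), "FileAttributes": attrs}


def parse_line(line: str):
    """Split one 'Operation Data Completion Time' line into op, fields, status and time."""
    line = line.strip()
    m = STATUS_RE.search(line)
    if not m:
        return None
    body = line[:m.start()]
    first = FIELD_RE.search(body)
    rec = {"op": (body[:first.start()] if first else body).strip(),
           "status": m.group(1), "time": int(m.group(2))}
    rec.update(FIELD_RE.findall(body))
    return rec


def triage(lines):
    """Return (indicator, path, detail) tuples for the behaviours worth a second look."""
    out = []
    for rec in filter(None, map(parse_line, lines)):
        op, path, data = rec["op"], rec.get("Path", ""), rec.get("Data", "")
        disp = rec.get("Disposition")
        if op == "System time queried":
            out.append(("system_time", "", filetime_to_datetime(int(rec["Time"])).isoformat()))
        elif disp == "RenameInformation":
            out.append(("rename", path, decode_rename_info(hexblob(data))[2]))
        elif disp == "EndOfFileInformation":
            out.append(("set_size", path, decode_end_of_file(hexblob(data))))
        elif disp == "BasicInformation":
            lw = decode_basic_info(hexblob(data))["LastWriteTime"]
            out.append(("timestamps", path, lw.isoformat() if lw else None))
        elif op == "Key value set" and "\\Enum\\Root\\LEGACY_" in path:
            out.append(("legacy_service", path, data))  # driver service registered from PID 4
        elif op == "Section created" and path.lower().endswith(".sys") and "write" in rec.get("Access", ""):
            out.append(("driver_mapped_writable", path, rec["Access"]))
        elif op.startswith("File") and re.match(r"\\(?!Device\\|\?\?\\|KnownDlls\\)", path):
            out.append(("non_device_path", path, disp or ""))  # rooted outside any volume or device
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG.splitlines()):
        print(*item, sep="\t")
```

The `non_device_path` rule is a heuristic: it fires on any file operation whose path starts at a backslash but not under `\Device`, `\??` or `\KnownDlls`, which is what the `\petdpuqn\wdspkqot\tdl` and `rsrc.dat` writes from PID 4 look like. Paths the sandbox could not resolve are reported as `not known` and pass through the other rules unchanged.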
    Network Data
    All TCP, UDP, ICMP
    Timestamp Source Port Dest Port Source IP Dest IP Protocol
    Apr 9, 2010 12:36:53.697991000 138 138 192.168.111.6 192.168.111.255 udp
    Apr 9, 2010 12:36:59.714144000 138 138 192.168.111.6 192.168.111.255 udp
    Apr 9, 2010 12:37:14.689887000 138 138 192.168.111.6 192.168.111.255 udp
    Apr 9, 2010 12:37:14.692489000 138 138 192.168.111.6 192.168.111.255 udp
    Apr 9, 2010 12:37:14.698194000 137 137 192.168.111.6 192.168.111.7 udp
    Apr 9, 2010 12:37:14.702607000 192.168.111.7 192.168.111.6 icmp
    Apr 9, 2010 12:37:14.702821000 192.168.111.6 192.168.111.7 icmp
    Apr 9, 2010 12:37:14.705092000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.705531000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.705895000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.706113000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.707280000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.708097000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.711155000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.711595000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.712490000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.713248000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.713843000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.714166000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.715047000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.716009000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.717462000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:14.717924000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:14.918475000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:27.046445000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:27.046770000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:27.076247000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:27.076521000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:27.077570000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:37:27.077749000 139 59683 192.168.111.6 192.168.111.7 tcp
    Apr 9, 2010 12:37:27.077921000 59683 139 192.168.111.7 192.168.111.6 tcp
    Apr 9, 2010 12:38:44.873607000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:45.873345000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:46.839996000 55232 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:46.874101000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:46.922239000 53399 3702 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:46.937988000 55232 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:47.141285000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:47.198967000 51094 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:47.293397000 64902 53 192.168.111.7 192.168.111.1 udp
    Apr 9, 2010 12:38:47.299534000 51094 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:47.301967000 53399 3702 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:47.318560000 123 123 192.168.111.7 207.46.232.182 udp
    Apr 9, 2010 12:38:47.563000000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:47.595791000 53399 3702 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:47.670395000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:47.675757000 53399 3702 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:47.698599000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:47.876844000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:47.885298000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:48.406861000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:48.626643000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:48.636695000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:49.377176000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:50.129169000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:50.880401000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:51.500987000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:51.590787000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:51.631052000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:51.664494000 123 123 192.168.111.7 207.46.232.182 udp
    Apr 9, 2010 12:38:51.833584000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:51.953814000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:52.037426000 51902 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:52.136777000 51902 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:52.334749000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:52.382063000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:52.737845000 50164 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:52.838833000 50164 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:53.083414000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:53.133302000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:53.834521000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:53.885987000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:53.886118000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:53.886344000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:53.888594000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:55.263359000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:55.343776000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:55.429135000 53399 3702 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:55.451130000 61544 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:55.549171000 61544 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:55.658257000 53399 3702 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:55.748896000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:55.751472000 137 137 192.168.111.7 192.168.111.21 udp
    Apr 9, 2010 12:38:56.257805000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:56.498803000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:57.249352000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:57.259285000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:57.790710000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:57.824826000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:58.030787000 53084 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:58.132499000 53084 5355 192.168.111.7 224.0.0.252 udp
    Apr 9, 2010 12:38:58.302695000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:58.445123000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:59.092118000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:38:59.193208000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:38:59.942865000 137 137 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:39:02.099401000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:39:05.101297000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:39:08.134097000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:39:11.142125000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:39:14.144682000 55238 1900 192.168.111.7 239.255.255.250 udp
    Apr 9, 2010 12:39:26.497277000 138 138 192.168.111.7 192.168.111.255 udp
    Apr 9, 2010 12:40:12.578608000 65495 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:12.582175000 59314 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.582815000 59315 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.761656000 59315 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.762260000 59315 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.763663000 59314 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.764000000 59314 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.945622000 59315 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.947742000 59315 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.950569000 61592 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:12.951988000 59314 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.952351000 59314 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:12.953791000 51264 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:12.972353000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:12.976712000 50263 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:12.989525000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:12.989992000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:13.025838000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:13.720841000 50264 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:13.901379000 50264 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:13.901855000 50264 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:14.085523000 50264 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:14.086061000 50264 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:14.089026000 57889 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:14.112185000 51673 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:15.719482000 51674 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:15.900344000 51674 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:15.900898000 51674 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:15.980201000 50263 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:16.084980000 51674 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:16.085461000 51674 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:16.086061000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:16.119406000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:16.138152000 59316 80 192.168.111.8 212.243.152.136 tcp
    Apr 9, 2010 12:40:16.962013000 51675 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:17.112258000 51673 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:17.141778000 51675 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:17.142254000 51675 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:17.326295000 51675 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:17.326758000 51675 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:17.328662000 52024 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:17.350667000 51676 80 192.168.111.8 94.236.15.26 tcp
    Apr 9, 2010 12:40:18.020404000 51677 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:18.202925000 51677 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:18.203475000 51677 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:18.390460000 51677 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:18.390980000 51677 80 192.168.111.8 207.46.16.233 tcp
    Apr 9, 2010 12:40:20.356466000 51676 80 192.168.111.8 94.236.15.26 tcp
    Apr 9, 2010 12:40:21.979384000 50263 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:23.111068000 51673 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:26.355698000 51676 80 192.168.111.8 94.236.15.26 tcp
    Apr 9, 2010 12:40:36.759812000 54024 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:36.814686000 55873 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:38.583232000 51678 80 192.168.111.8 192.221.106.126 tcp
    Apr 9, 2010 12:40:38.586595000 51679 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:38.587330000 51680 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:38.607192000 51678 80 192.168.111.8 192.221.106.126 tcp
    Apr 9, 2010 12:40:38.624525000 51678 80 192.168.111.8 192.221.106.126 tcp
    Apr 9, 2010 12:40:38.679896000 56292 53 192.168.111.8 192.168.111.1 udp
    Apr 9, 2010 12:40:38.682282000 57243 53 192.168.111.8 192.168.111.1 tcp
    Apr 9, 2010 12:40:38.759028000 51679 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:38.759483000 51679 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:38.762523000 51680 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:38.762858000 51680 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:38.853418000 51678 80 192.168.111.8 192.221.106.126 tcp
    Apr 9, 2010 12:40:39.143146000 51679 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:39.143215000 51680 80 192.168.111.8 207.46.170.10 tcp
    Apr 9, 2010 12:40:41.677451000 57243 53 192.168.111.8 192.168.111.1 tcp
    DNS
    Timestamp Source IP Dest IP Type Data
    Apr 9, 2010 12:38:46.839996000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:46.937988000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:47.198967000 192.168.111.7 224.0.0.252 Query Sepp-PC: type ANY, class IN
    Apr 9, 2010 12:38:47.293397000 192.168.111.7 192.168.111.1 Query time.windows.com: type A, class IN
    Apr 9, 2010 12:38:47.299534000 192.168.111.7 224.0.0.252 Query Sepp-PC: type ANY, class IN
    Apr 9, 2010 12:38:52.037426000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:52.136777000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:52.737845000 192.168.111.7 224.0.0.252 Query Sepp-PC: type ANY, class IN
    Apr 9, 2010 12:38:52.838833000 192.168.111.7 224.0.0.252 Query Sepp-PC: type ANY, class IN
    Apr 9, 2010 12:38:55.451130000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:55.549171000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:58.030787000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:38:58.132499000 192.168.111.7 224.0.0.252 Query isatap: type A, class IN
    Apr 9, 2010 12:40:12.578608000 192.168.111.8 192.168.111.1 Query go.microsoft.com: type A, class IN
    Apr 9, 2010 12:40:12.950569000 192.168.111.8 192.168.111.1 Query www.usa.gov: type A, class IN
    Apr 9, 2010 12:40:12.953791000 192.168.111.8 192.168.111.1 Query www.microsoft.com: type A, class IN
    Apr 9, 2010 12:40:14.089026000 192.168.111.8 192.168.111.1 Query rss.msnbc.msn.com: type A, class IN
    Apr 9, 2010 12:40:17.328662000 192.168.111.8 192.168.111.1 Query www.ieaddons.com: type A, class IN
    Apr 9, 2010 12:40:36.759812000 192.168.111.8 192.168.111.1 Query dns.msftncsi.com: type A, class IN
    Apr 9, 2010 12:40:36.814686000 192.168.111.8 192.168.111.1 Query dns.msftncsi.com: type AAAA, class IN
    Apr 9, 2010 12:40:38.679896000 192.168.111.8 192.168.111.1 Query pheedo-rdr.msnbc.msn.com: type A, class IN
    HTTP
    Timestamp Source IP Dest IP Data
    Apr 9, 2010 12:38:47.563000000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:47.670395000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:47.698599000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:48.406861000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:51.500987000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:51.590787000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:51.833584000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:51.953814000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:55.343776000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:38:59.092118000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:39:02.099401000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:39:05.101297000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:39:08.134097000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:39:11.142125000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:39:14.144682000 192.168.111.7 239.255.255.250 M-SEARCH * HTTP/1.1\r\n
    Apr 9, 2010 12:40:12.762260000 192.168.111.8 207.46.16.233 GET /fwlink/?LinkId=129794 HTTP/1.1\r\n
    Apr 9, 2010 12:40:12.764000000 192.168.111.8 207.46.16.233 GET /fwlink/?LinkId=68929 HTTP/1.1\r\n
    Apr 9, 2010 12:40:12.989992000 192.168.111.8 212.243.152.136 GET /rss/updates.xml HTTP/1.1\r\n
    Apr 9, 2010 12:40:13.901855000 192.168.111.8 207.46.16.233 GET /fwlink/?LinkId=44406 HTTP/1.1\r\n
    Apr 9, 2010 12:40:15.900898000 192.168.111.8 207.46.16.233 GET /fwlink/?LinkId=129793 HTTP/1.1\r\n
    Apr 9, 2010 12:40:16.086061000 192.168.111.8 212.243.152.136 GET /rss/FAQs.xml HTTP/1.1\r\n
    Apr 9, 2010 12:40:17.142254000 192.168.111.8 207.46.16.233 GET /fwlink/?LinkId=121315 HTTP/1.1\r\n
    Apr 9, 2010 12:40:18.203475000 192.168.111.8 207.46.16.233 GET /fwlink/?LinkId=68928 HTTP/1.1\r\n
    Apr 9, 2010 12:40:38.624525000 192.168.111.8 192.221.106.126 GET /id/3032091/device/rss/rss.xml HTTP/1.1\r\n
    Apr 9, 2010 12:40:38.759483000 192.168.111.8 207.46.170.10 GET /atwork/community/rss.xml HTTP/1.1\r\n
    Apr 9, 2010 12:40:38.762858000 192.168.111.8 207.46.170.10 GET /athome/community/rss.xml HTTP/1.1\r\n
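Triage of the network section above, as an added example (not code from Joebox or from the Joe Security report). Two hosts appear in the capture: 192.168.111.7 only emits LAN discovery chatter (NetBIOS on 137/138 to the broadcast address, SSDP on 1900, WS-Discovery on 3702 and LLMNR on 5355 to multicast groups), while 192.168.111.8 resolves names through 192.168.111.1 and opens TCP/80 flows to Internet addresses. The script collapses the per-packet rows into flows, buckets them by that distinction, and pairs each DNS query with the first TCP flow to a not-yet-seen destination within one second. The sample rows are copied from the report; the lab network 192.168.111.0/24, the one-second window and the port-to-name table are assumptions made here, and the query-to-address pairing is a heuristic because the log records no DNS answers.

```python
"""Triage helper for a Joebox network log (added example, not part of the report)."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: rows copied from the report's network table and DNS table.
CONN_LOG = """\
Apr 9, 2010 12:38:55.343776000 55238 1900 192.168.111.7 239.255.255.250 udp
Apr 9, 2010 12:38:55.451130000 61544 5355 192.168.111.7 224.0.0.252 udp
Apr 9, 2010 12:38:55.748896000 137 137 192.168.111.7 192.168.111.255 udp
Apr 9, 2010 12:40:12.578608000 65495 53 192.168.111.8 192.168.111.1 udp
Apr 9, 2010 12:40:12.582175000 59314 80 192.168.111.8 207.46.16.233 tcp
Apr 9, 2010 12:40:12.763663000 59314 80 192.168.111.8 207.46.16.233 tcp
Apr 9, 2010 12:40:12.950569000 61592 53 192.168.111.8 192.168.111.1 udp
Apr 9, 2010 12:40:12.953791000 51264 53 192.168.111.8 192.168.111.1 udp
Apr 9, 2010 12:40:12.972353000 59316 80 192.168.111.8 212.243.152.136 tcp
Apr 9, 2010 12:40:12.976712000 50263 53 192.168.111.8 192.168.111.1 tcp
Apr 9, 2010 12:40:17.328662000 52024 53 192.168.111.8 192.168.111.1 udp
Apr 9, 2010 12:40:17.350667000 51676 80 192.168.111.8 94.236.15.26 tcp
"""
DNS_LOG = """\
Apr 9, 2010 12:40:12.578608000 192.168.111.8 192.168.111.1 Query go.microsoft.com: type A, class IN
Apr 9, 2010 12:40:12.950569000 192.168.111.8 192.168.111.1 Query www.usa.gov: type A, class IN
Apr 9, 2010 12:40:12.953791000 192.168.111.8 192.168.111.1 Query www.microsoft.com: type A, class IN
Apr 9, 2010 12:40:17.328662000 192.168.111.8 192.168.111.1 Query www.ieaddons.com: type A, class IN
"""

LAB_NET = ip_network("192.168.111.0/24")  # assumption: the sandbox LAN seen in the log
DISCOVERY_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 1900: "ssdp",
                   3702: "ws-discovery", 5355: "llmnr"}  # assumption: well-known port names
TS = r"(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+)"
CONN_RE = re.compile(TS + r" (?P<sport>\d+) (?P<dport>\d+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>tcp|udp)$")
DNS_RE = re.compile(TS + r" (?P<src>\S+) (?P<dst>\S+) Query (?P<name>[^:]+): type (?P<qtype>\w+), class IN$")


def parse_ts(text):
    """Joebox prints nanoseconds; strptime's %f accepts at most six digits."""
    head, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def classify(dport, dst):
    """Bucket a destination: LAN discovery noise, DNS, other LAN unicast, or external."""
    addr = ip_address(dst)
    if addr.is_multicast or addr == LAB_NET.broadcast_address:
        return DISCOVERY_PORTS.get(dport, "multicast/broadcast")
    if dport == 53:
        return "dns"
    return "lan" if addr in LAB_NET else "external"


def parse_flows(log):
    """Collapse packet rows into one record per 5-tuple, stamped with the first packet."""
    flows = {}
    for line in log.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip headers and anything that is not a connection row
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])
        if key not in flows:
            flows[key] = {"ts": parse_ts(m["ts"]), "src": m["src"], "dst": m["dst"],
                          "dport": int(m["dport"]), "proto": m["proto"],
                          "class": classify(int(m["dport"]), m["dst"])}
    return sorted(flows.values(), key=lambda f: f["ts"])


def parse_queries(log):
    """Extract (timestamp, source, name, type) from the report's DNS rows."""
    out = []
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            out.append({"ts": parse_ts(m["ts"]), "src": m["src"],
                        "name": m["name"], "qtype": m["qtype"]})
    return out


def summarize(flows):
    """Count flows per class and collect the external destinations with their ports."""
    counts, external = {}, {}
    for f in flows:
        counts[f["class"]] = counts.get(f["class"], 0) + 1
        if f["class"] == "external":
            external.setdefault(f["dst"], set()).add(f["dport"])
    return counts, external


def attribute(queries, flows, window=timedelta(seconds=1)):
    """Pair each query with the first external TCP flow from the same host to a
    destination nobody has claimed yet, inside `window`.  Heuristic only: the log
    has no answer records, so a name that resolves to an address already in use
    (a shared CDN edge, for instance) stays None instead of being guessed."""
    claimed, result = set(), {}
    for q in queries:
        result[q["name"]] = None
        for f in flows:
            if (f["class"] == "external" and f["proto"] == "tcp" and f["src"] == q["src"]
                    and q["ts"] <= f["ts"] <= q["ts"] + window and f["dst"] not in claimed):
                claimed.add(f["dst"])
                result[q["name"]] = f["dst"]
                break
    return result


if __name__ == "__main__":
    flows = parse_flows(CONN_LOG)
    counts, external = summarize(flows)
    print("flows by class:", counts)
    for dst, ports in sorted(external.items()):
        print(f"  left the sandbox: {dst} ports {sorted(ports)}")
    for name, dst in attribute(parse_queries(DNS_LOG), flows).items():
        print(f"  {name:<20} -> {dst or 'unattributed (heuristic limit)'}")
```

On the sample rows the discovery buckets hold only 192.168.111.7 traffic and every external flow belongs to 192.168.111.8, which is the split an analyst wants before reading the HTTP table. The pairing also shows its own limit on the report's data: www.microsoft.com is queried a few milliseconds after go.microsoft.com and no flow to a new address follows it, so it is reported as unattributed rather than assigned to the next destination that happens to appear.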
    Copyright 2010 Joe Security | All rights reserved