API tools faq
paste
Advertisement
MalwareMustDie

PID 4128 - exp%n.tmp.exe #MalwareMustDie 20130126

MalwareMustDie
Jan 26th, 2013
1,432
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 69.01 KB | None | 0 0
raw download clone embed print report
  1. ===========================
  2. PID 4028 - exp3.tmp.exe
  3. ===========================
  4.  
  5. 20:39:38.8834401","exp3.tmp.exe","4028","QueryNameInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Name: \Documents and Settings\RIK\Local Settings\Temp\exp3.tmp.exe"
  6. 20:39:38.8838828","exp3.tmp.exe","4028","QueryNameInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Name: \Documents and Settings\RIK\Local Settings\Temp\exp3.tmp.exe"
  7. 20:39:38.8840739","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\Prefetch\EXP3.TMP.EXE-32842BFC.pf","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a"
  8. 20:39:38.8846360","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  9. 20:39:38.8867304","exp3.tmp.exe","4028","FileSystemControl","C:\Documents and Settings\rik","SUCCESS","Control: FSCTL_IS_VOLUME_MOUNTED"
  10. 20:39:38.8870028","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  11. 20:39:38.8880021","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 62,464, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  12. 20:39:38.9317627","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  13. 20:39:38.9326376","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  14. 20:39:38.9328913","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  15. 20:39:38.9332559","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  16. 20:39:38.9349173","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  17. 20:39:38.9349410","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  18. 20:39:38.9349779","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  19. 20:39:38.9352525","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  20. 20:39:38.9360417","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  21. 20:39:38.9373785","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  22. 20:39:38.9376307","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  23. 20:39:38.9379970","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  24. 20:39:38.9395676","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  25. 20:39:38.9395877","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,080, NumberOfLinks: 1, DeletePending: False, Directory: False"
  26. 20:39:38.9396234","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  27. 20:39:38.9398961","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  28. 20:39:38.9414343","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  29. 20:39:38.9416994","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  30. 20:39:38.9419522","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  31. 20:39:38.9430021","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  32. 20:39:38.9432750","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\imm32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  33. 20:39:38.9433538","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\IMM32.DLL","SUCCESS","SyncType: SyncTypeOther"
  34. 20:39:38.9438329","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  35. 20:39:38.9463073","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  36. 20:39:38.9477848","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  37. 20:39:38.9480438","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  38. 20:39:38.9489900","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  39. 20:39:38.9502759","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\imm32.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  40. 20:39:38.9505296","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\imm32.dll","SUCCESS",""
  41. 20:39:38.9533140","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\LPK.DLL","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  42. 20:39:38.9549916","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  43. 20:39:38.9552961","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  44. 20:39:38.9555855","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  45. 20:39:39.0093929","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\lpk.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  46. 20:39:39.0097189","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\lpk.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  47. 20:39:39.0098030","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\LPK.DLL","SUCCESS","SyncType: SyncTypeOther"
  48. 20:39:39.0101196","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\lpk.dll","SUCCESS",""
  49. 20:39:39.0220973","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\USP10.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  50. 20:39:39.0241227","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  51. 20:39:39.0244705","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  52. 20:39:39.0247940","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  53. 20:39:39.0265024","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\usp10.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  54. 20:39:39.0268496","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\usp10.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  55. 20:39:39.0269337","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\USP10.DLL","SUCCESS","SyncType: SyncTypeOther"
  56. 20:39:39.0272812","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\usp10.dll","SUCCESS",""
  57. 20:39:39.0790546","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  58. 20:39:39.0793258","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  59. 20:39:39.0793496","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\SHELL32.dll","SUCCESS","AllocationSize: 8,372,224, EndOfFile: 8,367,104, NumberOfLinks: 1, DeletePending: False, Directory: False"
  60. 20:39:39.0793870","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\shell32.dll","SUCCESS","SyncType: SyncTypeOther"
  61. 20:39:39.0796496","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\SHELL32.dll.124.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  62. 20:39:39.0813602","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\SHELL32.dll.124.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  63. 20:39:39.1170952","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
  64. 20:39:39.1174734","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  65. 20:39:39.1183747","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  66. 20:39:39.1184794","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","CreationTime: 2012/10/07 18:19:17, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:18, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  67. 20:39:39.1185719","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS",""
  68. 20:39:39.1195304","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  69. 20:39:39.1197377","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  70. 20:39:39.1198902","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  71. 20:39:39.1199059","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","AllocationSize: 1,064,960, EndOfFile: 1,054,208, NumberOfLinks: 1, DeletePending: False, Directory: False"
  72. 20:39:39.1199327","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeOther"
  73. 20:39:39.1235041","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS",""
  74. 20:39:39.1237963","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  75. 20:39:39.1239441","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  76. 20:39:39.1240044","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  77. 20:39:39.1242293","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll","SUCCESS",""
  78. 20:39:39.1252158","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  79. 20:39:39.1252797","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","CreationTime: 2012/10/07 18:40:07, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:40:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHA"
  80. 20:39:39.1253334","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  81. 20:39:39.1255085","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  82. 20:39:39.1255747","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  83. 20:39:39.1255884","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  84. 20:39:39.1256130","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  85. 20:39:39.1256789","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  86. 20:39:39.1281779","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  87. 20:39:39.1282390","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","CreationTime: 2012/10/07 18:40:07, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:40:08, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHA"
  88. 20:39:39.1289252","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  89. 20:39:39.1290495","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  90. 20:39:39.1291162","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  91. 20:39:39.1291297","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  92. 20:39:39.1291531","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  93. 20:39:39.1299448","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  94. 20:39:39.1300921","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  95. 20:39:39.1301572","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  96. 20:39:39.1301706","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  97. 20:39:39.1301940","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","SyncType: SyncTypeOther"
  98. 20:39:39.1308360","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS","AllocationSize: 16,384, EndOfFile: 749, NumberOfLinks: 1, DeletePending: False, Directory: False"
  99. 20:39:39.1309296","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\WindowsShell.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  100. 20:39:39.1479474","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WindowsShell.Manifest","SUCCESS",""
  101. 20:39:39.1533752","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  102. 20:39:39.1535629","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\comctl32.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  103. 20:39:39.1535789","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS","AllocationSize: 622,592, EndOfFile: 617,472, NumberOfLinks: 1, DeletePending: False, Directory: False"
  104. 20:39:39.1536051","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\COMCTL32.DLL","SUCCESS","SyncType: SyncTypeOther"
  105. 20:39:39.1537937","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\comctl32.dll.124.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  106. 20:39:39.1540985","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\comctl32.dll.124.Config","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  107. 20:39:39.1559060","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\comctl32.dll","SUCCESS",""
  108. 20:39:39.1588608","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  109. 20:39:39.1588991","exp3.tmp.exe","4028","QueryNameInformationFile","C:\","SUCCESS","Name: \"
  110. 20:39:39.1589326","exp3.tmp.exe","4028","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: "
  111. 20:39:39.1589600","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS",""
  112. 20:39:39.1665629","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  113. 20:39:39.1666344","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data","SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2012/10/07 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: RHD"
  114. 20:39:39.1666923","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS",""
  115. 20:39:39.1669641","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\D5809E24","NAME COLLISION","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0"
  116. 20:39:39.1671183","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  117. 20:39:39.1672258","exp3.tmp.exe","4028","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 1601/01/01 9:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: HN"
  118. 20:39:39.1687333","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\D5809E24","SUCCESS",""
  119. 20:39:39.1702002","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 1,024, Length: 31,232, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  120. 20:39:39.1919659","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 46,080, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  121. 20:39:39.1922673","exp3.tmp.exe","4028","ReadFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","Offset: 32,256, Length: 512, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  122. 20:39:39.1924126","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\SYSTEM32\SHLWAPI.DLL","SUCCESS","Offset: 267,264, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  123. 20:39:39.3723460","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  124. 20:39:39.3996903","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  125. 20:39:39.4000887","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  126. 20:39:39.4037039","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  127. 20:39:39.4125713","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  128. 20:39:39.4128671","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  129.  
  130. : snip snip : snip snip : snip snip : snip snip : snip snip : snip snip : snip snip : snip snip : snip snip :
  131. looping so many times...
  132.  
  133. 20:39:43.6352431","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  134. 20:39:43.6354747","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  135. 20:39:43.6357320","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  136. 20:39:43.6360432","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  137. 20:39:43.6363863","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\wbem\HIENESS_MINI_FONT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
  138. 20:39:46.4602405","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  139. 20:39:46.4602958","exp3.tmp.exe","4028","QueryNameInformationFile","C:\","SUCCESS","Name: \"
  140. 20:39:46.4603257","exp3.tmp.exe","4028","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 1601/01/01 9:00:00, VolumeSerialNumber: 9455-E50D, SupportsObjects: False, VolumeLabel: "
  141. 20:39:46.4603528","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS",""
  142. 20:39:46.9660126","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  143. 20:39:46.9661123","exp3.tmp.exe","4028","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 1601/01/01 9:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: N"
  144. 20:39:46.9662833","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS",""
  145. 20:39:46.9664693","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  146. 20:39:46.9665858","exp3.tmp.exe","4028","QueryAttributeTagFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","INVALID PARAMETER",""
  147. 20:39:46.9666892","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  148. 20:39:46.9667805","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","CreationTime: 2013/01/26 20:39:38, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  149. 20:39:46.9668772","exp3.tmp.exe","4028","QueryStreamInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","INVALID PARAMETER",""
  150. 20:39:46.9669828","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","CreationTime: 2013/01/26 20:39:38, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  151. 20:39:46.9670803","exp3.tmp.exe","4028","QueryEaInformationFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","EaSize: 0"
  152. 20:39:46.9671887","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0, OpenResult: Overwritten"
  153. 20:39:46.9672851","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  154. 20:39:46.9673574","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS",""
  155. 20:39:46.9675259","exp3.tmp.exe","4028","QueryAttributeInformationVolume","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","FileSystemAttributes: Case Preserved, Unicode, MaximumComponentNameLength: 255, FileSystemName: FAT32"
  156. 20:39:46.9675982","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:48, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  157. 20:39:46.9676918","exp3.tmp.exe","4028","QueryAttributeInformationVolume","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","FileSystemAttributes: Case Preserved, Unicode, MaximumComponentNameLength: 255, FileSystemName: FAT32"
  158. 20:39:46.9677636","exp3.tmp.exe","4028","SetEndOfFileInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","EndOfFile: 110,592"
  159. 20:39:46.9679413","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  160. 20:39:46.9679567","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\DOCUME~1\rik\LOCALS~1\Temp\exp3.tmp.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  161. 20:39:46.9679810","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS","SyncType: SyncTypeOther"
  162. 20:39:46.9680637","exp3.tmp.exe","4028","WriteFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Offset: 0, Length: 65,536"
  163. 20:39:46.9683858","exp3.tmp.exe","4028","WriteFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Offset: 65,536, Length: 45,056"
  164. 20:39:46.9685665","exp3.tmp.exe","4028","SetBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 1601/01/01 9:00:00, LastAccessTime: 1601/01/01 9:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: n/a"
  165. 20:39:46.9686808","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp3.tmp.exe","SUCCESS",""
  166. 20:39:46.9687640","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS",""
  167. 20:39:46.9689283","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","NAME COLLISION","Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0"
  168. 20:39:46.9692104","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  169. 20:39:46.9693093","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","CreationTime: 2012/10/07 18:49:52, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2012/10/07 18:19:58, ChangeTime: 1601/01/01 9:00:00, FileAttributes: D"
  170. 20:39:46.9693993","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS",""
  171. 20:39:46.9696362","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp","SUCCESS","Desired Access: Generic Read, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
  172. 20:39:46.9698681","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp","SUCCESS",""
  173. 20:39:46.9700421","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp.bat","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: H, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
  174. 20:39:46.9701701","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS","Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Open For Backup, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  175. 20:39:46.9702746","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp","SUCCESS",""
  176. 20:39:46.9707562","exp3.tmp.exe","4028","WriteFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp.bat","SUCCESS","Offset: 0, Length: 195"
  177. 20:39:46.9710037","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Local Settings\Temp\exp4.tmp.bat","SUCCESS",""
  178. 20:39:46.9715359","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  179. 20:39:46.9717041","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  180. 20:39:46.9718616","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  181. 20:39:46.9722759","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  182. 20:39:46.9724388","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  183. 20:39:46.9725947","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  184. 20:39:46.9728411","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  185. 20:39:46.9730107","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  186. 20:39:46.9730255","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  187. 20:39:46.9730386","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  188. 20:39:46.9730629","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  189. 20:39:46.9909244","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  190. 20:39:46.9922128","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  191. 20:39:46.9924804","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  192. 20:39:46.9927313","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  193. 20:39:46.9977610","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  194. 20:39:46.9980373","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\apphelp.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  195. 20:39:46.9980594","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\Apphelp.dll","SUCCESS","AllocationSize: 131,072, EndOfFile: 125,952, NumberOfLinks: 1, DeletePending: False, Directory: False"
  196. 20:39:46.9980974","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\Apphelp.dll","SUCCESS","SyncType: SyncTypeOther"
  197. 20:39:46.9983692","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  198. 20:39:46.9992238","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  199. 20:39:46.9994869","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  200. 20:39:46.9997372","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  201. 20:39:47.0001052","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  202. 20:39:47.0003753","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\apphelp.dll","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  203. 20:39:47.0004549","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\SYSTEM32\APPHELP.DLL","SUCCESS","SyncType: SyncTypeOther"
  204. 20:39:47.0007293","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\apphelp.dll","SUCCESS",""
  205. 20:39:47.0015632","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  206. 20:39:47.0017920","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  207. 20:39:47.0019942","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  208. 20:39:47.0020155","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  209. 20:39:47.0020523","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther"
  210. 20:39:47.0022772","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  211. 20:39:47.0026139","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\systest.sdb","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
  212. 20:39:47.0030106","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  213. 20:39:47.0031745","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  214. 20:39:47.0034170","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  215. 20:39:47.0041101","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  216. 20:39:47.0043808","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  217. 20:39:47.0049650","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  218. 20:39:47.0050580","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  219. 20:39:47.0051030","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS"
  220. 20:39:47.0051631","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS",""
  221. 20:39:47.0053606","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  222. 20:39:47.0054642","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32","SUCCESS","Filter: system32, 1: system32"
  223. 20:39:47.0055807","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS","SUCCESS",""
  224. 20:39:47.0058296","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  225. 20:39:47.0059838","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  226. 20:39:47.0062221","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  227. 20:39:47.0066158","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 143,360, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  228. 20:39:47.0283325","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 28,672, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  229. 20:39:47.0308563","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 589,824, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  230. 20:39:47.0359544","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 815,104, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  231. 20:39:47.0465809","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Offset: 745,472, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  232. 20:39:47.0477894","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  233. 20:39:47.0480624","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  234. 20:39:47.0483211","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  235. 20:39:47.0496302","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  236. 20:39:47.0499020","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  237. 20:39:47.0501604","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  238. 20:39:47.0505356","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  239. 20:39:47.0508161","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  240. 20:39:47.0508384","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  241. 20:39:47.0511164","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  242. 20:39:47.0513983","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  243. 20:39:47.0514505","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 0, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  244. 20:39:47.0526300","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  245. 20:39:47.0529018","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  246. 20:39:47.0531602","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  247. 20:39:47.0535376","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  248. 20:39:47.0538181","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  249. 20:39:47.0538396","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  250. 20:39:47.0538771","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  251. 20:39:47.0541564","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  252. 20:39:47.0542478","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 245,760, Length: 32,768, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  253. 20:39:47.0548632","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 454,656, Length: 31,744, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  254. 20:39:47.0711698","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  255. 20:39:47.0717442","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  256. 20:39:47.0720082","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  257. 20:39:47.0723870","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  258. 20:39:47.0726663","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  259. 20:39:47.0726878","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  260. 20:39:47.0727253","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  261. 20:39:47.0730049","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  262. 20:39:47.0737212","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  263. 20:39:47.0866148","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  264. 20:39:47.0868788","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  265. 20:39:47.0872562","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  266. 20:39:47.0885382","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  267. 20:39:47.0885600","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  268. 20:39:47.0885982","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  269. 20:39:47.0889215","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  270. 20:39:47.0920898","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  271. 20:39:47.0923602","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  272. 20:39:47.0926183","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  273. 20:39:47.0938606","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  274. 20:39:47.0939048","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS"
  275. 20:39:47.0939682","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS",""
  276. 20:39:47.0961752","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  277. 20:39:47.0962822","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32","SUCCESS","Filter: system32, 1: system32"
  278. 20:39:47.0964020","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS","SUCCESS",""
  279. 20:39:47.0966551","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  280. 20:39:47.0968107","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  281. 20:39:47.0970513","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  282. 20:39:47.0973860","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS",""
  283. 20:39:47.1007051","exp3.tmp.exe","4028","QueryNameInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Name: \WINDOWS\System32\cmd.exe"
  284. 20:39:47.1013694","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  285. 20:39:47.1016418","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","CreationTime: 2008/08/20 12:00:00, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2008/08/20 12:00:00, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  286. 20:39:47.1019002","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  287. 20:39:47.1019863","exp3.tmp.exe","4028","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  288. 20:39:47.1020298","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS","SUCCESS","Filter: WINDOWS, 1: WINDOWS"
  289. 20:39:47.1020880","exp3.tmp.exe","4028","CloseFile","C:\","SUCCESS",""
  290. 20:39:47.1022818","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  291. 20:39:47.1068841","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\System32","SUCCESS","Filter: System32, 1: system32"
  292. 20:39:47.1070112","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS","SUCCESS",""
  293. 20:39:47.1072699","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  294. 20:39:47.1075205","exp3.tmp.exe","4028","QueryDirectory","C:\WINDOWS\system32\cmd.exe","SUCCESS","Filter: cmd.exe, 1: cmd.exe"
  295. 20:39:47.1077621","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32","SUCCESS",""
  296. 20:39:47.1081189","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  297. 20:39:47.1083809","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  298. 20:39:47.1084027","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","AllocationSize: 491,520, EndOfFile: 486,400, NumberOfLinks: 1, DeletePending: False, Directory: False"
  299. 20:39:47.1084399","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\system32\cmd.exe","SUCCESS","SyncType: SyncTypeOther"
  300. 20:39:47.1091168","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 99,328, Length: 30,720, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  301. 20:39:47.1103024","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\system32\cmd.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  302. 20:39:47.1105996","exp3.tmp.exe","4028","ReadFile","C:\WINDOWS\system32\cmd.exe","SUCCESS","Offset: 247,296, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  303. 20:39:47.1130055","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\system32\cmd.exe","SUCCESS",""
  304. 20:39:47.1132162","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
  305. 20:39:47.1197111","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
  306. 20:39:47.1197352","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  307. 20:39:47.1197570","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeOther"
  308. 20:39:47.1199500","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeOther"
  309. 20:39:47.1201204","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  310. 20:39:47.1202132","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  311. 20:39:47.1205177","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
  312. 20:39:47.1220740","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  313. 20:39:47.1222771","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  314. 20:39:47.1222983","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  315. 20:39:47.1223352","exp3.tmp.exe","4028","CreateFileMapping","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","SyncType: SyncTypeOther"
  316. 20:39:47.1238094","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS","AllocationSize: 1,212,416, EndOfFile: 1,202,774, NumberOfLinks: 1, DeletePending: False, Directory: False"
  317. 20:39:47.1240868","exp3.tmp.exe","4028","CreateFile","C:\WINDOWS\AppPatch\systest.sdb","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
  318. 20:39:47.1244235","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  319. 20:39:47.1255415","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Filter: KB00777165.exe, 1: KB00777165.exe"
  320. 20:39:47.1256747","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data","SUCCESS",""
  321. 20:39:47.1272576","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  322. 20:39:47.1273638","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  323. 20:39:47.1274560","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS",""
  324. 20:39:47.1285980","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  325. 20:39:47.1286486","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\rik","SUCCESS","Filter: rik, 1: rik"
  326. 20:39:47.1287131","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings","SUCCESS",""
  327. 20:39:47.1306664","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  328. 20:39:47.1307740","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  329. 20:39:47.1308670","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS",""
  330. 20:39:47.1319283","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  331. 20:39:47.1319783","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\rik","SUCCESS","Filter: rik, 1: rik"
  332. 20:39:47.1335489","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings","SUCCESS",""
  333. 20:39:47.1337244","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  334. 20:39:47.1338185","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  335. 20:39:47.1349838","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\AppPatch\sysmain.sdb","SUCCESS",""
  336. 20:39:47.1354481","exp3.tmp.exe","4028","QueryNameInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Name: \Documents and Settings\RIK\Application Data\KB00777165.exe"
  337. 20:39:47.1368728","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
  338. 20:39:47.1369812","exp3.tmp.exe","4028","QueryBasicInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","CreationTime: 2013/01/26 20:39:06, LastAccessTime: 2013/01/26 0:00:00, LastWriteTime: 2013/01/26 20:39:40, ChangeTime: 1601/01/01 9:00:00, FileAttributes: A"
  339. 20:39:47.1370742","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS",""
  340. 20:39:47.1378199","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
  341. 20:39:47.1378704","exp3.tmp.exe","4028","QueryDirectory","C:\Documents and Settings\RIK","SUCCESS","Filter: RIK, 1: rik"
  342. 20:39:47.1389756","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings","SUCCESS",""
  343. 20:39:47.1391231","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  344. 20:39:47.1392195","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY"
  345. 20:39:47.1392396","exp3.tmp.exe","4028","QueryStandardInformationFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","AllocationSize: 114,688, EndOfFile: 110,592, NumberOfLinks: 1, DeletePending: False, Directory: False"
  346. 20:39:47.1392756","exp3.tmp.exe","4028","CreateFileMapping","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","SyncType: SyncTypeOther"
  347. 20:39:47.1417818","exp3.tmp.exe","4028","CreateFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"
  348. 20:39:47.1418620","exp3.tmp.exe","4028","ReadFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS","Offset: 78,848, Length: 16,384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O"
  349. 20:39:47.1485715","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik\Application Data\KB00777165.exe","SUCCESS",""
  350. 20:39:47.1506142","exp3.tmp.exe","4028","CloseFile","C:\Documents and Settings\rik","SUCCESS",""
  351. 20:39:47.1508439","exp3.tmp.exe","4028","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83","SUCCESS",""
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!