Stripped RealMode Disk Operating System (DOS) 2.00
(C) Norman ASA 2001
Starting Windows kernel.
Installing driver : "VMM     ", DDB at 0x0xC0004E94
Installing driver : "IFSMgr  ", DDB at 0x0xC00050F2
Installing driver : "VWIN32  ", DDB at 0x0xC0005D44
Installing driver : "VFAT    ", DDB at 0x0xC0007648
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\KERNEL32.DLL",0x00031E9A)
PageFault tbl, 0x00000013 entries, fhandle=0x720013C8
 |offset 0x7C800000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x7C801000, seek 0x00000600, size 0x00001000, flags=0x00000004
 |offset 0x7C802000, seek 0x00001600, size 0x00001000, flags=0x00000004
 |offset 0x7C803000, seek 0x00002600, size 0x00001000, flags=0x00000004
 |offset 0x7C804000, seek 0x00003600, size 0x00001000, flags=0x00000004
 |offset 0x7C805000, seek 0x00004600, size 0x00001000, flags=0x00000004
 |offset 0x7C806000, seek 0x00005600, size 0x00001000, flags=0x00000004
 |offset 0x7C807000, seek 0x00006600, size 0x00001000, flags=0x00000004
 |offset 0x7C808000, seek 0x00007600, size 0x00001000, flags=0x00000004
 |offset 0x7C809000, seek 0x00008600, size 0x00001000, flags=0x00000004
 |offset 0x7C80A000, seek 0x00009600, size 0x00001000, flags=0x00000004
 |offset 0x7C80B000, seek 0x0000A600, size 0x00001000, flags=0x00000004
 |offset 0x7C80C000, seek 0x0000B600, size 0x00001000, flags=0x00000004
 |offset 0x7C80D000, seek 0x0000C600, size 0x00000600, flags=0x00000004
 |offset 0x7C80E000, seek 0x0000CC00, size 0x00001000, flags=0x00000000
 |offset 0x7C80F000, seek 0x0000DC00, size 0x00000200, flags=0x00000000
 |offset 0x7C810000, seek 0x0000DE00, size 0x00001000, flags=0x00000000
 |offset 0x7C811000, seek 0x0000EE00, size 0x00001000, flags=0x00000000
 |offset 0x7C812000, seek 0x0000FE00, size 0x00000600, flags=0x00000008
KERNEL32!LoadLibraryA ("C:\WINDOWS\SYSTEM32\NTDLL.DLL")
KERNEL32!GetModuleHandleA ("C:\WINDOWS\SYSTEM32\NTDLL.DLL")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\NTDLL.DLL",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\NTDLL.DLL",0x00000000)
PageFault tbl, 0x00000004 entries, fhandle=0x72001158
 |offset 0x7C900000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x7C901000, seek 0x00000600, size 0x00000A00, flags=0x00000000
 |offset 0x7C902000, seek 0x00001000, size 0x00000200, flags=0x00000000
 |offset 0x7C903000, seek 0x00001200, size 0x00000400, flags=0x00000008
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x7C900000,"CPlApplet")
KERNEL32!LoadLibraryA ("C:\WINDOWS\SYSTEM32\ADVAPI32.DLL")
KERNEL32!GetModuleHandleA ("C:\WINDOWS\SYSTEM32\ADVAPI32.DLL")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\ADVAPI32.DLL",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\ADVAPI32.DLL",0x00000000)
PageFault tbl, 0x00000007 entries, fhandle=0x7200207F
 |offset 0x77DC0000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x77DC1000, seek 0x00000600, size 0x00001000, flags=0x00000000
 |offset 0x77DC2000, seek 0x00001600, size 0x00001000, flags=0x00000000
 |offset 0x77DC3000, seek 0x00002600, size 0x00001000, flags=0x00000000
 |offset 0x77DC4000, seek 0x00003600, size 0x00000400, flags=0x00000000
 |offset 0x77DC5000, seek 0x00003A00, size 0x00000200, flags=0x00000000
 |offset 0x77DC6000, seek 0x00003C00, size 0x00000E00, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"lstrcmp")
KERNEL32!GetProcAddress (0x7C800000,"lstrcpy")
KERNEL32!GetProcAddress (0x7C800000,"WinExec")
KERNEL32!GetProcAddress (0x7C800000,"ExpandEnvironmentStringsA")
KERNEL32!GetProcAddress (0x7C800000,"CreateHandle")
KERNEL32!GetProcAddress (0x7C800000,"Sleep")
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!strcpy (0x04FFFB16,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","user32.dll")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\user32.dll",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\user32.dll",0x00000000)
PageFault tbl, 0x0000000B entries, fhandle=0x72001E27
 |offset 0x77D30000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x77D31000, seek 0x00000600, size 0x00001000, flags=0x00000000
 |offset 0x77D32000, seek 0x00001600, size 0x00001000, flags=0x00000000
 |offset 0x77D33000, seek 0x00002600, size 0x00001000, flags=0x00000000
 |offset 0x77D34000, seek 0x00003600, size 0x00001000, flags=0x00000000
 |offset 0x77D35000, seek 0x00004600, size 0x00001000, flags=0x00000000
 |offset 0x77D36000, seek 0x00005600, size 0x00000800, flags=0x00000000
 |offset 0x77D37000, seek 0x00005E00, size 0x00000C00, flags=0x00000000
 |offset 0x77D38000, seek 0x00006A00, size 0x00000200, flags=0x00000000
 |offset 0x77D39000, seek 0x00006C00, size 0x00001000, flags=0x00000000
 |offset 0x77D3A000, seek 0x00007C00, size 0x00000800, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleA")
KERNEL32!GetProcAddress (0x7C800000,"CreateHandle")
KERNEL32!GetProcAddress (0x7C800000,"ExitProcess")
KERNEL32!GetProcAddress (0x7C800000,"FindResourceA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x77D30000,"CPlApplet")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x77DC0000,"CPlApplet")
KERNEL32!LoadLibraryA ("C:\WINDOWS\SYSTEM32\GDI32.DLL")
KERNEL32!GetModuleHandleA ("C:\WINDOWS\SYSTEM32\GDI32.DLL")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\GDI32.DLL",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\GDI32.DLL",0x00000000)
PageFault tbl, 0x00000005 entries, fhandle=0x72001FE4
 |offset 0x77F10000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x77F11000, seek 0x00000600, size 0x00001000, flags=0x00000000
 |offset 0x77F12000, seek 0x00001600, size 0x00000A00, flags=0x00000000
 |offset 0x77F13000, seek 0x00002000, size 0x00000200, flags=0x00000000
 |offset 0x77F14000, seek 0x00002200, size 0x00000A00, flags=0x00000008
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x77F10000,"CPlApplet")
KERNEL32!LoadLibraryA ("C:\WINDOWS\SYSTEM32\USER32.DLL")
KERNEL32!GetModuleHandleA ("C:\WINDOWS\SYSTEM32\USER32.DLL")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!SetCurrentDirectory ("C:\WINDOWS")
KERNEL32!WinExec ("c:\sample.exe",0x00000000)
PageFault tbl, 0x0000003C entries, fhandle=0x720024BC
 |offset 0x00400000, seek 0x00000000, size 0x00001000, flags=0x00000004
 |offset 0x00401000, seek 0x00001000, size 0x00001000, flags=0x00000000
 |offset 0x00402000, seek 0x00002000, size 0x00001000, flags=0x00000000
 |offset 0x00403000, seek 0x00003000, size 0x00001000, flags=0x00000000
 |offset 0x00404000, seek 0x00004000, size 0x00001000, flags=0x00000000
 |offset 0x00405000, seek 0x00005000, size 0x00001000, flags=0x00000000
 |offset 0x00406000, seek 0x00006000, size 0x00001000, flags=0x00000000
 |offset 0x00407000, seek 0x00007000, size 0x00001000, flags=0x00000000
 |offset 0x00408000, seek 0x00008000, size 0x00001000, flags=0x00000000
 |offset 0x00409000, seek 0x00009000, size 0x00001000, flags=0x00000000
 |offset 0x0040A000, seek 0x0000A000, size 0x00000400, flags=0x00000000
 |offset 0x0040B000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0040C000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0040D000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0040E000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0040F000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00410000, seek 0x0000A400, size 0x00001000, flags=0x00000000
 |offset 0x00411000, seek 0x0000B400, size 0x00000200, flags=0x00000000
 |offset 0x00412000, seek 0x0000B600, size 0x00001000, flags=0x00000000
 |offset 0x00413000, seek 0x0000C600, size 0x00001000, flags=0x00000000
 |offset 0x00414000, seek 0x0000D600, size 0x00001000, flags=0x00000000
 |offset 0x00415000, seek 0x0000E600, size 0x00001000, flags=0x00000000
 |offset 0x00416000, seek 0x0000F600, size 0x00001000, flags=0x00000000
 |offset 0x00417000, seek 0x00010600, size 0x00001000, flags=0x00000000
 |offset 0x00418000, seek 0x00011600, size 0x00001000, flags=0x00000000
 |offset 0x00419000, seek 0x00012600, size 0x00001000, flags=0x00000000
 |offset 0x0041A000, seek 0x00013600, size 0x00001000, flags=0x00000000
 |offset 0x0041B000, seek 0x00014600, size 0x00001000, flags=0x00000000
 |offset 0x0041C000, seek 0x00015600, size 0x00001000, flags=0x00000000
 |offset 0x0041D000, seek 0x00016600, size 0x00000C00, flags=0x00000000
 |offset 0x0041E000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0041F000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00420000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00421000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00422000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00423000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00424000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00425000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00426000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00427000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00428000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00429000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0042A000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0042B000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0042C000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0042D000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0042E000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x0042F000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00430000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00431000, seek 0x00017200, size 0x00001000, flags=0x00000000
 |offset 0x00432000, seek 0x00018200, size 0x00000A00, flags=0x00000000
 |offset 0x00433000, seek 0x00018C00, size 0x00000E00, flags=0x00000000
 |offset 0x00434000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00435000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00436000, seek 0x00019A00, size 0x00000E00, flags=0x00000000
 |offset 0x00437000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00438000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000000
 |offset 0x00439000, seek 0x0001A800, size 0x00001000, flags=0x00000000
 |offset 0x0043A000, seek 0x0001B800, size 0x00000400, flags=0x00000000
 |offset 0x0043B000, seek 0xFFFFFFFF, size 0x00001000, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"GetProcAddress")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleA")
KERNEL32!GetProcAddress (0x7C800000,"LoadLibraryA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00000100)
KERNEL32!CreateThread (0x00000000,0x00000000,0x00439001,0x7C801000,0x00000000,0x04FFFE2A)
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"VirtualAlloc")
KERNEL32!GetProcAddress (0x7C800000,"VirtualFree")
KERNEL32!VirtualAlloc (0x00000000,0x00001800,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x74000000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74001000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualAlloc (0x00000000,0x0000930E,0x00001000,0x00000004)
PageFault tbl, 0x0000000A entries, fhandle=0xFFFFFFFF
 |offset 0x74002000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74003000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74004000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74005000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74006000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74007000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74008000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74009000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7400A000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7400B000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74002000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000110E,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x7400C000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7400D000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7400C000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000BB0E,0x00001000,0x00000004)
PageFault tbl, 0x0000000C entries, fhandle=0xFFFFFFFF
 |offset 0x7400E000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7400F000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74010000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74011000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74012000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74013000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74014000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74015000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74016000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74017000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74018000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74019000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7400E000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x00000B0E,0x00001000,0x00000004)
PageFault tbl, 0x00000001 entries, fhandle=0xFFFFFFFF
 |offset 0x7401A000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7401A000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x00000F0E,0x00001000,0x00000004)
PageFault tbl, 0x00000001 entries, fhandle=0xFFFFFFFF
 |offset 0x7401B000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7401B000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000150E,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x7401C000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7401D000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7401C000,0x00000000,0x00008000)
KERNEL32!VirtualFree (0x74000000,0x00000000,0x00008000)
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"GetProcAddress")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleA")
KERNEL32!GetProcAddress (0x7C800000,"LoadLibraryA")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"VirtualAlloc")
KERNEL32!GetProcAddress (0x7C800000,"VirtualFree")
KERNEL32!VirtualAlloc (0x00000000,0x00001800,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x7401E000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7401F000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualAlloc (0x00000000,0x0000910E,0x00001000,0x00000004)
PageFault tbl, 0x0000000A entries, fhandle=0xFFFFFFFF
 |offset 0x74020000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74021000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74022000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74023000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74024000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74025000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74026000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74027000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74028000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74029000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74020000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000110E,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x7402A000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7402B000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7402A000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000BB0E,0x00001000,0x00000004)
PageFault tbl, 0x0000000C entries, fhandle=0xFFFFFFFF
 |offset 0x7402C000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7402D000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7402E000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7402F000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74030000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74031000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74032000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74033000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74034000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74035000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74036000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74037000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7402C000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000090E,0x00001000,0x00000004)
PageFault tbl, 0x00000001 entries, fhandle=0xFFFFFFFF
 |offset 0x74038000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74038000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000150E,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x74039000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7403A000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74039000,0x00000000,0x00008000)
KERNEL32!VirtualFree (0x7401E000,0x00000000,0x00008000)
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"GetProcAddress")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleA")
KERNEL32!GetProcAddress (0x7C800000,"LoadLibraryA")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"VirtualAlloc")
KERNEL32!GetProcAddress (0x7C800000,"VirtualFree")
KERNEL32!VirtualAlloc (0x00000000,0x00001800,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x7403B000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7403C000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualAlloc (0x00000000,0x0000910E,0x00001000,0x00000004)
PageFault tbl, 0x0000000A entries, fhandle=0xFFFFFFFF
 |offset 0x7403D000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7403E000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7403F000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74040000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74041000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74042000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74043000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74044000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74045000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74046000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7403D000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000210E,0x00001000,0x00000004)
PageFault tbl, 0x00000003 entries, fhandle=0xFFFFFFFF
 |offset 0x74047000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74048000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74049000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74047000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000C10E,0x00001000,0x00000004)
PageFault tbl, 0x0000000D entries, fhandle=0xFFFFFFFF
 |offset 0x7404A000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7404B000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7404C000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7404D000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7404E000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7404F000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74050000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74051000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74052000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74053000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74054000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74055000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74056000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7404A000,0x00000000,0x00008000)
KERNEL32!VirtualAlloc (0x00000000,0x0000110E,0x00001000,0x00000004)
PageFault tbl, 0x00000002 entries, fhandle=0xFFFFFFFF
 |offset 0x74057000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74058000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74057000,0x00000000,0x00008000)
KERNEL32!VirtualFree (0x7403B000,0x00000000,0x00008000)
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"GetProcAddress")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleA")
KERNEL32!GetProcAddress (0x7C800000,"LoadLibraryA")
KERNEL32!GetProcAddress (0x7C800000,"VirtualAlloc")
KERNEL32!GetProcAddress (0x7C800000,"VirtualFree")
KERNEL32!VirtualAlloc (0x00000000,0x00008F34,0x00001000,0x00000004)
PageFault tbl, 0x00000009 entries, fhandle=0xFFFFFFFF
 |offset 0x74059000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7405A000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7405B000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7405C000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7405D000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7405E000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7405F000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74060000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74061000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74059000,0x00008F34,0x00004000)
KERNEL32!VirtualAlloc (0x00000000,0x0000B96A,0x00001000,0x00000004)
PageFault tbl, 0x0000000C entries, fhandle=0xFFFFFFFF
 |offset 0x74062000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74063000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74064000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74065000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74066000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74067000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74068000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74069000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7406A000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7406B000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7406C000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x7406D000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x74062000,0x0000B96A,0x00004000)
KERNEL32!VirtualAlloc (0x00000000,0x00000007,0x00001000,0x00000004)
PageFault tbl, 0x00000001 entries, fhandle=0xFFFFFFFF
 |offset 0x7406E000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!VirtualFree (0x7406E000,0x00000007,0x00004000)
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!GetProcAddress (0x77D30000,"MessageBoxA")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"ExitProcess")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileA")
KERNEL32!GetProcAddress (0x7C800000,"GetVersionExA")
KERNEL32!GetProcAddress (0x7C800000,"VirtualProtect")
KERNEL32!GetProcAddress (0x7C800000,"GetTickCount")
KERNEL32!GetVersionExA (0x004328AD)
KERNEL32!CreateFileA ("\\.\ntice",0x80000000,0x00000000,0x00000000,0x00000003,0x00000080,0x00000000)
KERNEL32!GetModuleHandleA ("KERNEL32.dll")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileW")
KERNEL32!GetProcAddress (0x7C800000,"CopyFileW")
USER32!wsprintfA (0x4FFD09BC,"** Could not resolve API %x - %s [%x]
",0x7C800000....)
KERNEL32!GetProcAddress (0x7C800000,"GetCurrentDirectoryW")
USER32!wsprintfA (0x4FFD09BC,"** Could not resolve API %x - %s [%x]
",0x7C800000....)
KERNEL32!GetProcAddress (0x7C800000,"GetModuleFileNameW")
KERNEL32!GetProcAddress (0x7C800000,"FindFirstFileW")
KERNEL32!GetProcAddress (0x7C800000,"SystemTimeToFileTime")
KERNEL32!GetProcAddress (0x7C800000,"GetSystemDirectoryW")
KERNEL32!GetProcAddress (0x7C800000,"OpenProcess")
KERNEL32!GetProcAddress (0x7C800000,"CreateRemoteThread")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleW")
KERNEL32!GetProcAddress (0x7C800000,"WideCharToMultiByte")
KERNEL32!GetProcAddress (0x7C800000,"GetCurrentProcessId")
KERNEL32!GetProcAddress (0x7C800000,"WriteProcessMemory")
KERNEL32!GetProcAddress (0x7C800000,"VirtualAllocEx")
KERNEL32!GetProcAddress (0x7C800000,"GetExitCodeThread")
KERNEL32!GetProcAddress (0x7C800000,"DeleteFileA")
KERNEL32!GetProcAddress (0x7C800000,"FreeLibrary")
KERNEL32!GetProcAddress (0x7C800000,"MultiByteToWideChar")
KERNEL32!GetProcAddress (0x7C800000,"OutputDebugStringA")
KERNEL32!GetProcAddress (0x7C800000,"GetVersionExA")
KERNEL32!GetProcAddress (0x7C800000,"GetWindowsDirectoryA")
KERNEL32!GetProcAddress (0x7C800000,"TerminateProcess")
KERNEL32!GetProcAddress (0x7C800000,"GetCurrentProcess")
KERNEL32!GetProcAddress (0x7C800000,"SetFileAttributesA")
KERNEL32!GetProcAddress (0x7C800000,"GetDriveTypeA")
KERNEL32!GetProcAddress (0x7C800000,"GetTimeZoneInformation")
KERNEL32!GetProcAddress (0x7C800000,"FileTimeToSystemTime")
KERNEL32!GetProcAddress (0x7C800000,"GlobalFree")
KERNEL32!GetProcAddress (0x7C800000,"FindClose")
KERNEL32!GetProcAddress (0x7C800000,"ExitProcess")
KERNEL32!GetProcAddress (0x7C800000,"lstrcpyA")
KERNEL32!GetProcAddress (0x7C800000,"HeapAlloc")
KERNEL32!GetProcAddress (0x7C800000,"GetProcessHeap")
KERNEL32!GetProcAddress (0x7C800000,"lstrcmpiA")
KERNEL32!GetProcAddress (0x7C800000,"SetFileTime")
KERNEL32!GetProcAddress (0x7C800000,"HeapFree")
KERNEL32!GetProcAddress (0x7C800000,"InterlockedDecrement")
KERNEL32!GetProcAddress (0x7C800000,"InterlockedIncrement")
KERNEL32!GetProcAddress (0x7C800000,"GlobalAlloc")
KERNEL32!GetProcAddress (0x7C800000,"GetFileSize")
KERNEL32!GetProcAddress (0x7C800000,"GetTempFileNameA")
KERNEL32!GetProcAddress (0x7C800000,"GetTempPathA")
KERNEL32!GetProcAddress (0x7C800000,"ReadFile")
KERNEL32!GetProcAddress (0x7C800000,"GetEnvironmentVariableA")
KERNEL32!GetProcAddress (0x7C800000,"UnmapViewOfFile")
KERNEL32!GetProcAddress (0x7C800000,"MapViewOfFile")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileMappingA")
KERNEL32!GetProcAddress (0x7C800000,"GetCurrentThread")
KERNEL32!GetProcAddress (0x7C800000,"SetFilePointer")
KERNEL32!GetProcAddress (0x7C800000,"GetSystemTime")
KERNEL32!GetProcAddress (0x7C800000,"CreateEventA")
KERNEL32!GetProcAddress (0x7C800000,"WritePrivateProfileStringA")
KERNEL32!GetProcAddress (0x7C800000,"SetFileAttributesW")
KERNEL32!GetProcAddress (0x7C800000,"SetThreadPriority")
KERNEL32!GetProcAddress (0x7C800000,"VirtualFree")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileA")
KERNEL32!GetProcAddress (0x7C800000,"WriteFile")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleHandleA")
KERNEL32!GetProcAddress (0x7C800000,"GetLastError")
KERNEL32!GetProcAddress (0x7C800000,"WaitForSingleObject")
KERNEL32!GetProcAddress (0x7C800000,"CreateSemaphoreA")
KERNEL32!GetProcAddress (0x7C800000,"CloseHandle")
KERNEL32!GetProcAddress (0x7C800000,"ReleaseSemaphore")
KERNEL32!GetProcAddress (0x7C800000,"GetTickCount")
KERNEL32!GetProcAddress (0x7C800000,"lstrcpynA")
KERNEL32!GetProcAddress (0x7C800000,"lstrlenA")
KERNEL32!GetProcAddress (0x7C800000,"CopyFileA")
KERNEL32!GetProcAddress (0x7C800000,"FindFirstFileA")
KERNEL32!GetProcAddress (0x7C800000,"FindNextFileA")
KERNEL32!GetProcAddress (0x7C800000,"LoadLibraryA")
KERNEL32!GetProcAddress (0x7C800000,"GetProcAddress")
KERNEL32!GetProcAddress (0x7C800000,"ExitThread")
KERNEL32!GetProcAddress (0x7C800000,"lstrcmpA")
KERNEL32!GetProcAddress (0x7C800000,"Sleep")
KERNEL32!GetProcAddress (0x7C800000,"CreateThread")
KERNEL32!GetProcAddress (0x7C800000,"GetSystemDirectoryA")
KERNEL32!GetProcAddress (0x7C800000,"lstrcatA")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleFileNameA")
KERNEL32!GetProcAddress (0x7C800000,"GetLocalTime")
KERNEL32!GetProcAddress (0x7C800000,"FileTimeToLocalFileTime")
KERNEL32!GetProcAddress (0x7C800000,"VirtualAlloc")
KERNEL32!GetProcAddress (0x7C800000,"GetStdHandle")
KERNEL32!GetProcAddress (0x7C800000,"GetFileType")
KERNEL32!GetProcAddress (0x7C800000,"HeapCreate")
KERNEL32!GetProcAddress (0x7C800000,"HeapDestroy")
KERNEL32!GetProcAddress (0x7C800000,"GetVersion")
KERNEL32!GetProcAddress (0x7C800000,"GetCommandLineA")
KERNEL32!GetProcAddress (0x7C800000,"GetStartupInfoA")
KERNEL32!GetProcAddress (0x7C800000,"GetSystemTimeAsFileTime")
KERNEL32!GetProcAddress (0x7C800000,"RtlUnwind")
KERNEL32!GetProcAddress (0x7C800000,"SetCurrentDirectoryA")
KERNEL32!GetProcAddress (0x7C800000,"GetCurrentDirectoryA")
KERNEL32!GetProcAddress (0x7C800000,"SetEnvironmentVariableA")
KERNEL32!GetProcAddress (0x7C800000,"SetStdHandle")
KERNEL32!GetProcAddress (0x7C800000,"HeapReAlloc")
KERNEL32!GetProcAddress (0x7C800000,"GetStringTypeW")
KERNEL32!GetProcAddress (0x7C800000,"GetStringTypeA")
KERNEL32!GetProcAddress (0x7C800000,"CompareStringW")
KERNEL32!GetProcAddress (0x7C800000,"CompareStringA")
KERNEL32!GetProcAddress (0x7C800000,"SetEndOfFile")
KERNEL32!GetProcAddress (0x7C800000,"GetOEMCP")
KERNEL32!GetProcAddress (0x7C800000,"GetACP")
KERNEL32!GetProcAddress (0x7C800000,"GetCPInfo")
KERNEL32!GetProcAddress (0x7C800000,"FlushFileBuffers")
KERNEL32!GetProcAddress (0x7C800000,"LCMapStringA")
KERNEL32!GetProcAddress (0x7C800000,"GetEnvironmentStringsW")
KERNEL32!GetProcAddress (0x7C800000,"GetEnvironmentStrings")
KERNEL32!GetProcAddress (0x7C800000,"FreeEnvironmentStringsA")
KERNEL32!GetProcAddress (0x7C800000,"SetHandleCount")
KERNEL32!GetProcAddress (0x7C800000,"FreeEnvironmentStringsW")
KERNEL32!GetProcAddress (0x7C800000,"LCMapStringW")
KERNEL32!GetProcAddress (0x7C800000,"UnhandledExceptionFilter")
KERNEL32!GetModuleHandleA ("USER32.dll")
KERNEL32!GetProcAddress (0x77D30000,"CharUpperA")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!GetProcAddress (0x77D30000,"CharUpperBuffA")
KERNEL32!GetProcAddress (0x77D30000,"CharLowerA")
KERNEL32!GetProcAddress (0x77D30000,"DispatchMessageA")
KERNEL32!GetProcAddress (0x77D30000,"TranslateMessage")
KERNEL32!GetProcAddress (0x77D30000,"GetMessageA")
KERNEL32!GetProcAddress (0x77D30000,"CreateWindowExA")
KERNEL32!GetProcAddress (0x77D30000,"RegisterClassA")
KERNEL32!GetProcAddress (0x77D30000,"LoadCursorA")
KERNEL32!GetProcAddress (0x77D30000,"LoadIconA")
KERNEL32!GetProcAddress (0x77D30000,"DefWindowProcA")
KERNEL32!GetProcAddress (0x77D30000,"SetTimer")
KERNEL32!GetProcAddress (0x77D30000,"KillTimer")
KERNEL32!GetProcAddress (0x77D30000,"wvsprintfA")
KERNEL32!GetProcAddress (0x77D30000,"PostQuitMessage")
KERNEL32!GetModuleHandleA ("GDI32.dll")
KERNEL32!GetProcAddress (0x77F10000,"GetStockObject")
KERNEL32!GetModuleHandleA ("ADVAPI32.dll")
KERNEL32!GetProcAddress (0x77DC0000,"OpenServiceA")
KERNEL32!GetProcAddress (0x77DC0000,"StartServiceA")
KERNEL32!GetProcAddress (0x77DC0000,"QueryServiceStatus")
KERNEL32!GetProcAddress (0x77DC0000,"StartServiceCtrlDispatcherA")
KERNEL32!GetProcAddress (0x77DC0000,"RegisterServiceCtrlHandlerA")
KERNEL32!GetProcAddress (0x77DC0000,"SetServiceStatus")
KERNEL32!GetProcAddress (0x77DC0000,"RegOpenKeyExA")
KERNEL32!GetProcAddress (0x77DC0000,"RegCloseKey")
KERNEL32!GetProcAddress (0x77DC0000,"RegSetValueExA")
KERNEL32!GetProcAddress (0x77DC0000,"CreateServiceA")
KERNEL32!GetProcAddress (0x77DC0000,"OpenSCManagerA")
KERNEL32!GetProcAddress (0x77DC0000,"CloseServiceHandle")
KERNEL32!GetProcAddress (0x77DC0000,"RegSetValueExW")
USER32!wsprintfA (0x4FFD09BC,"** Could not resolve API %x - %s [%x]
",0x77DC0000....)
KERNEL32!GetProcAddress (0x77DC0000,"RegQueryValueExW")
KERNEL32!GetProcAddress (0x77DC0000,"RegOpenKeyExW")
KERNEL32!GetProcAddress (0x77DC0000,"AdjustTokenPrivileges")
KERNEL32!GetProcAddress (0x77DC0000,"LookupPrivilegeValueA")
KERNEL32!GetProcAddress (0x77DC0000,"OpenProcessToken")
KERNEL32!GetProcAddress (0x77DC0000,"RegQueryValueExA")
KERNEL32!GetProcAddress (0x77DC0000,"RegCreateKeyA")
KERNEL32!GetProcAddress (0x77DC0000,"RegOpenKeyA")
KERNEL32!GetProcAddress (0x77DC0000,"RegEnumKeyA")
KERNEL32!GetModuleHandleA ("SHELL32.dll")
KERNEL32!LoadLibraryA ("SHELL32.dll")
KERNEL32!GetModuleHandleA ("SHELL32.dll")
KERNEL32!strcpy (0x4FFD0AC0,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","SHELL32.dll")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\SHELL32.dll",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\SHELL32.dll",0x00000000)
PageFault tbl, 0x00000006 entries, fhandle=0x720045BD
 |offset 0x7C9C0000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x7C9C1000, seek 0x00000600, size 0x00001000, flags=0x00000000
 |offset 0x7C9C2000, seek 0x00001600, size 0x00000400, flags=0x00000000
 |offset 0x7C9C3000, seek 0x00001A00, size 0x00000200, flags=0x00000000
 |offset 0x7C9C4000, seek 0x00001C00, size 0x00000200, flags=0x00000000
 |offset 0x7C9C5000, seek 0x00001E00, size 0x00000400, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"CloseHandle")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileA")
KERNEL32!GetProcAddress (0x7C800000,"HeapAlloc")
KERNEL32!GetProcAddress (0x7C800000,"DeleteFileA")
KERNEL32!GetProcAddress (0x7C800000,"CreateProcessA")
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x7C9C0000,"CPlApplet")
KERNEL32!GetProcAddress (0x7C9C0000,"ShellExecuteA")
KERNEL32!GetModuleHandleA ("WSOCK32.dll")
KERNEL32!LoadLibraryA ("WSOCK32.dll")
KERNEL32!GetModuleHandleA ("WSOCK32.dll")
KERNEL32!strcpy (0x4FFD0AC0,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","WSOCK32.dll")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\WSOCK32.dll",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\WSOCK32.dll",0x00000000)
PageFault tbl, 0x00000008 entries, fhandle=0x72004351
 |offset 0x733C0000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x733C1000, seek 0x00000800, size 0x00001000, flags=0x00000000
 |offset 0x733C2000, seek 0x00001800, size 0x00001000, flags=0x00000000
 |offset 0x733C3000, seek 0x00002800, size 0x00000C00, flags=0x00000000
 |offset 0x733C4000, seek 0x00003400, size 0x00000400, flags=0x00000000
 |offset 0x733C5000, seek 0x00003800, size 0x00000400, flags=0x00000000
 |offset 0x733C6000, seek 0x00003C00, size 0x00001000, flags=0x00000000
 |offset 0x733C7000, seek 0x00004C00, size 0x00000C00, flags=0x00000008
KERNEL32!LoadLibraryA ("ipstack.dll")
KERNEL32!GetModuleHandleA ("ipstack.dll")
KERNEL32!strcpy (0x4FFD0890,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","ipstack.dll")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\ipstack.dll",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\ipstack.dll",0x00000000)
PageFault tbl, 0x0000000B entries, fhandle=0x72004A0D
 |offset 0x73350000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x73351000, seek 0x00000600, size 0x00001000, flags=0x00000000
 |offset 0x73352000, seek 0x00001600, size 0x00001000, flags=0x00000000
 |offset 0x73353000, seek 0x00002600, size 0x00000A00, flags=0x00000000
 |offset 0x73354000, seek 0x00003000, size 0x00001000, flags=0x00000000
 |offset 0x73355000, seek 0x00004000, size 0x00001000, flags=0x00000000
 |offset 0x73356000, seek 0x00005000, size 0x00001000, flags=0x00000000
 |offset 0x73357000, seek 0x00006000, size 0x00001000, flags=0x00000000
 |offset 0x73358000, seek 0x00007000, size 0x00000A00, flags=0x00000000
 |offset 0x73359000, seek 0x00007A00, size 0x00000200, flags=0x00000000
 |offset 0x7335A000, seek 0x00007C00, size 0x00000200, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"WriteFile")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileA")
KERNEL32!GetProcAddress (0x7C800000,"CloseHandle")
KERNEL32!GetProcAddress (0x7C800000,"GetFileAttributesA")
KERNEL32!GetProcAddress (0x7C800000,"ReadFile")
KERNEL32!GetProcAddress (0x7C800000,"HeapAlloc")
KERNEL32!GetProcAddress (0x7C800000,"HeapFree")
KERNEL32!GetProcAddress (0x7C800000,"EnterCriticalSection")
KERNEL32!GetProcAddress (0x7C800000,"LeaveCriticalSection")
KERNEL32!GetProcAddress (0x7C800000,"ExitThread")
KERNEL32!GetProcAddress (0x7C800000,"GetFileSize")
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x73350000,"CPlApplet")
KERNEL32!GetProcAddress (0x73350000,"ip_reverse_dns")
KERNEL32!GetProcAddress (0x73350000,"ip_close")
KERNEL32!GetProcAddress (0x73350000,"ip_connect")
KERNEL32!GetProcAddress (0x73350000,"ip_transfer_data")
KERNEL32!GetProcAddress (0x73350000,"ip_receive_data")
KERNEL32!GetProcAddress (0x73350000,"ip_gethostbyname")
KERNEL32!GetProcAddress (0x73350000,"ip_gethostname")
KERNEL32!GetProcAddress (0x73350000,"ip_retrieve_socket_data")
KERNEL32!GetProcAddress (0x73350000,"ip_release_socket")
KERNEL32!GetProcAddress (0x73350000,"ip_allocate_socket")
KERNEL32!GetProcAddress (0x73350000,"ip_bind_port")
KERNEL32!GetProcAddress (0x73350000,"ip_listen_port")
KERNEL32!GetProcAddress (0x73350000,"ip_getservbyname")
KERNEL32!GetProcAddress (0x73350000,"ip_query_protocol")
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"Sleep")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x733C0000,"CPlApplet")
KERNEL32!GetProcAddress (0x733C0000,00020)
KERNEL32!GetProcAddress (0x733C0000,00018)
KERNEL32!GetProcAddress (0x733C0000,00015)
KERNEL32!GetProcAddress (0x733C0000,00021)
KERNEL32!GetProcAddress (0x733C0000,00002)
KERNEL32!GetProcAddress (0x733C0000,00008)
KERNEL32!GetProcAddress (0x733C0000,00011)
KERNEL32!GetProcAddress (0x733C0000,00014)
KERNEL32!GetProcAddress (0x733C0000,00115)
KERNEL32!GetProcAddress (0x733C0000,00023)
KERNEL32!GetProcAddress (0x733C0000,00052)
KERNEL32!GetProcAddress (0x733C0000,00009)
KERNEL32!GetProcAddress (0x733C0000,00010)
KERNEL32!GetProcAddress (0x733C0000,00057)
KERNEL32!GetProcAddress (0x733C0000,00004)
KERNEL32!GetProcAddress (0x733C0000,00016)
KERNEL32!GetProcAddress (0x733C0000,00019)
KERNEL32!GetProcAddress (0x733C0000,00003)
KERNEL32!GetProcAddress (0x733C0000,00116)
KERNEL32!GetModuleHandleA ("MPR.dll")
KERNEL32!LoadLibraryA ("MPR.dll")
KERNEL32!GetModuleHandleA ("MPR.dll")
KERNEL32!strcpy (0x4FFD0AC0,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","MPR.dll")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\MPR.dll",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\MPR.dll",0x00000000)
PageFault tbl, 0x00000005 entries, fhandle=0x72004805
 |offset 0x733D0000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x733D1000, seek 0x00000600, size 0x00000A00, flags=0x00000000
 |offset 0x733D2000, seek 0x00001000, size 0x00000800, flags=0x00000000
 |offset 0x733D3000, seek 0x00001800, size 0x00000200, flags=0x00000000
 |offset 0x733D4000, seek 0x00001A00, size 0x00000200, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"HeapAlloc")
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x733D0000,"CPlApplet")
KERNEL32!GetProcAddress (0x733D0000,"WNetCancelConnection2A")
KERNEL32!GetProcAddress (0x733D0000,"WNetAddConnection2A")
KERNEL32!GetModuleHandleA ("WS2_32.dll")
KERNEL32!LoadLibraryA ("WS2_32.dll")
KERNEL32!GetModuleHandleA ("WS2_32.dll")
KERNEL32!strcpy (0x4FFD0AC0,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","WS2_32.dll")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\WS2_32.dll",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\WS2_32.dll",0x00000000)
PageFault tbl, 0x00000008 entries, fhandle=0x72004996
 |offset 0x733B0000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x733B1000, seek 0x00000800, size 0x00001000, flags=0x00000000
 |offset 0x733B2000, seek 0x00001800, size 0x00001000, flags=0x00000000
 |offset 0x733B3000, seek 0x00002800, size 0x00000C00, flags=0x00000000
 |offset 0x733B4000, seek 0x00003400, size 0x00000400, flags=0x00000000
 |offset 0x733B5000, seek 0x00003800, size 0x00000400, flags=0x00000000
 |offset 0x733B6000, seek 0x00003C00, size 0x00001000, flags=0x00000000
 |offset 0x733B7000, seek 0x00004C00, size 0x00000400, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"HeapFree")
KERNEL32!GetProcAddress (0x7C800000,"HeapAlloc")
KERNEL32!GetProcAddress (0x7C800000,"CloseHandle")
KERNEL32!GetProcAddress (0x7C800000,"Sleep")
KERNEL32!GetProcAddress (0x7C800000,"ExitThread")
KERNEL32!GetProcAddress (0x7C800000,"WriteFile")
KERNEL32!GetProcAddress (0x7C800000,"CreateFileA")
KERNEL32!LoadLibraryA ("user32.dll")
KERNEL32!GetModuleHandleA ("user32.dll")
KERNEL32!GetProcAddress (0x77D30000,"wsprintfA")
KERNEL32!LoadLibraryA ("ipstack.dll")
KERNEL32!GetModuleHandleA ("ipstack.dll")
KERNEL32!GetProcAddress (0x73350000,"ip_gethostname")
KERNEL32!GetProcAddress (0x73350000,"ip_gethostbyname")
KERNEL32!GetProcAddress (0x73350000,"ip_receive_data")
KERNEL32!GetProcAddress (0x73350000,"ip_transfer_data")
KERNEL32!GetProcAddress (0x73350000,"ip_getservbyname")
KERNEL32!GetProcAddress (0x73350000,"ip_retrieve_socket_data")
KERNEL32!GetProcAddress (0x73350000,"ip_connect")
KERNEL32!GetProcAddress (0x73350000,"ip_listen_port")
KERNEL32!GetProcAddress (0x73350000,"ip_bind_port")
KERNEL32!GetProcAddress (0x73350000,"ip_close")
KERNEL32!GetProcAddress (0x73350000,"ip_allocate_socket")
KERNEL32!GetProcAddress (0x73350000,"ip_query_protocol")
KERNEL32!GetProcAddress (0x73350000,"ip_reverse_dns")
KERNEL32!GetProcAddress (0x73350000,"ip_release_socket")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x733B0000,"CPlApplet")
KERNEL32!GetProcAddress (0x733B0000,"WSAIoctl")
KERNEL32!GetModuleHandleA ("PSAPI.DLL")
KERNEL32!LoadLibraryA ("PSAPI.DLL")
KERNEL32!GetModuleHandleA ("PSAPI.DLL")
KERNEL32!strcpy (0x4FFD0AC0,"C:\WINDOWS\SYSTEM32")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\")
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32\","PSAPI.DLL")
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\PSAPI.DLL",0x00000000)
KERNEL32!GetFileSize (0x00000020,0x00000000)
KERNEL32!_lclose (0x00000020)
KERNEL32!CloseHandle (0x00000020)
KERNEL32!WinExec ("C:\WINDOWS\SYSTEM32\PSAPI.DLL",0x00000000)
PageFault tbl, 0x00000005 entries, fhandle=0x72005123
 |offset 0x76BE0000, seek 0x00000000, size 0x00000400, flags=0x00000004
 |offset 0x76BE1000, seek 0x00000600, size 0x00000400, flags=0x00000000
 |offset 0x76BE2000, seek 0x00000A00, size 0x00000200, flags=0x00000000
 |offset 0x76BE3000, seek 0x00000C00, size 0x00000200, flags=0x00000000
 |offset 0x76BE4000, seek 0x00000E00, size 0x00000200, flags=0x00000008
KERNEL32!LoadLibraryA ("kernel32.dll")
KERNEL32!GetModuleHandleA ("kernel32.dll")
KERNEL32!GetProcAddress (0x7C800000,"ProcessHead")
KERNEL32!GetProcAddress (0x7C800000,"GetModuleFileNameA")
KERNEL32!HeapAlloc (0x00000000,0x00000008,0x00000118)
KERNEL32!GetProcAddress (0x76BE0000,"CPlApplet")
KERNEL32!GetProcAddress (0x76BE0000,"EnumProcesses")
KERNEL32!GetProcAddress (0x76BE0000,"GetModuleBaseNameW")
KERNEL32!GetProcAddress (0x76BE0000,"EnumProcessModules")
KERNEL32!GetVersion ()
KERNEL32!HeapCreate (0x00000001,0x00001000,0x00000000)
KERNEL32!HeapAlloc (0x00000001,0x00000000,0x00000140)
KERNEL32!HeapAlloc (0x00000001,0x00000008,0x000041C4)
KERNEL32!VirtualAlloc (0x00000000,0x00100000,0x00002000,0x00000004)
KERNEL32!VirtualAlloc (0x7406F000,0x00008000,0x00001000,0x00000004)
PageFault tbl, 0x00000008 entries, fhandle=0xFFFFFFFF
 |offset 0x7406F000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74070000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74071000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74072000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74073000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74074000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74075000, seek 0x00000000, size 0x00001000, flags=0x00000000
 |offset 0x74076000, seek 0x00000000, size 0x00001000, flags=0x00000008
KERNEL32!GetStartupInfo (0x4FFD0B2C)
KERNEL32!GetStdHandle (0xFFFFFFF6)
KERNEL32!GetStdHandle (0xFFFFFFF5)
KERNEL32!GetStdHandle (0xFFFFFFF4)
KERNEL32!SetHandleCount (0x00000020)
KERNEL32!GetCommandLineA ()
KERNEL32!GetEnvironmentStringsW ()
KERNEL32!GetEnvironmentStrings ()
KERNEL32!FreeEnvironmentStringsA ("=C:=C:\WINDOWS")
KERNEL32!GetACP ()
KERNEL32!GetCPInfo (0x000004E4,0x4FFD0B30)
KERNEL32!GetCPInfo (0x000004E4,0x4FFD0B08)
KERNEL32!GetStringTypeW (0x00000001,0x00410C54,0x00000001,0x4FFD05C4)
KERNEL32!GetStringTypeA (0x00000000,0x00000001,0x0042E32C,0x00000001,0x4FFD05C4)
KERNEL32!LCMapStringW (0x00000000,0x00000100,0x00410C54,0x00000001,0x00000000,0x00000000)
KERNEL32!MultiByteToWideChar (0x000004E4,0x00000001,0x4FFD0A08,0x00000100,0x00000000,0x00000000)
KERNEL32!MultiByteToWideChar (0x000004E4,0x00000001,0x4FFD0A08,0x00000100,0x4FFD0388,0x00000100)
KERNEL32!LCMapStringW (0x00000000,0x00000100,0x4FFD0388,0x00000100,0x00000000,0x00000000)
KERNEL32!LCMapStringW (0x00000000,0x00000100,0x4FFD0388,0x00000100,0x4FFD0384,0x00000001)
KERNEL32!WideCharToMultiByte (0x000004E4,0x00000220,0x4FFD0384,0x00000001,0x4FFD0908,0x00000100,0x00000000,0x00000000)
KERNEL32!MultiByteToWideChar (0x000004E4,0x00000001,0x4FFD0A08,0x00000100,0x00000000,0x00000000)
KERNEL32!MultiByteToWideChar (0x000004E4,0x00000001,0x4FFD0A08,0x00000100,0x4FFD0368,0x00000100)
KERNEL32!LCMapStringW (0x00000000,0x00000200,0x4FFD0368,0x00000100,0x00000000,0x00000000)
KERNEL32!LCMapStringW (0x00000000,0x00000200,0x4FFD0368,0x00000100,0x4FFD0364,0x00000001)
KERNEL32!WideCharToMultiByte (0x000004E4,0x00000220,0x4FFD0364,0x00000001,0x4FFD0808,0x00000100,0x00000000,0x00000000)
KERNEL32!GetModuleFileNameA (0x00000000,0x0042EB64,0x00000104)
KERNEL32!HeapAlloc (0x00000001,0x00000008,0x00000800)
KERNEL32!GetStartupInfo (0x4FFD0B8C)
KERNEL32!GetModuleHandleA (NULL)
KERNEL32!LoadLibraryA ("PSAPI.DLL")
KERNEL32!GetModuleHandleA ("PSAPI.DLL")
KERNEL32!GetProcAddress (0x76BE0000,"EnumProcesses")
KERNEL32!GetProcAddress (0x76BE0000,"EnumProcessModules")
KERNEL32!GetProcAddress (0x76BE0000,"GetModuleFileNameExA")
PSAPI!EnumProcesses (0x4FFCFB00,0x00001000,0x4FFD0B00)
USER32!LoadIconA (0x00000000,0x00007F00)
USER32!LoadCursorA (0x00000000,0x00007F00)
GDI32!GetStockObject (0x00000000)
USER32!RegisterClassA (0x4FFD0B18)
USER32!CreateWindowExA (0x00000000,"TEST","TEST 666",0x00CF0000,00000066,00000030,00000006,00000006,0x00000000,0x00000000,0x00400000,0x00000000)
USER32!SetTimer (0x00000020,0x00000315,0x0000EA60,0x00000000)
KERNEL32!GetSystemDirectoryA (0x4FFD0868,0x00000104)
KERNEL32!GetModuleFileNameA (0x00000000,0x4FFD096C,0x00000104)
KERNEL32!lstrcat ("C:\WINDOWS\SYSTEM32","\RAVMOND.exe")
KERNEL32!CopyFileA ("c:\sample.exe","C:\WINDOWS\SYSTEM32\RAVMOND.exe",0x00000001)
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\RAVMOND.exe")
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\RAVMOND.exe")
KERNEL32!CreateFileA ("c:\sample.exe",0x80000000,0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000021,0x00000000)
KERNEL32!CreateFileA ("C:\WINDOWS\SYSTEM32\RAVMOND.exe",0x40000000,0x00000000,0x00000000,0x00000002,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000022,0x00000000)
KERNEL32!GetFileSize (0x00000021,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00008000)
KERNEL32!ReadFile (0x00000021,0x7300588C,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000022,0x7300588C,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000021,0x7300588C,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000022,0x7300588C,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000021,0x7300588C,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000022,0x7300588C,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000021,0x7300588C,0x00003E00,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000022,0x7300588C,0x00003E00,0x00000000,0x00000000)
KERNEL32!CloseHandle (0x00000022)
KERNEL32!CloseHandle (0x00000021)
KERNEL32!GetWindowsDirectoryA (0x4FFD0764,0x00000104)
KERNEL32!lstrcat ("C:\WINDOWS","\win.ini")
KERNEL32!WritePrivateProfileStringA ("WINDOWS","run","RAVMOND.exe","C:\WINDOWS\win.ini")
KERNEL32!CreateFileA ("C:\WINDOWS\win.ini",0xC0000000,0x00000000,0x00000000,0x00000004,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000021,0x00000000)
KERNEL32!WriteFile (0x00000021,0x4FFD0644,0x00000020,0x00000000,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00001010)
KERNEL32!CloseHandle (0x00000021)
KERNEL32!HeapFree (0x00000000,0x00000000,0x7300D894)
KERNEL32!CreateProcessA ("RAVMOND.exe",NULL,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000)
KERNEL32!_lopen ("RAVMOND.exe",0x00000000)
KERNEL32!_lopen ("C:\WINDOWS\RAVMOND.exe",0x00000000)
KERNEL32!_lopen ("C:\WINDOWS\SYSTEM32\RAVMOND.exe",0x00000000)
KERNEL32!GetFileSize (0x00000021,0x00000000)
KERNEL32!ReadFile (0x00000021,0x4FFD01C0,0x00000004,0x4FFD03C4,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00001010)
KERNEL32!CloseHandle (0x00000021)
KERNEL32!HeapFree (0x00000000,0x00000000,0x7300D894)
KERNEL32!SetFileAttributesA ("C:\WINDOWS\SYSTEM32\RAVMOND.exe",0x00000001)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00000100)
KERNEL32!CreateEventA (0x00000000,0x00000000,0x00000001,"Anti_virus_v99")
KERNEL32!GetLastError ()
KERNEL32!Sleep (0x00007530)
KERNEL32!CreateThread (0x4FFD0A60,0x00000000,0x00402884,0x00000000,0x00000000,0x4FFD0A6C)
KERNEL32!CreateFileA ("c:\NetLog.txt",0x80000000,0x00000003,0x4FFCF9D4,0x00000003,0x00000080,0x00000000)
KERNEL32!GetLastError ()
KERNEL32!CreateThread (0x4FFD0A60,0x00000000,0x00403032,0x00000000,0x00000000,0x4FFD0A6C)
KERNEL32!CreateThread (0x4FFD0A60,0x00000000,0x00401FA0,0x00000000,0x00000000,0x4FFD0A6C)
KERNEL32!GetModuleFileNameA (0x00000000,0x0042E150,0x00000104)
KERNEL32!CreateThread (0x4FFD0A64,0x00000000,0x0040111E,0x00000000,0x00000000,0x0042E260)
KERNEL32!GetModuleFileNameA (0x00000000,0x4FFD0790,0x00000104)
KERNEL32!GetLocalTime (0x4FFD0768)
KERNEL32!GetSystemTime (0x4FFD0758)
KERNEL32!GetTimeZoneInformation (0x4FFD06AC)
KERNEL32!GetTimeZoneInformation (0x0042EA80)
KERNEL32!WideCharToMultiByte (0x00000000,0x00000220,0x0042EA84,0xFFFFFFFF,0x00421924,0x0000003F,0x00000000,0x4FFD064C)
KERNEL32!WideCharToMultiByte (0x00000000,0x00000220,0x0042EAD8,0xFFFFFFFF,0x00421964,0x0000003F,0x00000000,0x4FFD064C)
USER32!wsprintfA (0x4FFD0894,"%s%s%s",0x4FFD0A6C....)
USER32!wsprintfA (0x4FFD095C,"%s%s",0x00421180....)
KERNEL32!CreateFileA ("c:\sample.exe",0x80000000,0x00000003,0x00000000,0x00000003,0x00000080,0x00000000)
KERNEL32!GetFileSize (0x00000022,0x00000000)
KERNEL32!CreateFileA ("C:\bak.RAR",0x40000000,0x00000003,0x00000000,0x00000002,0x00000080,0x00000000)
KERNEL32!GetFileSize (0x00000023,0x00000000)
KERNEL32!GetSystemTime (0x4FFD029C)
KERNEL32!SetFilePointer (0x00000022,0x00000000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00001010)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!ReadFile (0x00000022,0x4FFCFEA0,0x00000400,0x4FFD02A4,0x00000000)
KERNEL32!LoadLibraryA ("MPR.DLL")
KERNEL32!GetModuleHandleA ("MPR.DLL")
KERNEL32!GetProcAddress (0x733D0000,"WNetOpenEnumA")
KERNEL32!GetProcAddress (0x733D0000,"WNetCloseEnum")
KERNEL32!GetProcAddress (0x733D0000,"WNetEnumResourceA")
MPR!WNetOpenEnumA (0x00000002,0x00000000,0x00000003,0x00000000,0x4FF53BE0)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00000012)
KERNEL32!HeapAlloc (0x00000001,0x00000000,0x00000400)
MPR!WNetEnumResourceA (0x7300D99C,0x4FF53BE8,0x7300D9B6,0x4FF53BE4)
MPR!WNetEnumResourceA (0x7300D99C,0x4FF53BE8,0x7406FE60,0x4FF53BE4)
KERNEL32!LoadLibraryA ("MPR.DLL")
KERNEL32!GetModuleHandleA ("MPR.DLL")
KERNEL32!GetProcAddress (0x733D0000,"WNetOpenEnumA")
KERNEL32!GetProcAddress (0x733D0000,"WNetCloseEnum")
KERNEL32!GetProcAddress (0x733D0000,"WNetEnumResourceA")
MPR!WNetOpenEnumA (0x00000002,0x00000000,0x00000003,0x7406FE60,0x4FF53BBC)
Open network resource "Microsoft Windows-nettverk" ("Microsoft Windows-nettverk")
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00000012)
KERNEL32!HeapAlloc (0x00000001,0x00000000,0x00000400)
MPR!WNetEnumResourceA (0x7300DDBE,0x4FF53BC4,0x7300DDD8,0x4FF53BC0)
MPR!WNetEnumResourceA (0x7300DDBE,0x4FF53BC4,0x7406FDF0,0x4FF53BC0)
KERNEL32!LoadLibraryA ("MPR.DLL")
KERNEL32!GetModuleHandleA ("MPR.DLL")
KERNEL32!GetProcAddress (0x733D0000,"WNetOpenEnumA")
KERNEL32!GetProcAddress (0x733D0000,"WNetCloseEnum")
KERNEL32!GetProcAddress (0x733D0000,"WNetEnumResourceA")
MPR!WNetOpenEnumA (0x00000002,0x00000000,0x00000003,0x7406FDF0,0x4FF53B98)
Open network resource "MSHOME" ("Microsoft Windows-nettverk")
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00000012)
KERNEL32!HeapAlloc (0x00000001,0x00000000,0x00000400)
MPR!WNetEnumResourceA (0x7300E1E0,0x4FF53BA0,0x7300E1FA,0x4FF53B9C)
MPR!WNetEnumResourceA (0x7300E1E0,0x4FF53BA0,0x7406FBD0,0x4FF53B9C)
KERNEL32!LoadLibraryA ("MPR.DLL")
KERNEL32!GetModuleHandleA ("MPR.DLL")
KERNEL32!GetProcAddress (0x733D0000,"WNetOpenEnumA")
KERNEL32!GetProcAddress (0x733D0000,"WNetCloseEnum")
KERNEL32!GetProcAddress (0x733D0000,"WNetEnumResourceA")
MPR!WNetOpenEnumA (0x00000002,0x00000000,0x00000003,0x7406FBD0,0x4FF53B74)
Open network resource "\\FRATTE" ("ANJA SIN")
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00000012)
KERNEL32!HeapAlloc (0x00000001,0x00000000,0x00000400)
MPR!WNetEnumResourceA (0x7300E602,0x4FF53B7C,0x7300F8C4,0x4FF53B78)
MPR!WNetEnumResourceA (0x7300E602,0x4FF53B7C,0x7406FB80,0x4FF53B78)
KERNEL32!lstrcat ("","*.exe")
KERNEL32!SetCurrentDirectory ("\\FRATTE\HP")
KERNEL32!GetCurrentDirectory (0x00000105,0x4FF536A0)
KERNEL32!SetEnvironmentVariableA ("=N:","N:\")
KERNEL32!CopyFileA ("c:\sample.exe","Adobe Photoshop6.0.zip.exe",0x00000001)
KERNEL32!GetFileAttributesA ("Adobe Photoshop6.0.zip.exe")
KERNEL32!GetFileAttributesA ("Adobe Photoshop6.0.zip.exe")
KERNEL32!CreateFileA ("c:\sample.exe",0x80000000,0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000024,0x00000000)
KERNEL32!CreateFileA ("Adobe Photoshop6.0.zip.exe",0x40000000,0x00000000,0x00000000,0x00000002,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000025,0x00000000)
KERNEL32!GetFileSize (0x00000024,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00008000)
KERNEL32!ReadFile (0x00000024,0x7300FCCC,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7300FCCC,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x7300FCCC,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7300FCCC,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x7300FCCC,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7300FCCC,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x7300FCCC,0x00003E00,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7300FCCC,0x00003E00,0x00000000,0x00000000)
KERNEL32!CloseHandle (0x00000025)
KERNEL32!CloseHandle (0x00000024)
KERNEL32!lstrcpynA (0x4FF53A08,"\\FRATTE\HP",0x00000103)
KERNEL32!lstrlenA ("\\FRATTE\HP")
KERNEL32!lstrlenA ("\\FRATTE\HP")
KERNEL32!lstrlenA ("\\FRATTE\HP")
KERNEL32!lstrcpynA (0x4FF53A13,"\*",0x000000F9)
KERNEL32!FindFirstFileA ("\\FRATTE\HP\*",0x4FF537C0)
KERNEL32!lstrcmpA (".",".")
KERNEL32!FindNextFileA (0xFFFF1087,0x4FF537C0)
KERNEL32!lstrcmpA ("..",".")
KERNEL32!lstrcmpA ("..","..")
KERNEL32!FindNextFileA (0xFFFF1087,0x4FF537C0)
KERNEL32!lstrcmpA ("AUTOEXEC.BAT",".")
KERNEL32!lstrcmpA ("AUTOEXEC.BAT","..")
KERNEL32!FindNextFileA (0xFFFF1087,0x4FF537C0)
KERNEL32!lstrcmpA ("WINDOWS",".")
KERNEL32!lstrcmpA ("WINDOWS","..")
KERNEL32!lstrcpynA (0x4FF53900,"\\FRATTE\HP",0x00000103)
KERNEL32!lstrlenA ("\\FRATTE\HP")
KERNEL32!lstrcat ("\\FRATTE\HP","\")
KERNEL32!lstrlenA ("\\FRATTE\HP\")
KERNEL32!lstrlenA ("\\FRATTE\HP\")
KERNEL32!lstrcpynA (0x4FF5390C,"WINDOWS",0x000000F8)
KERNEL32!lstrcat ("","*.exe")
KERNEL32!SetCurrentDirectory ("\\FRATTE\HP\WINDOWS")
KERNEL32!GetCurrentDirectory (0x00000105,0x4FF532F4)
KERNEL32!SetEnvironmentVariableA ("=N:","N:\WINDOWS")
KERNEL32!CopyFileA ("c:\sample.exe","Adobe Photoshop6.0.zip.exe",0x00000001)
KERNEL32!GetFileAttributesA ("Adobe Photoshop6.0.zip.exe")
KERNEL32!GetFileAttributesA ("Adobe Photoshop6.0.zip.exe")
KERNEL32!CreateFileA ("c:\sample.exe",0x80000000,0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000024,0x00000000)
KERNEL32!CreateFileA ("Adobe Photoshop6.0.zip.exe",0x40000000,0x00000000,0x00000000,0x00000002,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000025,0x00000000)
KERNEL32!GetFileSize (0x00000024,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00008000)
KERNEL32!ReadFile (0x00000024,0x73017CD4,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x73017CD4,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x73017CD4,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x73017CD4,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x73017CD4,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x73017CD4,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x73017CD4,0x00003E00,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x73017CD4,0x00003E00,0x00000000,0x00000000)
KERNEL32!CloseHandle (0x00000025)
KERNEL32!CloseHandle (0x00000024)
KERNEL32!lstrcpynA (0x4FF5365C,"\\FRATTE\HP\WINDOWS",0x00000103)
KERNEL32!lstrlenA ("\\FRATTE\HP\WINDOWS")
KERNEL32!lstrlenA ("\\FRATTE\HP\WINDOWS")
KERNEL32!lstrlenA ("\\FRATTE\HP\WINDOWS")
KERNEL32!lstrcpynA (0x4FF5366F,"\*",0x000000F1)
KERNEL32!FindFirstFileA ("\\FRATTE\HP\WINDOWS\*",0x4FF53414)
KERNEL32!lstrcmpA (".",".")
KERNEL32!FindNextFileA (0xFFFF10B1,0x4FF53414)
KERNEL32!lstrcmpA ("..",".")
KERNEL32!lstrcmpA ("..","..")
KERNEL32!FindNextFileA (0xFFFF10B1,0x4FF53414)
KERNEL32!lstrcmpA ("WIN.INI",".")
KERNEL32!lstrcmpA ("WIN.INI","..")
KERNEL32!FindNextFileA (0xFFFF10B1,0x4FF53414)
KERNEL32!lstrcmpA ("NOTEPAD.EXE",".")
KERNEL32!lstrcmpA ("NOTEPAD.EXE","..")
KERNEL32!FindNextFileA (0xFFFF10B1,0x4FF53414)
KERNEL32!lstrcmpA ("StartM~1",".")
KERNEL32!lstrcmpA ("StartM~1","..")
KERNEL32!lstrcpynA (0x4FF53554,"\\FRATTE\HP\WINDOWS",0x00000103)
KERNEL32!lstrlenA ("\\FRATTE\HP\WINDOWS")
KERNEL32!lstrcat ("\\FRATTE\HP\WINDOWS","\")
KERNEL32!lstrlenA ("\\FRATTE\HP\WINDOWS\")
KERNEL32!lstrlenA ("\\FRATTE\HP\WINDOWS\")
KERNEL32!lstrcpynA (0x4FF53568,"StartM~1",0x000000F0)
KERNEL32!lstrcat ("","*.exe")
KERNEL32!SetCurrentDirectory ("\\FRATTE\HP\WINDOWS\StartM~1")
KERNEL32!GetCurrentDirectory (0x00000105,0x4FF52F48)
KERNEL32!SetEnvironmentVariableA ("=N:","N:\WINDOWS\StartM~1")
KERNEL32!CopyFileA ("c:\sample.exe","Adobe Photoshop6.0.zip.exe",0x00000001)
KERNEL32!GetFileAttributesA ("Adobe Photoshop6.0.zip.exe")
KERNEL32!GetFileAttributesA ("Adobe Photoshop6.0.zip.exe")
KERNEL32!CreateFileA ("c:\sample.exe",0x80000000,0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000024,0x00000000)
KERNEL32!CreateFileA ("Adobe Photoshop6.0.zip.exe",0x40000000,0x00000000,0x00000000,0x00000002,0x00000000,0x00000000)
KERNEL32!GetFileSize (0x00000025,0x00000000)
KERNEL32!GetFileSize (0x00000024,0x00000000)
KERNEL32!HeapAlloc (0x00000000,0x00000000,0x00008000)
KERNEL32!ReadFile (0x00000024,0x7301FCDC,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7301FCDC,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x7301FCDC,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7301FCDC,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x7301FCDC,0x00008000,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7301FCDC,0x00008000,0x00000000,0x00000000)
KERNEL32!ReadFile (0x00000024,0x7301FCDC,0x00003E00,0x00000000,0x00000000)
KERNEL32!WriteFile (0x00000025,0x7301FCDC,0x00003E00,0x00000000,0x00000000)
KERNEL32!CloseHandle (0x00000025)