Created January 14, 2014 15:59
Unknown behaviors consisting of at least two API groups, extracted both with and without the details of the attribute (argument) values. The first column is the number of groups that form the behavior, not the number of individual API names: a single group may itself contain several comma-separated API names (e.g. 'CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString'), and such a group counts as one. Lines that look identical (e.g. repeated ['socket', 'connect'] or ['socket', 'send,sendto'] entries) are presumably distinct only in the attribute values, which are not shown here; treat them as separate behaviors rather than duplicates.
2: ['bind', 'listen']
2: ['bsearch', 'LoadLibrary']
2: ['CoCreateInstance', 'GetAcceptLanguages']
2: ['CoCreateInstance', 'gethostbyname']
2: ['CoCreateInstance', 'MapMemRegion']
2: ['CoCreateInstance', 'socket']
2: ['CoInitialize', 'MapMemRegion']
2: ['CreateDirectory', 'GetProcAddress']
2: ['CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'GetTempPath']
2: ['createevent', 'socket']
2: ['CreateFileMapping,NtCreateSection', 'NtClose']
2: ['CreateFile,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtClose']
2: ['CreateFile', 'SHGetFolderPath']
2: ['CreateRemoteThread', 'CoCreateInstance']
2: ['CreateRemoteThread', 'GetVersion']
2: ['CreateRemoteThread', 'LdrLoadDll']
2: ['CreateRemoteThread', 'NtClose']
2: ['CreateRemoteThread', 'RegOpenKey']
2: ['CreateThread', 'GetAdaptersInfo']
2: ['CreateToolhelp32Snapshot', 'CloseHandle']
2: ['CreateWindow,MapMemRegion,MemWrite,RegisterClass', 'DialogBoxParam']
2: ['CryptAcquireContext', 'KiUserApcDispatcher']
2: ['DialogBoxParam', 'LoadLibrary']
2: ['EnumProcesses,LocalAlloc,LocalFree,NtQuerySystemInformation', 'KiUserApcDispatcher']
2: ['EnumSystemLocales,MapMemRegion', 'IsValidLocale']
2: ['eventselect', 'socket']
2: ['ExitProcess', 'SHGetFolderPath']
2: ['ExitThread', 'ConvertStringSecurityDescriptorToSecurityDescriptor']
2: ['FindFirstFile', 'FindNextFile']
2: ['FindFirstFile', 'GetCommandLine']
2: ['FindFirstFile', 'NtClose,RtlDeleteCriticalSection,RtlEnterCriticalSection,RtlFreeHeap,RtlLeaveCriticalSection']
2: ['FindFirstFile', 'NtQueryDirectoryFile']
2: ['FindNextFile', 'FindNextFile,RtlInitUnicodeString,RtlUnicodeStringToAnsiString,memmove']
2: ['FreeLibrary,GetProcAddress,LoadLibrary,SHGetFolderPath', 'GetFileAttributes,SetErrorMode']
2: ['GetAdaptersInfo,MemWrite', 'GetComputerName']
2: ['GetAdaptersInfo,MemWrite', 'GetVolumeInformation']
2: ['GetCommandLine', 'GetFileAttributes']
2: ['GetCommandLine', 'GetProcAddress']
2: ['GetFileAttributes', 'FindFirstFile']
2: ['GetLocalTime', 'SystemTimeToFileTime']
2: ['GetModuleFileName', 'CreateFile']
2: ['GetProcAddress,startup', 'LoadLibrary,stricmp']
2: ['GetProcessVersion,NtQuerySystemInformation', 'GetVersion']
2: ['GetSystemDirectory', 'GetDiskFreeSpace,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['GetSystemDirectory', 'LoadLibrary']
2: ['GetSystemTimeAsFileTime', 'CreateEvent']
2: ['GetSystemTimeAsFileTime', 'send']
2: ['GetSystemTime', 'RtlTimeFieldsToTime']
2: ['GetTempFileName', 'CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['GetTickCount', 'CreateFile,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['GetTickCount', 'send']
2: ['GetTokenInformation', 'OpenProcessToken']
2: ['GetVersion', 'CreateFile']
2: ['GetVersion', 'GetProcAddress']
2: ['GetVersion', 'LoadLibrary,MemWrite']
2: ['GetVersion', 'NtGetContextThread']
2: ['GetVersion', 'recv']
2: ['GetVersion', 'RtlCreateHeap']
2: ['HeapCreate', 'NtAllocateVirtualMemory']
2: ['IcfGetCurrentProfileType,InterlockedIncrement', 'ConvertStringSecurityDescriptorToSecurityDescriptor']
2: ['InitializeCriticalSection,startup', 'ExitThread']
2: ['InitializeCriticalSection,startup', 'socket']
2: ['InternetGetConnectedState', 'LoadLibrary,stricmp']
2: ['InternetSetOption', 'GetUserName']
2: ['InternetSetOption', 'SHGetFolderPath']
2: ['KiUserApcDispatcher', 'CoInitialize,MapMemRegion']
2: ['KiUserApcDispatcher', 'LdrGetDllHandle']
2: ['KiUserApcDispatcher', 'RtlEnterCriticalSection,RtlLeaveCriticalSection,SysFreeString,i64tow,wcslen']
2: ['listen', 'ntohs,socket']
2: ['LoadLibrary', 'MapMemRegion']
2: ['LoadLibrary', 'NtOpenKey,RtlEnterCriticalSection,RtlInitUnicodeString,RtlLeaveCriticalSection,RtlNtStatusToDosError']
2: ['LoadLibrary', 'socket']
2: ['LoadLibrary,stricmp', 'CoCreateInstance']
2: ['LoadLibrary,stricmp', 'FreeLibrary,LdrUnloadDll']
2: ['LoadLibrary,stricmp', 'GlobalAddAtom,NtAddAtom,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['LookupPrivilegeValue', 'ConvertStringSecurityDescriptorToSecurityDescriptor']
2: ['MapMemRegion', 'GetLocalTime']
2: ['MapMemRegion', 'GetVolumeInformation,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['MapMemRegion', 'LoadTypeLib']
2: ['MapMemRegion', 'NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove']
2: ['MapMemRegion', 'OpenSCManager']
2: ['MapMemRegion', 'SHGetFolderPath']
2: ['MemWrite', 'GetProcAddress']
2: ['MemWrite', 'SHGetFolderPath']
2: ['NtClose', 'GetVersion']
2: ['NtClose', 'NtDeviceIoControlFile']
2: ['NtClose', 'NtMapViewOfSection']
2: ['NtCreateMutant,RtlInitUnicodeString', 'LoadLibrary']
2: ['NtCreateMutant,RtlInitUnicodeString', 'WaitForSingleObject']
2: ['NtDeviceIoControlFile', 'closesocket']
2: ['NtDuplicateObject', 'WaitForSingleObject']
2: ['NtQueryDefaultUILanguage', 'socket']
2: ['NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', 'FindFirstFile']
2: ['NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', 'GetProcAddress']
2: ['NtQueryInformationProcess,NtReadVirtualMemory,ReadProcessMemory', 'LoadLibrary,MapMemRegion']
2: ['NtQueryPerformanceCounter', 'GetProcAddress']
2: ['NtQuerySystemInformation', 'NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection']
2: ['NtQuerySystemInformation', 'RtlAllocateHeap']
2: ['NtSetInformationFile', 'NtQueryInformationFile']
2: ['OpenProcess', 'CloseHandle']
2: ['QueryPerformanceCounter', 'GetFileAttributes,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['rand', 'Sleep']
2: ['recv', 'CoCreateInstance']
2: ['recv', 'CreateFileMapping,NtCreateSection']
2: ['recv', 'GetProcAddress']
2: ['recv,recvfrom', 'socket']
2: ['recv', 'socket']
2: ['recv', 'socket']
2: ['RegCloseKey', 'NtOpenKey,RegOpenKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError']
2: ['RegCreateKey', 'GetProcAddress']
2: ['RegCreateKey', 'NtClose']
2: ['RegOpenKey', 'NtClose']
2: ['RegOpenKey', 'RegCreateKey']
2: ['RegOpenKey', 'RegEnumKey']
2: ['RegOpenKey', 'SE_InstallBeforeInit']
2: ['RtlAllocateHeap', 'HeapCreate']
2: ['RtlAllocateHeap', 'RtlFreeHeap']
2: ['RtlEnterCriticalSection,RtlLeaveCriticalSection,SysFreeString,i64tow,wcslen', 'KiUserApcDispatcher']
2: ['RtlFreeHeap', 'CoInitialize']
2: ['RtlpWaitForCriticalSection', 'RtlpUnWaitCriticalSection']
2: ['RtlRandom', 'NtCreateFile']
2: ['send', 'GetVersion']
2: ['socket', 'bind']
2: ['socket', 'connect']
2: ['socket', 'connect']
2: ['socket', 'GetAddrInfo,RtlAllocateHeap,RtlFreeHeap,setlasterror']
2: ['socket', 'recv,recvfrom']
2: ['socket', 'recv,recvfrom']
2: ['socket', 'recv,recvfrom']
2: ['socket', 'recv,recvfrom']
2: ['socket', 'send,sendto']
2: ['socket', 'send,sendto']
2: ['socket', 'send,sendto']
2: ['socket', 'send,sendto']
2: ['socket', 'send,sendto']
2: ['socket', 'send,sendto']
2: ['socket', 'WaitForMultipleObjects']
2: ['VerifyConsoleIoHandle', 'CsrClientCallServer']
2: ['WaitForMultipleObjects', 'createevent']
2: ['WaitForSingleObject', 'CreateMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
2: ['WaitForSingleObject', 'NtReleaseSemaphore']
3: ['addresstostring', 'socket', 'InitializeCriticalSection,startup']
3: ['bind', 'IcfGetCurrentProfileType,InterlockedIncrement', 'listen']
3: ['CloseHandle,NtClose', 'NtSetEvent,SetEvent', 'CreateEvent']
3: ['CloseHandle,NtClose,ReleaseMutex', 'CreateMutex', 'WaitForSingleObject']
3: ['CloseServiceHandle', 'OpenService', 'OpenSCManager']
3: ['CoCreateInstance', 'FreeLibrary,GetProcAddress,LoadLibrary,SHGetFolderPath', 'MapMemRegion']
3: ['CreateEvent', 'MapMemRegion,MemWrite', 'socket']
3: ['CreateFile', 'CreateMutex', 'CloseHandle']
3: ['CreateFile', 'GetFileSize', 'ReadFile']
3: ['CreateFile,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'GetFileSize', 'NtClose']
3: ['CreateRemoteThread', 'GetAdaptersInfo', 'LoadLibrary']
3: ['CreateRemoteThread', 'GetProcessVersion,NtQuerySystemInformation', 'GetVersion']
3: ['CreateRemoteThread', 'GetSystemTimeAsFileTime', 'MapMemRegion']
3: ['CreateRemoteThread', 'LoadLibrary,stricmp', 'GetProcAddress']
3: ['CreateRemoteThread', 'NtResumeThread', 'NtClose']
3: ['CreateThread', 'CloseHandle,TerminateThread', 'WaitForSingleObject']
3: ['CreateThread', 'DuplicateHandle', 'WaitForSingleObject']
3: ['CreateThread', 'QueryPerformanceCounter', 'GetProcAddress']
3: ['CreateThread', 'WaitForSingleObject', 'ResumeThread,RtlLeaveCriticalSection']
3: ['CsrClientCallServer', 'VirtualAlloc', 'VirtualQuery']
3: ['DeviceIoControl', 'CreateFile', 'CloseHandle']
3: ['EnumProcesses,LocalAlloc,LocalFree,NtQuerySystemInformation', 'ExitThread', 'ConvertStringSecurityDescriptorToSecurityDescriptor']
3: ['EnumSystemLocales,MapMemRegion', 'IsValidLocale', 'LCMapString']
3: ['ExitProcess', 'SHGetFolderPath', 'LoadLibrary']
3: ['FindFirstFile', 'NtClose,RtlDeleteCriticalSection,RtlEnterCriticalSection,RtlFreeHeap,RtlLeaveCriticalSection', 'GetCommandLine']
3: ['FindNextFile', 'FindClose', 'FindFirstFile']
3: ['FindNextFile', 'FindFirstFile', 'FindClose']
3: ['GetAdaptersInfo,MemWrite', 'GetSystemTime', 'send']
3: ['GetAddrInfo,RtlAllocateHeap,RtlFreeHeap,setlasterror', 'GetCommandLine', 'send']
3: ['GetCPInfo,GetConsoleOutputCP', 'VirtualAlloc', 'VirtualQuery']
3: ['GetFileSize', 'MapMemRegion', 'NtClose']
3: ['GetLocalTime', 'GetTimeFormat', 'GetDateFormat']
3: ['GetNativeSystemInfo', 'CreateThread', 'GetVersion']
3: ['GetProcAddress,startup', 'LoadLibrary,stricmp', 'socket']
3: ['GetSystemTime', 'GetFileSize', 'CreateFileMapping,NtCreateSection']
3: ['GetSystemTime', 'RtlTimeFieldsToTime', 'WaitForSingleObject']
3: ['GetSystemTime', 'SystemTimeToFileTime', 'WaitForSingleObject']
3: ['GetTempFileName', 'FindNextFile,RtlInitUnicodeString,RtlUnicodeStringToAnsiString,memmove', 'RemoveDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
3: ['GetTempFileName', 'LoadLibrary,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'MapMemRegion']
3: ['GetTempPath', 'CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'GetTempFileName']
3: ['GetTempPath', 'GetFileAttributes', 'CreateFile']
3: ['GetTempPath', 'MapMemRegion', 'GetVolumeInformation,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
3: ['GetTokenInformation', 'OpenProcessToken', 'CloseHandle']
3: ['GetUserDefaultUILanguage', 'socket', 'InitializeCriticalSection,startup']
3: ['GetVersion', 'GetAdaptersInfo', 'recv']
3: ['GetVersion', 'GetThreadContext,SuspendThread', 'GetSystemInfo,GetVersion']
3: ['GetVolumeInformation,LoadLibrary', 'GetAdaptersInfo', 'SHGetFolderPath']
3: ['IcfGetCurrentProfileType,InterlockedIncrement', 'CoCreateInstance', 'ConvertStringSecurityDescriptorToSecurityDescriptor']
3: ['InitializeCriticalSection,startup', 'socket', 'bind']
3: ['InitializeCriticalSection,startup', 'socket', 'connect']
3: ['InternetSetOption', 'RegCreateKey', 'RegOpenKey']
3: ['I_RpcSendReceive', 'MapMemRegion', 'MapMemRegion,MemWrite']
3: ['listen', 'socket', 'bind']
3: ['LoadLibrary', 'CreateMutex', 'CreateFile']
3: ['LoadLibrary', 'GetProcAddress', 'GetVersion']
3: ['LoadLibrary,MapMemRegion', 'ExitProcess', 'LoadLibrary']
3: ['LoadLibrary,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtAddAtom,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtDeleteAtom']
3: ['LoadLibrary', 'SHGetFolderPath', 'CreateMutex,RtlLeaveCriticalSection']
3: ['LoadLibrary,stricmp', 'GetSystemDirectory', 'GetProcAddress']
3: ['MapMemRegion', 'GetProcAddress', 'GetVersion']
3: ['MapMemRegion', 'MapMemRegion,MemWrite', 'GetProcAddress']
3: ['MapMemRegion', 'socket', 'CoCreateInstance']
3: ['MemWrite,getaddrinfo,setlasterror', 'createevent', 'socket']
3: ['MemWrite', 'GetProcAddress', 'GetVersion']
3: ['MemWrite', 'MapMemRegion', 'LsaClose,LsaLookupPrivilegeValue,LsaOpenPolicy,RtlInitUnicodeString']
3: ['MemWrite', 'MapMemRegion,MemWrite', 'CoCreateInstance']
3: ['NtClose,RtlEnterCriticalSection,RtlFreeHeap,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', 'RtlpWaitForCriticalSection', 'RtlpUnWaitCriticalSection']
3: ['NtCreateMutant,RtlInitUnicodeString', 'WaitForSingleObject', 'NtClose']
3: ['NtDuplicateObject', 'CreateFileMapping,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtClose']
3: ['NtDuplicateObject', 'NtClose', 'NtOpenProcess']
3: ['NtDuplicateObject', 'WaitForSingleObject', 'MapMemRegion,MemWrite']
3: ['NtOpenProcess', 'NtQueryInformationToken', 'recv,recvfrom']
3: ['NtOpenProcess', 'NtTerminateProcess,RtlNtStatusToDosError', 'NtClose']
3: ['NtOpenProcessToken', 'NtAdjustPrivilegesToken,RtlNtStatusToDosError,RtlSetLastWin32Error', 'NtClose']
3: ['NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', 'GetProcAddress', 'NtClose,NtOpenFile,NtSetInformationFile,RtlDosPathNameToNtPathName_U,RtlFreeHeap']
3: ['NtQueryInformationToken', 'NtOpenProcess', 'GetProcAddress']
3: ['NtQueryInformationToken,RtlNtStatusToDosError,RtlSetLastWin32Error', 'CreateRemoteThread', 'NtCreateEvent']
3: ['NtQueryPerformanceCounter', 'ioctl', 'GetProcAddress']
3: ['NtQuerySystemInformation', 'NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', 'NtOpenProcess']
3: ['NtReadVirtualMemory', 'GetProcAddress', 'NtQueryVirtualMemory']
3: ['NtSetEvent', 'CreateEvent,NtCreateEvent', 'NtClearEvent']
3: ['NtSetEvent', 'NtCreateEvent', 'NtClose']
3: ['NtSetValueKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError', 'GetSystemTimeAsFileTime', 'recv']
3: ['OpenProcess', 'CloseHandle', 'OpenProcessToken']
3: ['recv,recvfrom', 'NtDeviceIoControlFile', 'socket']
3: ['recv', 'send', 'socket']
3: ['recv', 'socket', 'ioctlsocket']
3: ['recv', 'socket', 'select']
3: ['RegCreateKey', 'MapMemRegion', 'NtClose']
3: ['RegisterEventSource', 'DeregisterEventSource,ReportEvent', 'InternetGetConnectedState,MemWrite']
3: ['RegOpenKey', 'SHGetFolderPath', 'LoadLibrary']
3: ['ResetEvent,SignalObjectAndWait,WaitForSingleObject', 'CreateMutex', 'CreateEvent']
3: ['SetEvent', 'WaitForMultipleObjects', 'CreateEvent']
3: ['SHGetFolderPath', 'MapMemRegion', 'LoadLibrary,stricmp']
3: ['socket', 'ioctl', 'NtClose']
3: ['socket', 'NtDeviceIoControlFile', 'closesocket']
3: ['socket', 'recv', 'CreateEvent']
3: ['socket', 'recv,recvfrom', 'CreateEvent']
3: ['socket', 'recv,recvfrom', 'CreateEvent']
3: ['socket', 'send', 'accept']
3: ['socket', 'startup', 'KiUserApcDispatcher']
3: ['socket', 'WaitForMultipleObjects', 'CreateEvent']
3: ['WaitForMultipleObjects', 'createevent', 'CreateEvent']
4: ['addresstostring', 'socket', 'InitializeCriticalSection,startup', 'ioctl']
4: ['CloseServiceHandle', 'OpenService', 'MapMemRegion,MemWrite', 'OpenSCManager']
4: ['CreateEvent', 'NtSetEvent', 'NtCreateEvent', 'WaitForMultipleObjects']
4: ['CreateEvent,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'LoadLibrary,stricmp', 'GetProcAddress', 'CreateEvent,NtCreateEvent,RtlAnsiStringToUnicodeString,RtlInitAnsiString,RtlInitUnicodeString']
4: ['CreateEvent', 'socket', 'bind', 'send,sendto']
4: ['CreateFile', 'GetFileSize', 'ReadFile', 'VirtualAlloc']
4: ['CreateRemoteThread', 'GetAdaptersInfo', 'recv', 'LoadLibrary']
4: ['CreateRemoteThread', 'GetSystemTimeAsFileTime', 'LoadLibrary,stricmp', 'GetProcAddress']
4: ['CreateRemoteThread', 'GetSystemTimeAsFileTime', 'recv', 'GetVersion']
4: ['CreateRemoteThread', 'ioctl', 'NtQueryPerformanceCounter', 'GetProcAddress']
4: ['CreateRemoteThread', 'listen', 'GetProcAddress,InterlockedIncrement,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrcpy', 'LoadLibrary']
4: ['CreateRemoteThread', 'NtQuerySystemInformation', 'RtlAllocateHeap', 'OpenProcess']
4: ['CreateRemoteThread', 'NtResumeThread', 'WaitForSingleObject', 'socket']
4: ['CreateRemoteThread', 'recv', 'socket', 'MapMemRegion']
4: ['CreateRemoteThread', 'RtlAllocateHeap', 'NtClose', 'WaitForSingleObject']
4: ['CreateSemaphore,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'SHGetFolderPath', 'CreateMutex', 'OpenEvent']
4: ['CreateToolhelp32Snapshot', 'OpenProcess', 'CloseHandle', 'VirtualAlloc']
4: ['CreateToolhelp32Snapshot', 'Thread32Next', 'Thread32First', 'CloseHandle']
4: ['DialogBoxParam,MapMemRegion', 'RegCreateKey', 'GetVolumeInformation', 'SHGetSpecialFolderPath']
4: ['eventselect', 'socket', 'LoadLibrary', 'GetProcAddress']
4: ['eventselect', 'socket', 'recv,recvfrom', 'createevent']
4: ['FindFirstFile', 'NtClose,RtlDeleteCriticalSection,RtlEnterCriticalSection,RtlFreeHeap,RtlLeaveCriticalSection', 'NtQueryDirectoryFile', 'NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove']
4: ['GetCommandLine', 'NtOpenSymbolicLinkObject', 'FindFirstFile', 'NtQueryInformationFile']
4: ['GetComputerName', 'MapMemRegion', 'GetAdaptersInfo,MemWrite', 'CoCreateInstance']
4: ['GetProcAddress', 'MapMemRegion,MemWrite', 'MapMemRegion', 'LoadLibrary']
4: ['GetSystemTimeAsFileTime', 'MapMemRegion,MemWrite', 'GetCommandLine', 'GetVersion']
4: ['GetSystemTimeAsFileTime', 'NtQueryAttributesFile', 'recv', 'socket']
4: ['GetSystemTime', 'CreateFileMapping,NtCreateSection', 'RtlTimeFieldsToTime', 'SetProcessPriorityBoost']
4: ['GetTokenInformation', 'CloseHandle', 'OpenProcessToken', 'CreateEvent']
4: ['GetTokenInformation', 'CreateThread', 'CloseHandle', 'OpenProcessToken']
4: ['GetTokenInformation', 'OpenProcessToken', 'NtCreateEvent', 'CloseHandle']
4: ['GetTokenInformation', 'OpenProcessToken', 'OpenProcess', 'CloseHandle']
4: ['GetUserDefaultUILanguage', 'addresstostring', 'socket', 'InitializeCriticalSection,startup']
4: ['InitializeCriticalSection,startup', 'CreateThread', 'socket', 'send,sendto']
4: ['InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', 'MapMemRegion,MemWrite', 'GetProcAddress', 'socket']
4: ['ioctl', 'MapMemRegion,MemWrite', 'NtQueryPerformanceCounter', 'GetProcAddress']
4: ['MapMemRegion', 'GetProcAddress', 'CoCreateInstance', 'socket']
4: ['MapMemRegion,MemWrite', 'recv', 'socket', 'bind']
4: ['MapMemRegion,MemWrite', 'setsockopt', 'socket', 'bind']
4: ['NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', 'CreateRemoteThread', 'GetProcAddress', 'GetDiskFreeSpace,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
4: ['NtClearEvent,ResetEvent', 'CreateEvent', 'NtSetEvent,SetEvent', 'CloseHandle,NtClose']
4: ['NtClose', 'GetFileSize', 'recv', 'CreateFileMapping,NtCreateSection']
4: ['NtCreateEvent', 'NtClose', 'NtOpenProcessToken', 'NtQueryInformationToken,RtlNtStatusToDosError,RtlSetLastWin32Error']
4: ['NtCreateEvent', 'NtCreateFile', 'NtDeviceIoControlFile', 'GetProcAddress']
4: ['NtCreateEvent', 'socket', 'WaitForMultipleObjects', 'CreateEvent']
4: ['NtCreateMutant,RtlInitUnicodeString', 'MapMemRegion', 'LoadLibrary', 'LoadLibrary,stricmp']
4: ['NtCreateSection', 'NtMapViewOfSection,NtUnmapViewOfSection', 'NtClose', 'NtMapViewOfSection']
4: ['NtDuplicateObject', 'GetSystemInfo', 'CreateFileMapping,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtMapViewOfSection']
4: ['NtDuplicateObject', 'MapMemRegion', 'NtOpenProcess', 'NtClose']
4: ['NtDuplicateObject', 'NtOpenProcessToken', 'NtCreateEvent', 'NtOpenProcess']
4: ['NtEnumerateValueKey,RtlNtStatusToDosError,memmove', 'NtQueryKey', 'NtOpenKey,RtlEnterCriticalSection,RtlInitUnicodeString,RtlLeaveCriticalSection,RtlNtStatusToDosError', 'NtClose']
4: ['NtFreeVirtualMemory,RtlEnterCriticalSection,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', 'NtQueryInformationToken', 'NtOpenProcess', 'GetProcAddress']
4: ['NtOpenThread', 'NtQueryInformationThread', 'NtGetContextThread', 'NtSuspendThread']
4: ['NtQueryInformationFile,NtSetInformationFile', 'NtClose', 'NtFlushBuffersFile', 'NtQueryInformationFile']
4: ['NtQueryInformationToken', 'NtOpenProcess', 'NtClose', 'NtOpenProcessToken']
4: ['NtQueryInformationToken,RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlSetLastWin32Error', 'NtOpenProcessToken', 'NtClose', 'NtQueryInformationToken']
4: ['NtReadVirtualMemory', 'GetProcAddress', 'NtFlushInstructionCache,NtProtectVirtualMemory,NtWriteVirtualMemory', 'NtQueryVirtualMemory']
4: ['NtSetEvent', 'NtCreateEvent', 'NtClose', 'NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast']
4: ['NtSetEvent', 'WaitForMultipleObjects', 'NtCreateEvent', 'NtClose']
4: ['NtSetEvent', 'WaitForSingleObject', 'NtCreateEvent', 'NtClose']
4: ['NtSetValueKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError', 'CreateRemoteThread', 'GetCommandLine', 'GetProcAddress']
4: ['OpenProcessToken', 'OpenProcess', 'DuplicateHandle', 'CreateEvent']
4: ['RtlNtStatusToDosError,RtlTimeFieldsToTime', 'OpenMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlTimeFieldsToTime', 'GetSystemTimeAsFileTime']
4: ['SetEvent', 'CloseHandle', 'WaitForMultipleObjects', 'CreateEvent']
4: ['SetEvent', 'recv,recvfrom', 'WaitForMultipleObjects', 'CreateEvent']
4: ['SetEvent', 'recv,recvfrom', 'WaitForMultipleObjects', 'CreateEvent']
4: ['SetEvent', 'recv,recvfrom', 'WaitForMultipleObjects', 'CreateEvent']
4: ['SHDeleteValue', 'RegOpenKey', 'SHGetFolderPath', 'LoadLibrary']
4: ['SHGetSpecialFolderPath', 'SHGetFolderPath,SetEnvironmentVariable', 'InternetGetConnectedState,MemWrite', 'SHGetFolderPath']
4: ['socket', 'bind', 'InitializeCriticalSection,startup', 'RegCloseKey,RegOpenKey,RegQueryValue']
4: ['socket', 'MemWrite,gethostname', 'bind,ntohs', 'closesocket']
4: ['socket', 'NtDeviceIoControlFile', 'LoadLibrary', 'GetProcAddress']
4: ['socket', 'send', 'LoadLibrary', 'CreateEvent']
4: ['socket', 'WaitForMultipleObjects', 'CreateEvent', 'createevent']
4: ['WaitForSingleObject', 'NtReleaseMutant', 'NtClose', 'CreateMutex,NtCreateMutant,RtlAnsiStringToUnicodeString,RtlInitAnsiString,RtlInitUnicodeString']
4: ['WaitForSingleObject', 'NtReleaseMutant', 'socket', 'GetVersion']
4: ['WriteProcessMemory', 'VirtualQuery', 'LoadLibrary', 'GetProcAddress']
5: ['bind', 'CreateThread', 'InitializeCriticalSection,startup', 'send,sendto', 'socket']
5: ['bind', 'InitializeCriticalSection,startup', 'listen', 'send,sendto', 'socket']
5: ['CreateFileMapping,NtCreateSection', 'MapViewOfFile', 'GetFileSize', 'SetProcessPriorityBoost', 'NtClose']
5: ['CreateRemoteThread', 'CoCreateInstance', 'NtDelayExecution', 'MapMemRegion', 'recv']
5: ['CreateRemoteThread', 'GetCommandLine', 'RtlAllocateHeap', 'NtClose', 'GetProcAddress']
5: ['CreateRemoteThread', 'GetDiskFreeSpace,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtClose', 'GetProcAddress', 'recv']
5: ['CreateRemoteThread', 'MapMemRegion', 'NtAllocateVirtualMemory', 'LoadLibrary,stricmp', 'NtClose']
5: ['CreateRemoteThread', 'NtResumeThread', 'NtClose', 'GetSystemTimeAsFileTime', 'GetProcAddress']
5: ['CreateRemoteThread', 'OpenProcess', 'GetProcAddress', 'GetTokenInformation', 'RtlFreeHeap']
5: ['CreateThread', 'InterlockedExchange,MapMemRegion,MemWrite,startup', 'LoadLibrary', 'GetProcAddress', 'MapMemRegion,MemWrite,socket']
5: ['CreateWindow,MapMemRegion,MemWrite,RegisterClass', 'CreateFile', 'CreateFileMapping', 'GetModuleFileName', 'GetFileSize']
5: ['eventselect', 'closeevent', 'socket', 'WaitForMultipleObjects', 'createevent']
5: ['GetAdaptersInfo,MemWrite', 'CoCreateInstance', 'GetComputerName', 'LsaICLookupNames', 'MapMemRegion']
5: ['GetFileSize', 'CreateFile', 'CreateMutex', 'ReadFile', 'CloseHandle']
5: ['GetFileSize', 'SetFilePointer', 'CreateFile', 'SetFileTime', 'ReadFile']
5: ['GetSystemTime', 'send', 'GetAdaptersInfo,MemWrite', 'NtDeviceIoControlFile', 'GetVolumeInformation,RtlAnsiStringToUnicodeString,RtlInitAnsiString']
5: ['GetTokenInformation', 'GetNativeSystemInfo', 'OpenProcessToken', 'CreateThread', 'GetVersion']
5: ['InitializeCriticalSection,startup', 'CreateThread', 'socket', 'send,sendto', 'bind']
5: ['ioctlsocket', 'select', 'send', 'recv', 'socket']
5: ['MemWrite,socket', 'socket', 'bind', 'MemWrite', 'closesocket']
5: ['NtCreateMutant,RtlInitUnicodeString', 'MapMemRegion', 'LoadLibrary', 'NtOpenEvent,RtlInitUnicodeString,RtlNtStatusToDosError', 'NtCreateMutant']
5: ['NtQueueApcThread,RtlQueryInformationActivationContext', 'WaitForSingleObject', 'CreateEvent,NtCreateEvent', 'NtClose', 'WaitForMultipleObjects']
5: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'CreateEvent', 'NtCreateEvent', 'WaitForMultipleObjects', 'socket']
5: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'recv,recvfrom', 'CreateEvent']
5: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'recv,recvfrom', 'CreateEvent']
5: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'recv,recvfrom', 'CreateEvent']
5: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'recv,recvfrom', 'CreateEvent']
5: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'WaitForMultipleObjects', 'CreateEvent']
5: ['NtWaitForSingleObject,RtlpWaitForCriticalSection', 'NtCreateEvent,NtWaitForSingleObject', 'NtSetEventBoostPriority,RtlpUnWaitCriticalSection', 'NtWaitForSingleObject', 'NtSetEventBoostPriority']
5: ['ReadProcessMemory,memset', 'VirtualQuery', 'LoadLibrary', 'GetProcAddress', 'WriteProcessMemory']
5: ['recv,recvfrom', 'CreateEvent', 'socket', 'bind', 'send,sendto']
5: ['recv,recvfrom', 'CreateEvent', 'socket', 'bind', 'send,sendto']
5: ['recv,recvfrom', 'CreateEvent', 'socket', 'bind', 'send,sendto']
5: ['recv,recvfrom', 'CreateEvent', 'socket', 'bind', 'send,sendto']
5: ['recv,recvfrom', 'CreateEvent', 'socket', 'bind', 'send,sendto']
5: ['send', 'GetProcAddress', 'CreateEvent', 'LoadLibrary,stricmp', 'socket']
5: ['SetEvent', 'WaitForMultipleObjects', 'CloseHandle', 'WaitForSingleObject', 'CreateEvent']
5: ['socket', 'bind', 'NtDeviceIoControlFile', 'recv,recvfrom', 'send,sendto']
5: ['socket', 'NtCreateEvent', 'WaitForMultipleObjects', 'CreateEvent', 'NtQueryObject']
5: ['socket', 'NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtCreateEvent', 'recv,recvfrom', 'CreateEvent']
5: ['WaitForSingleObject', 'CreateEvent', 'MapMemRegion,MemWrite', 'CloseHandle', 'socket']
6: ['bind', 'InitializeCriticalSection,startup', 'socket', 'recv,recvfrom', 'listen', 'send,sendto']
6: ['CreateRemoteThread', 'RtlNtStatusToDosError,RtlTimeFieldsToTime', 'RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlTimeFieldsToTime', 'OpenMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'GetSystemTimeAsFileTime', 'recv']
6: ['eventselect', 'KiUserApcDispatcher', 'connect', 'GetProcAddress', 'CreateEvent', 'socket']
6: ['FindNextFile,RtlInitUnicodeString,RtlUnicodeStringToAnsiString,memmove', 'RemoveDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'NtSetInformationFile', 'NtQueryDirectoryFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlNtStatusToDosError,memmove', 'NtClose', 'NtOpenFile']
6: ['GetFileSize', 'ReadFile', 'CreateMutex', 'LoadLibrary', 'CreateFile', 'CloseHandle']
6: ['GetTokenInformation', 'CreateRemoteThread', 'OpenProcessToken', 'OpenProcess', 'RtlFreeHeap', 'GetProcAddress']
6: ['GetTokenInformation', 'RtlAllocateHeap', 'OpenProcess', 'CreateRemoteThread', 'RtlFreeHeap', 'GetProcAddress']
6: ['I_RpcSendReceive', 'NtFsControlFile,RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb', 'MapMemRegion', 'GetUserName', 'NtWaitForSingleObject', 'I_RpcGetBuffer']
6: ['MapMemRegion', 'NtOpenKey,RtlEnterCriticalSection,RtlInitUnicodeString,RtlLeaveCriticalSection,RtlNtStatusToDosError', 'GetSystemTimeAsFileTime', 'LoadLibrary,stricmp', 'RegOpenKey', 'NtOpenKey']
6: ['NtCreateIoCompletion', 'NtRemoveIoCompletion', 'socket', 'NtSetInformationFile', 'NtClose', 'NtSetIoCompletion']
6: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtCreateEvent', 'InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', 'WaitForMultipleObjects', 'CreateEvent', 'socket']
6: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'recv,recvfrom', 'WaitForMultipleObjects', 'CreateEvent']
6: ['NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast,WaitForMultipleObjects', 'NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtSetEvent', 'NtCreateEvent', 'recv,recvfrom', 'CreateEvent']
6: ['socket', 'CreateThread', 'bind', 'InitializeCriticalSection,startup', 'send,sendto', 'listen']
6: ['socket', 'eventselect', 'WaitForSingleObject', 'setevent', 'CreateEvent', 'send']
6: ['socket', 'NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtCreateEvent', 'InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', 'recv,recvfrom', 'CreateEvent']
6: ['socket', 'NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'NtCreateEvent', 'InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', 'recv,recvfrom', 'CreateEvent']
7: ['CreateRemoteThread', 'RtlNtStatusToDosError,RtlTimeFieldsToTime', 'OpenMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', 'RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlTimeFieldsToTime', 'GetSystemTimeAsFileTime', 'GetVersion', 'recv']
7: ['eventselect', 'startup', 'KiUserApcDispatcher', 'socket', 'connect', 'GetProcAddress', 'CreateEvent']
7: ['GetFileAttributes,RtlDetermineDosPathNameType_U,SetErrorMode,memmove,wcslen', 'FindFirstFile', 'NtQueryAttributesFile,RtlDosPathNameToNtPathName_U,RtlFreeHeap', 'NtOpenSymbolicLinkObject', 'GetCommandLine', 'NtQueryInformationFile', 'NtQueryAttributesFile,RtlDosPathNameToNtPathName_U,RtlFreeHeap,RtlIsDosDeviceName_U,RtlNtStatusToDosError']
7: ['GetTokenInformation', 'CreateRemoteThread', 'RtlAllocateHeap', 'OpenProcessToken', 'OpenProcess', 'RtlFreeHeap', 'GetProcAddress']
7: ['NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', 'NtClose', 'NtOpenProcess', 'NtFlushInstructionCache,NtProtectVirtualMemory,NtWriteVirtualMemory', 'NtQuerySystemInformation', 'NtAllocateVirtualMemory', 'NtProtectVirtualMemory']
7: ['NtQueryInformationToken,RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlSetLastWin32Error', 'NtFreeVirtualMemory,RtlEnterCriticalSection,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', 'NtOpenProcess', 'NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', 'MapMemRegion', 'NtQueryInformationToken', 'GetProcAddress']
7: ['NtSetEvent,SetEvent', 'send', 'NtClearEvent,ResetEvent', 'socket', 'WaitForSingleObject', 'MapMemRegion,MemWrite', 'CreateEvent']
7: ['NtSetInformationFile', 'ioctlsocket', 'closesocket', 'send', 'NtCreateIoCompletion', 'recv', 'socket']
7: ['socket', 'bind', 'InitializeCriticalSection,startup', 'connect', 'recv,recvfrom', 'send,sendto', 'listen']
8: ['GetQueuedCompletionStatus', 'CreateIoCompletionPort', 'GetQueuedCompletionStatus,RtlGetLastWin32Error,RtlSetLastWin32Error', 'PostQueuedCompletionStatus', 'CloseHandle', 'setlasterror,socket', 'GetQueuedCompletionStatus,RtlGetLastWin32Error,RtlLeaveCriticalSection,RtlSetLastWin32Error', 'InterlockedExchange,InterlockedExchangeAdd,PostQueuedCompletionStatus']
8: ['socket', 'NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlAllocateHeap,RtlDeactivateActivationContextUnsafeFast', 'MapMemRegion,MemWrite,startup', 'MemWrite', 'GetProcAddress', 'InterlockedCompareExchange', 'NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'MapMemRegion,MemWrite,socket']
9: ['CreateEvent', 'send', 'WaitForSingleObject', 'MapMemRegion,MemWrite', 'NtClearEvent,ResetEvent', 'CloseHandle', 'NtSetEvent,SetEvent', 'NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', 'socket']
9: ['CreateThread', 'bind', 'eventselect', 'InitializeCriticalSection,startup', 'addresstostring', 'createevent', 'recv,recvfrom', 'send,sendto', 'socket']
9: ['enumnetworkevents', 'CreateEvent', 'bind', 'eventselect', 'startup', 'recv,recvfrom', 'listen', 'send,sendto', 'socket']
9: ['listen', 'socket', 'LdrGetDllHandle', 'bind', 'startup', 'KiUserApcDispatcher', 'connect', 'RtlAcquirePebLock,RtlAllocateHeap,RtlDetermineDosPathNameType_U,RtlReleasePebLock,memmove', 'RegCloseKey,RegOpenKey,RegQueryValue']
9: ['WaitForSingleObject', 'InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', 'CreateEvent', 'MapMemRegion,MemWrite', 'NtClearEvent,ResetEvent', 'CloseHandle', 'recv', 'socket', 'NtSetEvent,SetEvent']
10: ['enumnetworkevents', 'eventselect', 'InitializeCriticalSection,startup', 'ioctl', 'socket', 'connect', 'shutdown', 'GetProcAddress', 'InterlockedDecrement,NtDeviceIoControlFile,TlsGetValue,WahReferenceContextByHandle,send', 'createevent']
11: ['NtDuplicateObject', 'NtFreeVirtualMemory,RtlEnterCriticalSection,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', 'NtOpenProcess', 'NtCreateEvent', 'NtClose', 'NtFlushInstructionCache,NtProtectVirtualMemory,NtWriteVirtualMemory', 'NtAllocateVirtualMemory', 'GetProcAddress', 'NtWriteVirtualMemory', 'NtProtectVirtualMemory', 'NtFlushInstructionCache']
2: ([('bind', [DllName: ws2_32.dll: 1]), ('listen', [])], '0xaf9e3ec')
2: ([('bsearch', [ModuleName: kernel32: 0.166666666667, DllName: advapi32.dll: 0.5, ObjectAttributes: \kernelobjects\critsecoutofmemoryevent: 1, SubKey: software\microsoft\rpc\pagedbuffers: 0.166666666667]), ('LoadLibrary', [DllName: user32.dll: 1])], '0xaddebac')
2: ([('CoCreateInstance', []), ('GetAcceptLanguages', [Filename: c:\windows\system32\mlang.dll: 1, ObjectAttributes: c:\windows\system32\mlang.dll: 1, ValueName: acceptlanguage: 1, ModuleName: nspr4.dll: 1, Filename: [array_len_mb16]: 1, DllName: mlang.dll: 1])], '0xaf9586c')
2: ([('CoCreateInstance', []), ('gethostbyname', [])], '0x95ee6ec')
2: ([('CoCreateInstance', []), ('MapMemRegion', [DllName: shell32.dll: 0.133333333333, ObjectAttributes: basenamedobjects\ctf.timlistcache.fmpdefaults-1-5-2: 1, ObjectAttributes: c:: 0.0666666666667, DllName: c:\windows\system32\msctf.dll: 0.866666666667, Filename: c:\windows\system32\msctf.dll: 1])], '0x99c808c')
2: ([('CoCreateInstance', []), ('socket', [])], '0x99de20c')
2: ([('CoInitialize', []), ('MapMemRegion', [ObjectAttributes: hklm\software\microsoft\ctf\compatibility\dwm.exe: 1, DllName: c:\windows\system32\msctf.dll: 0.938461538462, Filename: c:\windows\system32\msctf.dll: 1])], '0x97e4f0c')
2: ([('CreateDirectory', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\smtmp\1\programs\games\: 1]), ('GetProcAddress', [])], '0x9cee68c')
2: ([('CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\: 1]), ('GetTempPath', [])], '0x986178c')
2: ([('createevent', []), ('socket', [])], '0xb00564c')
2: ([('CreateFileMapping,NtCreateSection', [Filename: c:\documents and settings\administrator\application data\0deb.7f8: 1]), ('NtClose', [])], '0x95f944c')
2: ([('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\desktop\icsmanifest.xml: 1]), ('SHGetFolderPath', [])], '0xa84dd4c')
2: ([('CreateFile,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\documents and settings\administrator\application data\dwm.exe: 1]), ('NtClose', [])], '0x97e284c')
2: ([('CreateRemoteThread', []), ('CoCreateInstance', [])], '0x9ce9b4c')
2: ([('CreateRemoteThread', []), ('GetVersion', [])], '0xad931cc')
2: ([('CreateRemoteThread', []), ('LdrLoadDll', [DllName: ws2_32.dll: 1])], '0x9ced36c')
2: ([('CreateRemoteThread', []), ('NtClose', [])], '0x97e378c')
2: ([('CreateRemoteThread', []), ('RegOpenKey', [ObjectAttributes: \registry\user\s-1-5-21-842925246-1425521274-308236825-500: 1])], '0x9ced86c')
2: ([('CreateThread', []), ('GetAdaptersInfo', [ObjectAttributes: \device\tcp6: 1, ValueName: dhcpserver: 1])], '0xa87cf8c')
2: ([('CreateToolhelp32Snapshot', []), ('CloseHandle', [])], '0xaba48cc')
2: ([('CreateWindow,MapMemRegion,MemWrite,RegisterClass', []), ('DialogBoxParam', [])], '0xa4ddcac')
2: ([('CryptAcquireContext', [ModuleName: rsaenh.dll: 1, ObjectAttributes: hklm\software\microsoft\cryptography\defaults\provider types\type 001: 1, ValueName: type: 1]), ('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 1, ObjectAttributes: \registry\machine\software\classes\mime\database\content type\text/html; charset: 1, ValueName: regdbversion: 1, SubKey: environment: 1, ModuleName: kernel32: 0.166666666667, pszName: [array_nt_mb16]: 1, FileName: administrator: 0.833333333333, DllName: sensapi.dll: 1, ObjectAttributes: {}: 1, ForeignIP: (0, 0, 3): 0.5])], '0xb4bceac')
2: ([('DialogBoxParam', []), ('LoadLibrary', [DllName: c:\windows\system32\1033\dwintl.dll: 1])], '0x987838c')
2: ([('EnumProcesses,LocalAlloc,LocalFree,NtQuerySystemInformation', []), ('KiUserApcDispatcher', [SubKey: clsid\{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}: 1, ObjectAttributes: hklm\software\microsoft\rpc\pagedbuffers: 1, ValueName: checkversion: 0.6, SubKey: treatas: 1, ModuleName: kernel32: 1, DllName: advapi32.dll: 1])], '0xb449eac')
2: ([('EnumSystemLocales,MapMemRegion', [ObjectAttributes: \nls\nlssectioncp1250: 1]), ('IsValidLocale', [])], '0xa62fb4c')
2: ([('eventselect', []), ('socket', [])], '0xb02baec')
2: ([('ExitProcess', []), ('SHGetFolderPath', [])], '0xaada24c')
2: ([('ExitThread', []), ('ConvertStringSecurityDescriptorToSecurityDescriptor', [])], '0xab52f2c')
2: ([('FindFirstFile', [ObjectAttributes: c:\: 1, FileName: delus.bat: 1]), ('GetCommandLine', [])], '0x9edf82c')
2: ([('FindFirstFile', [ObjectAttributes: c:\documents and settings\administrator\application data\macromedia\flash player\macromedia.com\support\: 1, FileName: *: 1]), ('NtQueryDirectoryFile', [])], '0xac16c2c')
2: ([('FindFirstFile', [ObjectAttributes: c:\documents and settings\administrator\cookies\: 1, FileName: *: 0.875]), ('NtClose,RtlDeleteCriticalSection,RtlEnterCriticalSection,RtlFreeHeap,RtlLeaveCriticalSection', [])], '0xafb46cc')
2: ([('FindFirstFile', [ObjectAttributes: c:\users\: 1, FileName: *: 1]), ('FindNextFile', [])], '0xa827c8c')
2: ([('FindNextFile', []), ('FindNextFile,RtlInitUnicodeString,RtlUnicodeStringToAnsiString,memmove', [])], '0x965a52c')
2: ([('FreeLibrary,GetProcAddress,LoadLibrary,SHGetFolderPath', [DllName: userenv.dll: 1]), ('GetFileAttributes,SetErrorMode', [ObjectAttributes: c:\documents and settings\administrator\desktop\icsmanifest.xml: 1])], '0xa87338c')
2: ([('GetAdaptersInfo,MemWrite', [ObjectAttributes: \device\netbt_tcpip_{1ad45b38-4060-4f73-bb1e-a0439a2d97eb}: 1, ValueName: dhcpserver: 0.613756613757, ObjectAttributes: scsi6:: 0.021164021164]), ('GetComputerName', [])], '0xa84d44c')
2: ([('GetAdaptersInfo,MemWrite', [ObjectAttributes: \device\netbt_tcpip_{1ad45b38-4060-4f73-bb1e-a0439a2d97eb}: 1, ValueName: dhcpserver: 1, ObjectAttributes: physicaldrive2: 0.0625]), ('GetVolumeInformation', [ObjectAttributes: c:\: 1])], '0xaa7346c')
2: ([('GetCommandLine', []), ('GetFileAttributes', [ObjectAttributes: c:\documents and settings\administrator\start menu\programs\startup\youtube.video.exe: 1])], '0x964e64c')
2: ([('GetCommandLine', []), ('GetProcAddress', [])], '0x926564c')
2: ([('GetFileAttributes', [ObjectAttributes: c:\program files\common files: 1]), ('FindFirstFile', [ObjectAttributes: c:\: 1, FileName: program files: 1])], '0x94c496c')
2: ([('GetLocalTime', []), ('SystemTimeToFileTime', [])], '0xb02bdac')
2: ([('GetModuleFileName', []), ('CreateFile', [ObjectAttributes: c:\windows\system32\gdi32.dll: 1])], '0xa4ddd6c')
2: ([('GetProcAddress,startup', []), ('LoadLibrary,stricmp', [DllName: ws2_32.dll: 1, ObjectAttributes: c:\windows\system32\ws2help.dll: 1, Filename: c:\windows\system32\ws2help.dll: 0.571428571429])], '0x91a7c8c')
2: ([('GetProcessVersion,NtQuerySystemInformation', []), ('GetVersion', [])], '0xaba5c4c')
2: ([('GetSystemDirectory', []), ('GetDiskFreeSpace,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\: 1])], '0x964ccec')
2: ([('GetSystemDirectory', []), ('LoadLibrary', [DllName: ws2_32.dll: 0.124031007752, DllName: c:\windows\system32\ws2_32: 0.976744186047])], '0xa86e24c')
2: ([('GetSystemTimeAsFileTime', []), ('CreateEvent', [])], '0xa8718ac')
2: ([('GetSystemTimeAsFileTime', []), ('send', [LocalAddress: (['tcp'], '(53, 0, 510)', ['1028', '1031', '1030', '1032', '1052', '1050', '1057', '1063', '1054', '1029', '1056', '1049', '1181', '1051', '1177', '1055', '1174', '1172', '1179', '1047', '1036', '1037', '1183', '1166', '1061', '1224', '1222', '1221', '1185', '1208', '1053', '1059', '1171', '1041', '1045', '1048', '1070', '1149', '1087', '1320', '1135', '1209', '1039', '1033', '1212', '1188', '1107', '1058', '1168', '1169', '1176', '1175', '1178', '1043', '1044', '1143', '1145', '59455', '1076', '1371', '1372', '61111', '61192', '1060', '1062', '1182', '1173', '1133', '1336', '1331', '1065', '1348', '1225', '1220', '1038', '1211', '1216', '53192', '1214', '1355', '1186', '1180', '1167', '1163', '1204', '54667', '1197', '1191', '1218', '1170', '1042', '1040', '1046', '1190', '1142', '1269', '1268', '1300', '1147', '1144', '1262', '1260', '1267', '1309', '1265', '1141', '50364', '1074', '1075', '1071', '51677', '1317', '1316', '1315', '1159', '1158', '59717', '1154', '55333', '1156', '1151', '1150', '1153', '60020', '1069', '1068', '51273', '57939', '1067', '1066', '55455', '1384', '1278', '1082', '1081', '1122', '62283', '55939', '58242', '1304', '64202', '60505', '64364', '58889', '55980', '1255', '1250', '1392', '59677', '1230', '1232', '1335', '1131', '1239', '1333', '1332', '1134', '52364', '58545', '1307', '1240', '64808', '1247', '1129', '1128', '1223', '1340', '1341', '57273', '1337', '63111', '54889', '56586', '1161', '1165', '60727', '1034', '1213', '52505', '1215', '1351', '1357', '1356', '59758', '1126', '1227', '58061', '59333', '1189', '1187', '1184', '52020', '1104', '1105', '1108', '1094', '1160', '1162', '1207', '1203', '51798', '58202', '63677', '1198', '1217', '54970', '1193', '1192', '1195', '1196', '1111', '52323', '49152', '1291', '53111', '57333', '56020', '1272', '54061', '63414', '1086', '1288', '55495', '1366', '1367', '1364', '1365', '1363', '1360', '53152', '1368']): 1])], 
'0x97e3c8c')
2: ([('GetSystemTime', []), ('RtlTimeFieldsToTime', [])], '0x9cef3ac')
2: ([('GetTempFileName', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsf7.tmp: 1, PathName: c:\docume~1\admini~1\locals~1\temp\: 1]), ('CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\: 1])], '0x9861bec')
2: ([('GetTickCount', []), ('CreateFile,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\documents and settings\administrator\application data\microsoft\gb_965281.bat: 1])], '0x97d45ec')
2: ([('GetTickCount', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 435)', ['1028', '1030', '1029', '1031', '1038', '1040', '1041', '1039', '1032', '1043', '1042', '1036', '1034', '1035']): 1])], '0xaa106cc')
2: ([('GetTokenInformation', []), ('OpenProcessToken', [])], '0xb4b9e8c')
2: ([('GetVersion', []), ('CreateFile', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\db1dc.dmp: 1])], '0xa4dde0c')
2: ([('GetVersion', []), ('GetProcAddress', [])], '0xae3676c')
2: ([('GetVersion', []), ('LoadLibrary,MemWrite', [DllName: psapi.dll: 1])], '0x987866c')
2: ([('GetVersion', []), ('NtGetContextThread', [])], '0x96565ac')
2: ([('GetVersion', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 93)', ['1031', '1029', '1038', '1037', '1032', '1030', '1028', '1033', '1039', '1040', '1036', '1035', '1034', '1041', '1043']): 1])], '0xa86b9ac')
2: ([('GetVersion', []), ('RtlCreateHeap', [])], '0x9cee16c')
2: ([('HeapCreate', []), ('NtAllocateVirtualMemory', [])], '0xa87cd0c')
2: ([('IcfGetCurrentProfileType,InterlockedIncrement', []), ('ConvertStringSecurityDescriptorToSecurityDescriptor', [])], '0xae3764c')
2: ([('InitializeCriticalSection,startup', []), ('ExitThread', [])], '0xab5202c')
2: ([('InitializeCriticalSection,startup', []), ('socket', [])], '0xabf6a8c')
2: ([('InternetGetConnectedState', []), ('LoadLibrary,stricmp', [DllName: wininet.dll: 1, ObjectAttributes: c:\windows\system32\wsock32.dll: 1, Filename: c:\windows\system32\mlang.dll: 1])], '0xa88082c')
2: ([('InternetSetOption', [DllName: shell32.dll: 1, ObjectAttributes: hklm\software\microsoft\internet explorer\main\featurecontrol\feature_temporaryfiles_for_nocache_840387: 1, ValueName: paths: 1]), ('GetUserName', [])], '0xa16c76c')
2: ([('InternetSetOption', [DllName: shell32.dll: 1, ObjectAttributes: hklm\software\microsoft\internet explorer\main\featurecontrol\feature_temporaryfiles_for_nocache_840387: 1, ValueName: paths: 1]), ('SHGetFolderPath', [])], '0xa16c2ac')
2: ([('KiUserApcDispatcher', [SubKey: clsid\{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}: 1, Filename: c:\windows\windowsshell.manifest: 0.666666666667, ObjectAttributes: hklm\software\microsoft\rpc\pagedbuffers: 1, ValueName: checkversion: 0.777777777778, SubKey: treatas: 1, ModuleName: kernel32: 1, DllName: advapi32.dll: 0.666666666667]), ('CoInitialize,MapMemRegion', [ObjectAttributes: c:\windows\system32\rpcss.dll: 1, Filename: c:\windows\system32\rpcss.dll: 1])], '0xad994ec')
2: ([('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 0.75, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}: 1, ValueName: defaultuserprofile: 1, SubKey: treatas: 1, pszName: [array_nt_mb16]: 0.75, DllName: rasadhlp.dll: 1, ObjectAttributes: {}: 0.75]), ('LdrGetDllHandle', [ObjectAttributes: c:\windows\system32\msoeacct.dll: 1, Filename: c:\windows\system32\hnetcfg.dll: 1])], '0xaf9ea4c')
2: ([('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 0.8, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{304ce942-6e39-40d8-943a-b913c40c9cd4}: 1, ValueName: defaultuserprofile: 1, SubKey: treatas: 1, pszName: [array_nt_mb16]: 0.8, DllName: rasadhlp.dll: 1, ObjectAttributes: {}: 0.8]), ('RtlEnterCriticalSection,RtlLeaveCriticalSection,SysFreeString,i64tow,wcslen', [ObjectAttributes: hklm\software\classes\clsid\{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}\treatas: 1])], '0xb029f4c')
2: ([('listen', []), ('ntohs,socket', [])], '0x987878c')
2: ([('LoadLibrary', [DllName: iphlpapi.dll: 1]), ('socket', [])], '0xaa0e4cc')
2: ([('LoadLibrary', [DllName: shlwapi.dll: 1, DllName: c:\program files\common files\system\wab32res.dll: 1]), ('NtOpenKey,RtlEnterCriticalSection,RtlInitUnicodeString,RtlLeaveCriticalSection,RtlNtStatusToDosError', [])], '0xb4bbdcc')
2: ([('LoadLibrary', [DllName: ws2_32.dll: 1]), ('MapMemRegion', [DllName: oleaut32.dll: 1, ObjectAttributes: c:\windows\winsxs\x86_microsoft.windows.common-cont: 1, Filename: c:\windows\system32\wininet.dll: 0.65])], '0xad99f0c')
2: ([('LoadLibrary,stricmp', [DllName: uxtheme.dll: 1]), ('FreeLibrary,LdrUnloadDll', [])], '0x9835f0c')
2: ([('LoadLibrary,stricmp', [DllName: uxtheme.dll: 1]), ('GlobalAddAtom,NtAddAtom,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [AtomName: controlofs0040000000000520: 1])], '0x91fc92c')
2: ([('LoadLibrary,stricmp', [DllName: ws2_32.dll: 1, ObjectAttributes: c:\windows\system32\ws2help.dll: 1, Filename: c:\windows\system32\ws2help.dll: 0.4]), ('CoCreateInstance', [])], '0x91a7dec')
2: ([('LookupPrivilegeValue', [ObjectAttributes: pipe\lsarpc: 1]), ('ConvertStringSecurityDescriptorToSecurityDescriptor', [])], '0xaf958ec')
2: ([('MapMemRegion', [DllName: c:\windows\system32\msctf.dll: 0.2, Filename: c:\windows\system32\msctf.dll: 0.581818181818, ObjectAttributes: hklm\software\microsoft\ctf\compatibility\dvhhccfblujqw.exe: 1, ValueName: recent: 0.0727272727273, ObjectName: hklm\software\classes\drive\shellex\folderextensions: 0.127272727273, DllName: shell32.dll: 0.854545454545, ObjectAttributes: ide#cdromqemu_qemu_cd-rom________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}: 0.490909090909]), ('SHGetFolderPath', [])], '0x95f9eac')
2: ([('MapMemRegion', []), ('GetLocalTime', [])], '0x9ee6dcc')
2: ([('MapMemRegion', []), ('NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', [])], '0xa825f6c')
2: ([('MapMemRegion', [ObjectAttributes: c:\windows\system32\rpcss.dll: 1, Filename: c:\windows\system32\rpcss.dll: 0.996855345912]), ('OpenSCManager', [DllName: rpcrt4.dll: 0.187861271676, ObjectAttributes: hklm\software\microsoft\rpc\pagedbuffers: 1])], '0xa86fb6c')
2: ([('MapMemRegion', [PathName: c:\docume~1\admini~1\locals~1\temp\: 0.478873239437, DllName: c:\windows\system32\cryptnet.dll: 0.0281690140845, Filename: c:\windows\system32\winhttp.dll: 0.676056338028, ObjectAttributes: hklm\software\microsoft\cryptography\oid\encodingtype 0\cryptdlldecodeobjectex: 1, ObjectName: c:\docume~1\admini~1\locals~1\temp\upg8b.tmp: 0.0140845070423, DllName: netapi32.dll: 1]), ('GetVolumeInformation,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\: 1])], '0xa910c8c')
2: ([('MapMemRegion', [PathName: c:\docume~1\admini~1\locals~1\temp\: 0.990476190476, DllName: c:\windows\system32\cryptnet.dll: 0.942857142857, Filename: c:\windows\system32\winhttp.dll: 1, ObjectAttributes: hklm\software\microsoft\cryptography\oid\encodingtype 0\cryptdlldecodeobjectex: 1, DllName: shell32.dll: 1, ObjectAttributes: scsi10:: 0.00952380952381]), ('LoadTypeLib', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\upg7d.tmp: 1])], '0xa882d2c')
2: ([('MemWrite', [DllName: shell32.dll: 1, ObjectAttributes: c:\windows\system32\imm32.dll: 1, DllName: c:\windows\system32\imm32.dll: 1, Filename: c:\windows\system32\riched20.dll: 1]), ('GetProcAddress', [])], '0xa4d8bac')
2: ([('MemWrite', []), ('SHGetFolderPath', [])], '0xa62ecec')
2: ([('NtClose', []), ('GetVersion', [])], '0xa87984c')
2: ([('NtClose', []), ('NtDeviceIoControlFile', [])], '0xa86f36c')
2: ([('NtClose', []), ('NtMapViewOfSection', [])], '0x97e462c')
2: ([('NtCreateMutant,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\global\{5d329b3c-4cd7-40b7-e811-5333c5ed7021}: 1]), ('WaitForSingleObject', [])], '0xaada92c')
2: ([('NtCreateMutant,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\global\{c84914f5-c31e-d5cc-e811-5333c5ed7021}: 1]), ('LoadLibrary', [DllName: ws2_32.dll: 1])], '0xae3618c')
2: ([('NtDeviceIoControlFile', []), ('closesocket', [])], '0xa87b26c')
2: ([('NtDuplicateObject', []), ('WaitForSingleObject', [])], '0xad9314c')
2: ([('NtQueryDefaultUILanguage', []), ('socket', [ObjectAttributes: \device\afd\endpoint: 1])], '0xab55fec')
2: ([('NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', []), ('FindFirstFile', [ObjectAttributes: c:\users\: 1, FileName: *: 1])], '0xa826aac')
2: ([('NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', []), ('GetProcAddress', [])], '0xaff3f2c')
2: ([('NtQueryInformationProcess,NtReadVirtualMemory,ReadProcessMemory', []), ('LoadLibrary,MapMemRegion', [DllName: c:\windows\system32\gdi32.dll: 1])], '0x95d0dcc')
2: ([('NtQueryPerformanceCounter', []), ('GetProcAddress', [])], '0xaf9582c')
2: ([('NtQuerySystemInformation', []), ('NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', [])], '0x91ffb6c')
2: ([('NtQuerySystemInformation', []), ('RtlAllocateHeap', [])], '0x9ce736c')
2: ([('NtSetInformationFile', []), ('NtQueryInformationFile', [])], '0xb5c760c')
2: ([('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('CloseHandle', [])], '0xb3ea30c')
2: ([('QueryPerformanceCounter', []), ('GetFileAttributes,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\windows\system32\notepad.exe: 1])], '0x97cebec')
2: ([('rand', []), ('Sleep', [])], '0x964e7ec')
2: ([('recv', [LocalAddress: (['tcp'], '(0, 0, 15)', ['1030', '1190', '1029', '1040', '1188', '1183', '1153', '1032', '1031']): 1]), ('CoCreateInstance', [])], '0x9cef88c')
2: ([('recv', [LocalAddress: (['tcp'], '(0, 0, 17)', ['1069', '1070', '1360', '1051', '1058', '1059', '1049', '1064', '1067', '1073', '1367', '1364', '1376', '1384']): 1]), ('CreateFileMapping,NtCreateSection', [Filename: c:\documents and settings\administrator\application data\3e14.ccc: 1])], '0x99de3cc')
2: ([('recv', [LocalAddress: (['tcp'], '(0, 0, 210)', ['1028', '1031', '1185', '1057', '1030', '1219', '1188', '1184', '1052', '1047', '1147', '1315', '1320', '1230', '1331', '1229', '1189', '1180', '1178', '1041', '1040', '1048', '1317', '1157', '1129', '1126', '1232', '1225', '1224', '1220', '1038', '1039', '1032', '1033', '1046', '1186', '1209', '1191', '1198', '1179', '1049', '1140', '1307', '1302', '1265', '1268', '1072', '1372', '1153', '1068', '1063', '1065', '1389', '1387', '1087', '1321', '1328', '1123', '1335', '1390', '1231', '1133', '1336', '1330', '1332', '1249', '1248', '1221', '1342', '1347', '1036', '1037', '1212', '1213', '1210', '1353', '1218', '1354', '1239', '1029', '1183', '1181', '1103', '1164', '1202', '1051', '1190', '1196', '1112', '1279', '1175', '1174', '1172', '1271', '1272', '1275', '1285', '1042', '1043', '1282', '1362', '1361']): 1]), ('GetProcAddress', [])], '0x97d488c')
2: ([('recv', [LocalAddress: (['tcp'], '(215, 0, 0)', ['1028', '1031', '1034', '1037', '1043', '1052', '1040', '1055', '1049', '1046', '1058', '1064', '1061', '1038', '1355']): 1]), ('socket', [])], '0xa82006c')
2: ([('recv', [LocalAddress: (['tcp'], '(84, 0, 4219)', ['1028', '1031', '1030', '1184', '1032', '1063', '1052', '1172', '1225', '1185', '1044', '1038', '1153', '1218', '1164', '1196', '1072', '1103', '1112', '1140', '1123', '1133', '1087', '1181', '1210', '1057', '1043', '1029', '1211', '1191', '1224', '1033', '1186', '1202', '1174', '1107', '1231', '1108', '1199', '1042', '1049', '1152', '1041', '1098', '1232', '1239', '1188', '1053', '1061', '1090', '1086', '1046', '1249', '1165', '1204', '1055', '1097', '1205', '1179', '1050', '1037', '1189', '1190', '1175', '1178', '1045', '1208', '1115', '1062', '1320', '1132', '1244', '1101', '1171', '1272', '1209', '1170', '1248', '1160', '1176', '1040', '1047', '1156', '1265', '1354', '1168', '1056', '1183', '1073', '1279', '1255', '1331', '1330', '1048', '1147', '1328', '1348', '1347', '1282', '1317', '1166', '1111', '1271', '1361', '1149', '1302', '1157', '1067', '1122', '1129', '1221', '1285', '1126', '1169', '1177', '1315', '1230', '1222', '1212', '1198', '1367', '1307', '1278', '1321', '1335', '1342', '1161', '1036', '1180', '1167', '1054', '1144', '1269', '1124', '1104', '1362', '1143', '1372', '1069', '1065', '1336', '1213', '1058', '1105', '1051', '1059', '1257', '1068', '1220', '1039', '1034', '1163', '1173', '1288', '1264', '1076', '1155', '1128', '1121', '1229', '1251', '1193', '1195', '1148', '1071', '1373', '1316', '1093', '1182', '1389', '1387', '1083', '62283', '1127', '1337', '1333', '1035', '1215', '1351', '1219', '1356', '1100', '1116', '1145', '1141', '1376', '1094', '1154', '1082', '1233', '1137', '1247', '1201', '1206', '1203', '1197', '53111', '61111', '1142', '1262', '1159', '1151', '1150', '1384', '1125', '58889', '54970', '1240', '1340', '54889', '53192', '1352', '53152', '1207', '1313', '1192', '1364', '1363', '1263', '52505', '59414', '1326', '51677', '56586', '1136', '1268', '1341', '1080', '1301', '1216', '62808', '1355', '56020', '1187', '1217', '1291', '1275', '54667', '1332', '1300', 
'53980', '1309', '59455', '1074', '1060', '55455', '1380', '1324', '64283', '1138', '64202', '1318', '1252', '1390', '59677', '52364', '1299', '1346', '1084', '51636', '1353', '55333', '58202', '1117', '1119', '1270', '1319', '1323', '63414', '57333', '1070', '61192', '1334', '1158', '1064', '55980', '1099', '1235', '1139', '1135', '1260', '1243', '1223', '1371', '1081', '1162', '59333', '1226', '1322', '49152', '1214', '1366']): 1]), ('socket', [ObjectAttributes: \device\afd\endpoint: 1])], '0x95f94ec')
2: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 17)', ['20661', '20871', '26302', '17304']): 1]), ('socket', [])], '0xafb450c')
2: ([('RegCloseKey', []), ('NtOpenKey,RegOpenKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError', [ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\internet explorer\typedurls: 1])], '0x91a7b8c')
2: ([('RegCreateKey', [ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\control panel: 1]), ('GetProcAddress', [])], '0xa16ceac')
2: ([('RegCreateKey', [ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\windows\currentversion\explorer: 1]), ('NtClose', [])], '0x9ceef0c')
2: ([('RegOpenKey', []), ('NtClose', [])], '0xa62e6cc')
2: ([('RegOpenKey', [ObjectAttributes: hklm\software\microsoft: 1]), ('RegCreateKey', [ObjectAttributes: hklm\software\microsoft\drwatson: 1])], '0x92651cc')
2: ([('RegOpenKey', [ObjectAttributes: hklm\software\microsoft: 1]), ('SE_InstallBeforeInit', [ObjectAttributes: basenamedobjects\hookswitchhookenabledevent: 1, Filename: c:\windows\system32\msacm32.dll: 1])], '0x98c7dac')
2: ([('RegOpenKey', [SubKey: software\microsoft\windows\currentversion\uninstall\ie40: 1, ObjectAttributes: hklm\software\microsoft\windows\currentversion\uninstall\kazaalite202_is1: 1, SubKey: softwa: 0.181818181818]), ('RegEnumKey', [])], '0xa87eacc')
2: ([('RtlAllocateHeap', []), ('HeapCreate', [])], '0xa6d354c')
2: ([('RtlAllocateHeap', []), ('RtlFreeHeap', [])], '0xa827a4c')
2: ([('RtlEnterCriticalSection,RtlLeaveCriticalSection,SysFreeString,i64tow,wcslen', [ObjectAttributes: hklm\software\classes\clsid\{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}\treatas: 1]), ('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 0.25, ObjectAttributes: \registry\user\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}\inprocserver32: 1, ValueName: parseautoexec: 0.25, SubKey: treatas: 1, pszName: asl48pulyjylrm19b18p22p62b28bzbycynzer.com: 0.75, DllName: rasadhlp.dll: 0.75, ObjectAttributes: {}: 0.25])], '0xb3d08ec')
2: ([('RtlFreeHeap', []), ('CoInitialize', [])], '0x9ceff8c')
2: ([('RtlpWaitForCriticalSection', []), ('RtlpUnWaitCriticalSection', [])], '0xaf08dac')
2: ([('RtlRandom', []), ('NtCreateFile', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\000c0370.tmp: 1])], '0xa870e2c')
2: ([('send', [LocalAddress: (['tcp'], '(0, 0, 27)', ['1040', '1058', '1067', '1043', '1041', '1488', '1518', '1596', '1487', '1442', '1567', '1539', '1512']): 1]), ('GetVersion', [])], '0xa8208cc')
2: ([('socket', []), ('bind', [DllName: ws2_32.dll: 1])], '0xaed5d0c')
2: ([('socket', []), ('connect', [ForeignIP: 223.175: 0.314960629921, ForeignPort: ['3128', '0', '31', '50684', '11149', '3']: 1, ObjectAttributes: \device\rasacd: 0.0590551181102, pszName: 186.216.160.http: 0.00590551181102, ForeignIP: ['4']: 0.0551181102362, pszName: (0, 0, 21): 0.0413385826772, ForeignIP: (0, 0, 27174): 1])], '0x927fc0c')
2: ([('socket', []), ('connect', [ForeignPort: ['27112', '11199', '28515', '11305', '28416', '13130', '20114']: 1, ForeignIP: (0, 0, 22): 1])], '0xb1489cc')
2: ([('socket', []), ('GetAddrInfo,RtlAllocateHeap,RtlFreeHeap,setlasterror', [DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, pszName: awesomefile.com: 1, DllName: dnsapi.dll: 1, ObjectAttributes: h: 0.272727272727])], '0x98cc76c')
2: ([('socket', [ObjectAttributes: \device\afd\endpoint: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 27)', ['14241', '29336', '11525', '28463']): 1])], '0xaf9edac')
2: ([('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 10)', ['28233', '10171', '28516']): 1])], '0xb14a14c')
2: ([('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 15)', ['29129', '14007']): 1])], '0xad97eec')
2: ([('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['15143', '13494', '21525']): 1])], '0xac1602c')
2: ([('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 7)', ['14241', '11525']): 1])], '0xad93e6c')
2: ([('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 12)', ['21845', '21741']): 1])], '0xb512bac')
2: ([('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 13)', ['29129', '14007']): 1])], '0xaef94ec')
2: ([('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 23)', ['21525', '13806', '13494', '15143', '18856']): 1])], '0xafb686c')
2: ([('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 28)', ['20661', '20871', '17304', '26302', '15866', '29588']): 1])], '0xb3d054c')
2: ([('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 28)', ['28233', '28516', '10171', '13122', '14929']): 1])], '0xb14ad6c')
2: ([('socket', []), ('WaitForMultipleObjects', [])], '0xb53240c')
2: ([('VerifyConsoleIoHandle', []), ('CsrClientCallServer', [])], '0x9856bac')
2: ([('WaitForMultipleObjects', []), ('createevent', [])], '0xb4b93ec')
2: ([('WaitForSingleObject', []), ('CreateMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: basenamedobjects\{b37c48af-b05c-4520-8b38-2fe181d5dc78}: 1])], '0x97d4dcc')
2: ([('WaitForSingleObject', []), ('NtReleaseSemaphore', [])], '0xb52fb8c')
3: ([('addresstostring', [SubKey: system\currentcontrolset\services\tcpip\parameters\winsock: 1, DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1, ObjectAttributes: c:\windows\system32\wshtcpip.dll: 1, ValueName: defaultauthlevel: 1, ModuleName: nspr4.dll: 1, DllName: hnetcfg.dll: 1]), ('socket', []), ('InitializeCriticalSection,startup', [])], '0xb44beec')
3: ([('bind', [DllName: ws2_32.dll: 1]), ('IcfGetCurrentProfileType,InterlockedIncrement', []), ('listen', [])], '0xaad878c')
3: ([('CloseHandle,NtClose', []), ('NtSetEvent,SetEvent', []), ('CreateEvent', [])], '0x91fc1ac')
3: ([('CloseHandle,NtClose,ReleaseMutex', []), ('CreateMutex', [ObjectAttributes: basenamedobjects\global\{3be6af24-78cf-2663-e811-5333c5ed7021}: 1]), ('WaitForSingleObject', [])], '0xad83d2c')
3: ([('CloseServiceHandle', []), ('OpenService', []), ('OpenSCManager', [ObjectAttributes: basenamedobjects\global\svcctrlstartevent_a3752dx: 1])], '0xaa856ac')
3: ([('CoCreateInstance', []), ('FreeLibrary,GetProcAddress,LoadLibrary,SHGetFolderPath', [DllName: userenv.dll: 1]), ('MapMemRegion', [DllName: shell32.dll: 1, ObjectAttributes: hklm\software\microsoft\cryptography\oid\encodingtype 0\cryptdlldecodeobjectex: 1, PathName: c:\docume~1\admini~1\locals~1\temp\: 0.777777777778, DllName: c:\windows\system32\cryptnet.dll: 0.888888888889, Filename: c:\windows\system32\winhttp.dll: 1])], '0xa91042c')
3: ([('CreateEvent', []), ('MapMemRegion,MemWrite', [PathName: c:\docume~1\admini~1\locals~1\temp\: 0.00249376558603, DllName: c:\windows\system32\mswsock.dll: 0.750623441397, Filename: c:\windows\system32\winhttp.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters: 1, pszName: tei.fivemillionfriends.com: 1, DllName: rasadhlp.dll: 1, ObjectAttributes: hklm: 0.0149625935162]), ('socket', [DllName: hnetcfg.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock\parameters: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1])], '0xa87ae6c')
3: ([('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\application data\apwobi\ceqi.exe: 1]), ('GetFileSize', []), ('ReadFile', [])], '0xaba55ac')
3: ([('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\application data\osjehe\iwguq.exe: 1]), ('CreateMutex', [ObjectAttributes: basenamedobjects\local\{774aab35-7cde-6acf-e811-5333c5ed7021}: 1]), ('CloseHandle', [])], '0xad974cc')
3: ([('CreateFile,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\windows\explorer.exe: 1]), ('GetFileSize', []), ('NtClose', [])], '0xa8796cc')
3: ([('CreateRemoteThread', []), ('GetAdaptersInfo', [ObjectAttributes: \device\tcp6: 1]), ('LoadLibrary', [DllName: iphlpapi.dll: 1])], '0xaa1a94c')
3: ([('CreateRemoteThread', []), ('GetProcessVersion,NtQuerySystemInformation', []), ('GetVersion', [])], '0xaa713cc')
3: ([('CreateRemoteThread', []), ('GetSystemTimeAsFileTime', []), ('MapMemRegion', [PathName: c:\docume~1\admini~1\locals~1\temp\: 0.980769230769, DllName: c:\windows\system32\cryptnet.dll: 0.932692307692, Filename: c:\windows\system32\winhttp.dll: 1, ObjectAttributes: hklm\software\microsoft\cryptography\oid\encodingtype 0\cryptdlldecodeobjectex: 1, DllName: shell32.dll: 1, ObjectAttributes: scsi10:: 0.00961538461538])], '0xaa7268c')
3: ([('CreateRemoteThread', []), ('LoadLibrary,stricmp', [DllName: kernel32.dll: 1]), ('GetProcAddress', [])], '0xa740bcc')
3: ([('CreateRemoteThread', []), ('NtResumeThread', []), ('NtClose', [])], '0xa875fac')
3: ([('CreateThread', []), ('CloseHandle,TerminateThread', []), ('WaitForSingleObject', [])], '0xab52b6c')
3: ([('CreateThread', []), ('DuplicateHandle', []), ('WaitForSingleObject', [])], '0xaf08bac')
3: ([('CreateThread', []), ('QueryPerformanceCounter', []), ('GetProcAddress', [])], '0xae341ec')
3: ([('CreateThread', []), ('WaitForSingleObject', []), ('ResumeThread,RtlLeaveCriticalSection', [])], '0xadda52c')
3: ([('CsrClientCallServer', []), ('VirtualAlloc', []), ('VirtualQuery', [])], '0x98569ac')
3: ([('DeviceIoControl', []), ('CreateFile', [ObjectAttributes: physicaldrive9: 1]), ('CloseHandle', [])], '0xa86e94c')
3: ([('EnumProcesses,LocalAlloc,LocalFree,NtQuerySystemInformation', []), ('ExitThread', []), ('ConvertStringSecurityDescriptorToSecurityDescriptor', [])], '0xaf0896c')
3: ([('EnumSystemLocales,MapMemRegion', [ObjectAttributes: \nls\nlssectioncp1250: 1]), ('IsValidLocale', []), ('LCMapString', [ObjectAttributes: \nls\nlssectionsortkey00000419: 1])], '0xa7405cc')
3: ([('ExitProcess', []), ('SHGetFolderPath', []), ('LoadLibrary', [DllName: user32.dll: 1])], '0xaba4b4c')
3: ([('FindFirstFile', [ObjectAttributes: c:\: 1, FileName: pos8e.tmp.bat: 1]), ('NtClose,RtlDeleteCriticalSection,RtlEnterCriticalSection,RtlFreeHeap,RtlLeaveCriticalSection', []), ('GetCommandLine', [])], '0x91ffdac')
3: ([('FindNextFile', []), ('FindClose', []), ('FindFirstFile', [ObjectAttributes: c:\documents and settings\administrator\cookies\: 1, FileName: *: 1])], '0xad830ac')
3: ([('FindNextFile', []), ('FindFirstFile', [ObjectAttributes: c:\documents and settings\administrator\application data\: 1, FileName: kb00286167.exe: 1]), ('FindClose', [])], '0x982c70c')
3: ([('GetAdaptersInfo,MemWrite', [ObjectAttributes: \device\netbt_tcpip_{1ad45b38-4060-4f73-bb1e-a0439a2d97eb}: 1, ObjectAttributes: physicaldrive13: 0.08]), ('GetSystemTime', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 75)', ['1030', '1029', '1028']): 1])], '0xa910eec')
3: ([('GetAddrInfo,RtlAllocateHeap,RtlFreeHeap,setlasterror', [DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1, ObjectAttributes: c:\documents and settings\administrator\application data\dnsapi.dll: 1, pszName: awesomefile.com: 1, DllName: rpcrt4.dll: 1, ObjectAttributes: h: 0.285714285714]), ('GetCommandLine', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 8)', ['1053', '1217', '1171', '1215', '1205', '1136', '1133', '1211']): 1])], '0x98cc9ac')
3: ([('GetCPInfo,GetConsoleOutputCP', []), ('VirtualAlloc', []), ('VirtualQuery', [])], '0x9ce728c')
3: ([('GetFileSize', []), ('MapMemRegion', []), ('NtClose', [])], '0x92716ac')
3: ([('GetLocalTime', []), ('GetTimeFormat', []), ('GetDateFormat', [])], '0xad9934c')
3: ([('GetNativeSystemInfo', []), ('CreateThread', []), ('GetVersion', [])], '0xaad87ec')
3: ([('GetProcAddress,startup', []), ('LoadLibrary,stricmp', [DllName: ws2_32.dll: 1]), ('socket', [])], '0x91a7f0c')
3: ([('GetSystemTime', []), ('GetFileSize', []), ('CreateFileMapping,NtCreateSection', [Filename: c:\documents and settings\administrator\application data\63c6.9c2: 1])], '0x9cefc8c')
3: ([('GetSystemTime', []), ('RtlTimeFieldsToTime', []), ('WaitForSingleObject', [])], '0xaf95d4c')
3: ([('GetSystemTime', []), ('SystemTimeToFileTime', []), ('WaitForSingleObject', [])], '0xad838ec')
3: ([('GetTempFileName', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsk5.tmp: 1, PathName: c:\docume~1\admini~1\locals~1\temp: 1]), ('FindNextFile,RtlInitUnicodeString,RtlUnicodeStringToAnsiString,memmove', []), ('RemoveDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsy6.tmp\: 1])], '0x9a0868c')
3: ([('GetTempFileName', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsk5.tmp: 1, PathName: c:\docume~1\admini~1\locals~1\temp: 1]), ('LoadLibrary,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [DllName: msvcrt.dll: 1, ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsy6.tmp\dllwebcount.dll: 1, DllName: c:\docume~1\admini~1\locals~1\temp\nsy6.tmp\selfdelete.dll: 1, Filename: c:\docume~1\admini~1\locals~1\temp\nsy6.tmp\dllwebcount.dll: 1]), ('MapMemRegion', [DllName: msvcrt.dll: 0.0819672131148, ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsy6.tmp\selfdelete.dll: 1, ObjectAttributes: basenamedobjec: 0.0327868852459, DllName: c:\docume~1\admini~1\locals~1\temp\nsk3.tmp\system.dll: 0.781420765027, Filename: c:\docume~1\admini~1\locals~1\temp\nsy6.tmp\selfdelete.dll: 1])], '0x9edf46c')
3: ([('GetTempPath', []), ('CreateDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\: 1]), ('GetTempFileName', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsk5.tmp: 1, PathName: c:\docume~1\admini~1\locals~1\temp\: 1])], '0x9ee576c')
3: ([('GetTempPath', []), ('GetFileAttributes', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp: 1]), ('CreateFile', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\db1dc.dmp: 1])], '0xa4dd5ac')
3: ([('GetTempPath', []), ('MapMemRegion', [DllName: shell32.dll: 1, ObjectAttributes: hklm\software\classes\directory\curver: 1, FileName: windows: 0.166666666667]), ('GetVolumeInformation,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\: 1])], '0x9cf186c')
3: ([('GetTokenInformation', []), ('OpenProcessToken', []), ('CloseHandle', [])], '0xb02b68c')
3: ([('GetUserDefaultUILanguage', []), ('socket', []), ('InitializeCriticalSection,startup', [])], '0xb3ea66c')
3: ([('GetVersion', []), ('GetAdaptersInfo', [ObjectAttributes: \device\tcp6: 1, ValueName: dhcpserver: 0.2]), ('recv', [LocalAddress: (['tcp'], '(0, 0, 32)', ['1029', '1028', '1037', '1034', '1033', '1036', '1030', '1035', '1040', '1038', '1032', '1031']): 1])], '0xaa0efac')
3: ([('GetVersion', []), ('GetThreadContext,SuspendThread', []), ('GetSystemInfo,GetVersion', [])], '0x98789ec')
3: ([('GetVolumeInformation,LoadLibrary', [DllName: iphlpapi.dll: 0.991150442478, ObjectAttributes: hklm\system\currentcontrolset\services\netbt\parameters: 1, ObjectAttributes: ip: 1, Filename: c:\windows\system32\iphlpapi.dll: 0.982300884956]), ('GetAdaptersInfo', [ObjectAttributes: \device\tcp6: 1, ValueName: dhcpserver: 1, ObjectAttributes: physicaldrive6: 0.0175438596491]), ('SHGetFolderPath', [])], '0xaa739ac')
3: ([('IcfGetCurrentProfileType,InterlockedIncrement', []), ('CoCreateInstance', []), ('ConvertStringSecurityDescriptorToSecurityDescriptor', [])], '0xaad892c')
3: ([('InitializeCriticalSection,startup', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1])], '0xb00556c')
3: ([('InitializeCriticalSection,startup', []), ('socket', []), ('connect', [ForeignPort: ['29821', '26613', '23143', '13367', '16841', '22625', '18847', '19819', '23407']: 1, ForeignIP: (0, 0, 26): 1])], '0xabf68ec')
3: ([('InternetSetOption', [DllName: shell32.dll: 1, ObjectAttributes: hklm\software\microsoft\internet explorer\main\featurecontrol\feature_temporaryfiles_for_nocache_840387: 1, ValueName: paths: 1]), ('RegCreateKey', [ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\internet explorer\download: 1]), ('RegOpenKey', [ObjectAttributes: hklm\system\controlset001\services\disk\enum: 1])], '0x95f9bcc')
3: ([('I_RpcSendReceive', []), ('MapMemRegion', []), ('MapMemRegion,MemWrite', [DllName: rasadhlp.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters: 1, pszName: ics.fivemillionfriends.com: 1, DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1])], '0xaa8566c')
3: ([('listen', []), ('socket', [ObjectAttributes: \device\afd\endpoint: 1]), ('bind', [DllName: ws2_32.dll: 1])], '0xaed5dec')
3: ([('LoadLibrary', [DllName: advapi32.dll: 1, ObjectAttributes: knowndlls\msvcrt.dll: 0.0222222222222]), ('GetProcAddress', []), ('GetVersion', [])], '0xa880d2c')
3: ([('LoadLibrary', [DllName: advapi32.dll: 1]), ('SHGetFolderPath', []), ('CreateMutex,RtlLeaveCriticalSection', [])], '0xaad794c')
3: ([('LoadLibrary', [DllName: user32.dll: 1]), ('CreateMutex', [ObjectAttributes: basenamedobjects\global\{3e84d413-03f8-2301-c9ec-b06de410937f}: 1, ObjectAttributes: basena: 0.345454545455]), ('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\application data\osjehe\iwguq.exe: 1])], '0xaf0812c')
3: ([('LoadLibrary,MapMemRegion', [DllName: comctl32.dll: 1]), ('ExitProcess', []), ('LoadLibrary', [DllName: msvcrt.dll: 1])], '0xac3036c')
3: ([('LoadLibrary,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [DllName: uxtheme.dll: 1, ObjectAttributes: c:\programdata\ws2help.dll: 1, Filename: c:\windows\system32\uxtheme.dll: 1]), ('NtAddAtom,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [AtomName: controlofs00400000000004c4: 1]), ('NtDeleteAtom', [])], '0x95eea4c')
3: ([('LoadLibrary,stricmp', [ObjectAttributes: c:\windows\system32\ws2_32.dll: 0.997267759563, DllName: c:\windows\system32\ws2_32: 0.997267759563]), ('GetSystemDirectory', []), ('GetProcAddress', [])], '0xa87266c')
3: ([('MapMemRegion', [DllName: oleaut32.dll: 1, ObjectAttributes: hklm\software\microsoft\windows nt\currentversion\msasn1: 1, AtomName: themepropscrollbarctl: 0.6875, Filename: c:\windows\system32\wininet.dll: 0.8125]), ('GetProcAddress', []), ('GetVersion', [])], '0xac30b8c')
3: ([('MapMemRegion', [DllName: shell32.dll: 0.142857142857, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{9ba05972-f6a8-11cf-a442-00a0c90a8f39}: 1, ObjectName: hklm\software\classes\interface\{93f2f68c-1d1b-11d3-a30e-00c04f79abd1}\proxystubclsid32: 0.0793650793651, Filename: c:\windows\system32\riched20.dll: 1]), ('MapMemRegion,MemWrite', [ObjectAttributes: hklm\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation: 1, AtomName: themepropscrollbarctl: 0.214814814815]), ('GetProcAddress', [])], '0x97e63ac')
3: ([('MapMemRegion', [ObjectAttributes: hklm\software\microsoft\ctf\compatibility\dwm.exe: 1, DllName: c:\windows\system32\msctf.dll: 0.923076923077, Filename: c:\windows\system32\msctf.dll: 1]), ('socket', []), ('CoCreateInstance', [])], '0x97e2c4c')
3: ([('MemWrite', [DllName: user32.dll: 1, ObjectAttributes: c:\windows\system32\ws2_32.dll: 1, Filename: c:\windows\system32\ws2_32.dll: 1]), ('GetProcAddress', []), ('GetVersion', [])], '0x9fd442c')
3: ([('MemWrite,getaddrinfo,setlasterror', []), ('createevent', []), ('socket', [])], '0xaa733cc')
3: ([('MemWrite', []), ('MapMemRegion', []), ('LsaClose,LsaLookupPrivilegeValue,LsaOpenPolicy,RtlInitUnicodeString', [ObjectAttributes: pipe\lsarpc: 1])], '0x9656b8c')
3: ([('MemWrite', [ObjectAttributes: hklm\software\classes\clsid\{d68af00a-29cb-43fa-8504-ce99a996d9ea}\localserver: 1, DllName: c:\windows\system32\wbem\wbemsvc.dll: 0.625, Filename: c:\windows\syst: 0.1]), ('MapMemRegion,MemWrite', [ObjectAttributes: \registry\user\s-1-5-21-842925246-1425521274-308236825-500: 1, Filename: c:\windows\system32\clbcatq.dll: 0.745283018868]), ('CoCreateInstance', [])], '0x964ea4c')
3: ([('NtClose,RtlEnterCriticalSection,RtlFreeHeap,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', []), ('RtlpWaitForCriticalSection', []), ('RtlpUnWaitCriticalSection', [])], '0xa8204cc')
3: ([('NtCreateMutant,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\global\{3be6af24-78cf-2663-e811-5333c5ed7021}: 1]), ('WaitForSingleObject', []), ('NtClose', [])], '0xae367cc')
3: ([('NtDuplicateObject', []), ('CreateFileMapping,RtlAnsiStringToUnicodeString,RtlInitAnsiString', []), ('NtClose', [])], '0xa82580c')
3: ([('NtDuplicateObject', []), ('NtClose', []), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1])], '0xaad844c')
3: ([('NtDuplicateObject', []), ('WaitForSingleObject', []), ('MapMemRegion,MemWrite', [])], '0xad8320c')
3: ([('NtOpenProcess', [ObjectName: c:\program files\common files\exec.exe: 1]), ('NtTerminateProcess,RtlNtStatusToDosError', []), ('NtClose', [])], '0x9cf2f0c')
3: ([('NtOpenProcess', [ObjectName: c:\program files\common files\stimulator.exe: 1]), ('NtQueryInformationToken', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 6)', ['21845', '21741']): 1])], '0xb4bc54c')
3: ([('NtOpenProcessToken', []), ('NtAdjustPrivilegesToken,RtlNtStatusToDosError,RtlSetLastWin32Error', []), ('NtClose', [])], '0x91ff8ac')
3: ([('NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', []), ('GetProcAddress', []), ('NtClose,NtOpenFile,NtSetInformationFile,RtlDosPathNameToNtPathName_U,RtlFreeHeap', [ObjectAttributes: c:\documents and settings\administrator\cookies\administrator@google[1].txt: 1])], '0xad93fcc')
3: ([('NtQueryInformationToken', []), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('GetProcAddress', [])], '0xabf612c')
3: ([('NtQueryInformationToken,RtlNtStatusToDosError,RtlSetLastWin32Error', []), ('CreateRemoteThread', []), ('NtCreateEvent', [])], '0x91ff0cc')
3: ([('NtQueryPerformanceCounter', []), ('ioctl', []), ('GetProcAddress', [])], '0xad9386c')
3: ([('NtQuerySystemInformation', []), ('NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', []), ('NtOpenProcess', [ObjectName: c:\windows\explorer.exe: 1])], '0x97dd42c')
3: ([('NtReadVirtualMemory', []), ('GetProcAddress', []), ('NtQueryVirtualMemory', [])], '0xae36ccc')
3: ([('NtSetEvent', []), ('CreateEvent,NtCreateEvent', []), ('NtClearEvent', [])], '0x91a774c')
3: ([('NtSetEvent', []), ('NtCreateEvent', []), ('NtClose', [])], '0xae364cc')
3: ([('NtSetValueKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError', [ValueName: id3: 1]), ('GetSystemTimeAsFileTime', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 51)', ['1039', '1030', '1040', '1066', '1057', '1063', '1518', '1033', '1512', '1058', '1596', '1539']): 1])], '0xa740f8c')
3: ([('OpenProcess', [ObjectName: c:\windows\system32\svchost.exe: 1]), ('CloseHandle', []), ('OpenProcessToken', [])], '0xabf67cc')
3: ([('recv', [LocalAddress: (['tcp'], '(0, 0, 18)', ['1033', '1307', '1158', '1031', '1043', '1216', '1155', '1185', '1267', '1330', '1354', '1030', '1036']): 1]), ('socket', []), ('select', [])], '0x965a24c')
3: ([('recv', [LocalAddress: (['tcp'], '(0, 0, 2180)', ['1087', '1140', '1072', '1063', '1103', '1112', '1052', '1123', '1164', '1133', '1202', '1153', '1196', '1225', '1210', '1231', '1184', '1199', '1098', '1044', '1090', '1239', '1108', '1097', '1172', '1086', '1038', '1205', '1152', '1191', '1185', '1115', '1211', '1244', '1165', '1062', '1132', '1249', '1042', '1224', '1073', '1232', '1043', '1101', '1248', '1124', '1255', '1271', '1272', '1265', '1171', '1279', '1033', '1056', '1302', '1218', '1053', '1069', '1067', '1285', '1282', '1342', '1050', '1046', '1264', '1335', '1317', '1336', '1362', '1307', '1100', '1054', '1049', '1076', '1376', '1321', '1330', '1057', '1051', '1372', '1389', '1387', '1257', '1229', '1036', '1354', '1055', '1040', '1048', '1373', '1093', '1136', '1083', '1127', '1390', '1219', '1107', '1116', '1047', '1148', '1094', '1064', '1121', '1340', '1037', '1367', '1058', '1059', '1147', '1074', '1371', '1316', '1156', '1061', '1082', '1125', '1135', '1353', '1352', '1104', '1160', '1168', '1111', '1275', '1149', '1306', '1077', '1075', '1070', '1378', '1155', '1066', '1384', '1081', '1120', '1126', '1176', '1392', '1137', '1240', '1128', '1188', '1180', '1167', '1208', '1313', '1175', '1174', '1206', '1041', '1364', '1365', '1368', '1300', '1141', '1309', '1144', '1071', '1099', '1060', '1334', '1339', '1029', '1341', '1357', '1182', '1198', '1366', '1363']): 1]), ('send', [LocalAddress: (['tcp'], '(35, 0, 1379)', ['1028', '1140', '1072', '1063', '1087', '1133', '1038', '1184', '1103', '1112', '1123', '1044', '1191', '1108', '1164', '1196', '1172', '1090', '1098', '1202', '1199', '1153', '1086', '1225', '1031', '1210', '1205', '1052', '1211', '1185', '1231', '1165', '1115', '1132', '1224', '1218', '1152', '1062', '1232', '1239', '1043', '1073', '1097', '1244', '1101', '1124', '1032', '1057', '1171', '1255', '1249', '1248', '1030', '1100', '1053', '1056', '1042', '1069', '1033', '1047', '1046', '1155', '1067', '1229', '1036', '1037', 
'1048', '1076', '1135', '1208', '1107', '1054', '1055', '1190', '1367', '1093', '1050', '1061', '1083', '1121', '1330', '1354', '1127', '1186', '1029', '1180', '1166', '1168', '1169', '1051', '1058', '1116', '1174', '1040', '1147', '1265', '1264', '1257', '1064', '1176', '1328', '1126', '1177', '1348', '1220', '1347', '1209', '53980', '1181', '1049', '1167', '1160', '1204', '1175', '1170', '1271', '1272', '1361', '1206', '1179', '1041', '1059', '1307', '1302', '1148', '1149', '1077', '1371', '1372', '1094', '1317', '1136', '1066', '1384', '1320', '1082', '1120', '62283', '1125', '1183', '1173', '1335', '1331', '1128', '1221', '1340', '63111', '1137', '1212', '1285', '1216', '53192', '1214', '1355', '1188', '1104', '1161', '1213', '1203', '1193', '1111', '1278', '1279', '61111', '1282', '1364', '1142', '1227', '1306', '1300', '1145', '1267', '1268', '1309', '1222', '1144', '1074', '1075', '1070', '1071', '1373', '1376', '63192', '1316', '1315', '56586', '1154', '1251', '1150', '61192', '60020', '1269', '49980', '1068', '1182', '1060', '1065', '55455', '1389', '1387', '1321', '1081', '59677', '58889', '51273', '55980', '1250', '1392', '1390', '1230', '1233', '1336', '1141', '1333', '1332', '58545', '54970', '1240', '1243', '1247', '1129', '59455', '1341', '1342', '57273', '51636', '1163', '1156', '1219', '1357', '64283', '59333', '52020', '1217', '54667', '1143', '51798', '58202', '1198', '1158', '1192', '1197', '59717', '1291', '1351', '55939', '57333', '1045', '1201', '1288', '1366', '1365', '1362', '1368']): 1]), ('socket', [])], '0x97e432c')
3: ([('recv', [LocalAddress: (['tcp'], '(113, 0, 942)', ['1052', '1087', '1063', '1055', '1140', '1072', '1133', '1103', '1164', '1112', '1123', '1056', '1196', '1153', '1184', '1172', '1057', '1033', '1210', '1202', '1054', '1050', '1053', '1059', '1199', '1098', '1231', '1225', '1051', '1239', '1307', '1302', '1265', '1317', '1097', '1152', '1285', '1321', '1279', '55939', '1249', '60727', '1282', '1031', '51798', '1272', '1044', '54970', '1248', '59455', '1185', '1205', '1042', '56970', '1049', '1073', '1372', '1090', '1086', '1191', '1132', '1336', '1216', '1354', '56020', '1046', '1108', '1171', '1043', '1076', '1371', '1330', '1244', '1342', '1032', '1030', '58061', '1165', '1048', '1058', '1115', '49152', '55333', '1271', '1362', '1363', '1070', '1373', '1335', '1155', '1211', '1124', '1029', '1366', '1300', '1148', '1309', '1264', '53980', '59414', '1144', '1376', '1093', '1116', '1069', '1136', '1062', '1064', '1067', '1384', '1083', '62283', '1127', '1255', '1326', '1080', '1039', '1037', '53192', '1218', '1219', '1357', '1107', '1101', '1160', '1168', '1322', '1313', '1352', '1175', '1156', '61111', '1364', '1147', '1263', '1262', '1141', '1094', '1158', '1154', '1157', '1099', '1182', '1061', '1060', '1389', '1367', '1387', '1121', '1174', '58242', '51273', '1257', '55980', '1251', '1259', '1232', '1137', '1134', '1243', '1128', '1224', '1340', '1341', '1167', '56586', '1038', '1034', '1213', '1183', '1180', '1100', '1166', '54667', '1203', '1198', '62808', '1193', '1195', '59717', '1170', '1040', '1047', '1176', '1149', '50364', '55495', '1079', '1077', '60283', '1075', '1316', '61192', '49980', '1065', '1066', '1082', '53152', '1125', '1392', '1135', '59273', '61636', '53333', '57273', '54889', '1036', '1353', '1188', '52323', '1181', '52020', '1104', '1390', '64808', '1111', '53111', '1275', '1179', '53677', '1365', '1190', '1368', '60020']): 1]), ('socket', []), ('ioctlsocket', [])], '0x97e360c')
3: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 16)', ['21525', '18856', '13806', '13494', '15143']): 1]), ('NtDeviceIoControlFile', []), ('socket', [])], '0xae3712c')
3: ([('RegCreateKey', [ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\windows\currentversion\explorer\taskband: 1]), ('MapMemRegion', [DllName: advapi32.dll: 1, ObjectAttributes: hklm\software\microsoft\internet explorer\main\featurecontrol\feature_http_username_password_di: 1, Filename: c:\windows\system32\wininet.dll: 0.4]), ('NtClose', [])], '0x98ac24c')
3: ([('RegisterEventSource', []), ('DeregisterEventSource,ReportEvent', [ObjectAttributes: hklm\system\currentcontrolset\control\computername\activecomputername: 1]), ('InternetGetConnectedState,MemWrite', [])], '0x987808c')
3: ([('RegOpenKey', [SubKey: software\microsoft\yjas: 1, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\yjas: 1]), ('SHGetFolderPath', []), ('LoadLibrary', [DllName: wininet.dll: 1])], '0xb14abec')
3: ([('ResetEvent,SignalObjectAndWait,WaitForSingleObject', []), ('CreateMutex', [ObjectAttributes: basenamedobjects\local\m000004f0: 1]), ('CreateEvent', [])], '0x9a20e0c')
3: ([('SetEvent', []), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xb4490cc')
3: ([('SHGetFolderPath', []), ('MapMemRegion', [ObjectAttributes: hklm\software\microsoft\ctf\compatibility\dwm.exe: 1, DllName: c:\windows\system32\msctf.dll: 1, Filename: c:\windows\system32\msctf.dll: 1]), ('LoadLibrary,stricmp', [DllName: shlwapi.dll: 1, ObjectAttributes: c:\windows\system32\shell32.dll: 1, ObjectName: c:\documents and settings\administrator\application data\dwm.exe: 0.125, Filename: c:\windows\system32\comctl32.dll: 1])], '0x9ee1d4c')
3: ([('socket', [DllName: hnetcfg.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock\parameters: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1]), ('recv', [LocalAddress: (['tcp'], '(0, 0, 840)', ['1030', '1028', '1029', '1031', '1038', '1040', '1041', '1032', '1039', '1036', '1034', '1035', '1043', '1042']): 1]), ('CreateEvent', [])], '0xa86bf0c')
3: ([('socket', []), ('ioctl', []), ('NtClose', [])], '0xaf9e8ac')
3: ([('socket', []), ('NtDeviceIoControlFile', []), ('closesocket', [])], '0xa7a760c')
3: ([('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 11)', ['24892', '28233', '28516', '13122', '14929']): 1]), ('CreateEvent', [])], '0xb14ab2c')
3: ([('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 9)', ['22108', '29336', '28463', '11525', '14241']): 1]), ('CreateEvent', [])], '0xb02904c')
3: ([('socket', []), ('send', [LocalAddress: (['tcp'], '(4, 0, 125)', ['1028', '1087', '1086', '1205', '1123', '1225', '1202', '1211', '1177', '1199', '1055', '1172', '1072', '1196', '1038', '1255', '1115', '1032', '1164', '1244', '1210', '1191', '1090', '1231', '1232', '1133', '1132', '1218', '1098', '1239', '1153', '1152', '1165', '1249', '1264', '1043', '1140', '1044', '1063', '1185', '1222', '1103', '1101', '1248', '1112', '1108', '1348', '1166', '1062', '1160', '1161', '1221', '1204', '62283', '1265', '1048', '1097', '1173', '1208', '58889', '1052', '51273', '1054', '1057', '1058', '1059', '1257', '1184', '1278', '1176', '1215', '59758', '1179', '1178', '1042', '1061', '1174', '1367', '1364', '1051', '1384']): 1]), ('accept', [ObjectAttributes: \device\afd\endpoint: 1])], '0x9ce97cc')
3: ([('socket', []), ('startup', []), ('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 1, ObjectAttributes: hklm\software\policies\microsoft\system\dnsclient: 1, ValueName: parseautoexec: 1, SubKey: treatas: 1, pszName: asl48pulyjylrm19b18p22p62b28bzbycynzer.com: 1, FileName: administrator: 0.5, DllName: rasadhlp.dll: 1, ObjectAttributes: {}: 1])], '0xb4bb9ec')
3: ([('socket', []), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xae37c4c')
3: ([('WaitForMultipleObjects', []), ('createevent', []), ('CreateEvent', [])], '0xaad83ac')
4: ([('addresstostring', [SubKey: system\currentcontrolset\services\tcpip\parameters\winsock: 0.571428571429, DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1, ObjectAttributes: hklm\software\microsoft\rpc\securityservice: 1, ValueName: defaultauthlevel: 1, ModuleName: nspr4.dll: 1, DllName: hnetcfg.dll: 1]), ('socket', []), ('InitializeCriticalSection,startup', []), ('ioctl', [])], '0xb4b988c')
4: ([('CloseServiceHandle', []), ('OpenService', []), ('MapMemRegion,MemWrite', [DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\dnsapi.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, pszName: ics.fivemillionfriends.com: 1, Filename: c:: 0.00411522633745, DllName: rpcrt4.dll: 1]), ('OpenSCManager', [ObjectAttributes: basenamedobjects\global\svcctrlstartevent_a3752dx: 1])], '0xaa1a4ec')
4: ([('CreateEvent', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('WaitForMultipleObjects', [])], '0xaf9e40c')
4: ([('CreateEvent,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: basenamedobjects\__32767_1070__: 1]), ('LoadLibrary,stricmp', [DllName: advapi32.dll: 1, ObjectAttributes: \registry\machine\system\currentcontrolset\control\session manager: 1]), ('GetProcAddress', []), ('CreateEvent,NtCreateEvent,RtlAnsiStringToUnicodeString,RtlInitAnsiString,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\__32767_1072__: 1])], '0xa84df8c')
4: ([('CreateEvent', []), ('socket', [ObjectAttributes: \device\afd\endpoint: 1]), ('bind', [DllName: ws2_32.dll: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 110)', ['14241', '22108', '29336', '28463', '11525']): 1])], '0xaed532c')
4: ([('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\application data\ogykyr\yqoga.exe: 1]), ('GetFileSize', []), ('ReadFile', []), ('VirtualAlloc', [])], '0xb51206c')
4: ([('CreateRemoteThread', []), ('GetAdaptersInfo', [ObjectAttributes: \device\tcp6: 1]), ('recv', [LocalAddress: (['tcp'], '(0, 0, 14)', ['1029', '1028', '1036', '1037', '1034', '1040', '1038', '1030', '1035']): 1]), ('LoadLibrary', [DllName: iphlpapi.dll: 1])], '0xaa72cec')
4: ([('CreateRemoteThread', []), ('GetSystemTimeAsFileTime', []), ('LoadLibrary,stricmp', [DllName: advapi32.dll: 1, ObjectAttributes: \registry\machine\system\currentcontrolset\control\session manager: 1]), ('GetProcAddress', [])], '0xa8722ec')
4: ([('CreateRemoteThread', []), ('GetSystemTimeAsFileTime', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 72)', ['1031', '1028', '1166', '1167', '1192', '1030', '1135', '1043', '1047', '1087', '1086', '1083', '1082', '1120', '1121', '1123', '1124', '1169', '1126', '1127', '1053', '1057', '1056', '1107', '1191', '1077', '1072', '1111', '1038', '1112', '1115', '1116', '1032', '1033', '1036', '1037', '1094', '1139', '1097', '1090', '1093', '1133', '1098', '1125', '1119', '1134', '1041', '1040', '1044', '1039', '1063', '1062', '1067', '1066', '1076', '1104', '1103', '1100', '1108']): 1]), ('GetVersion', [])], '0x9a1388c')
4: ([('CreateRemoteThread', []), ('ioctl', []), ('NtQueryPerformanceCounter', []), ('GetProcAddress', [])], '0xadda3ac')
4: ([('CreateRemoteThread', []), ('listen', []), ('GetProcAddress,InterlockedIncrement,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrcpy', []), ('LoadLibrary', [DllName: ws2_32.dll: 1])], '0x96474cc')
4: ([('CreateRemoteThread', []), ('NtQuerySystemInformation', []), ('RtlAllocateHeap', []), ('OpenProcess', [ObjectName: c:\windows\explorer.exe: 1])], '0x9ce7d8c')
4: ([('CreateRemoteThread', []), ('NtResumeThread', []), ('WaitForSingleObject', []), ('socket', [])], '0xafb49ec')
4: ([('CreateRemoteThread', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 130)', ['1028', '1031', '1030', '1174', '1172', '1032', '1188', '1185', '1180', '1164', '1166', '1167', '1160', '1208', '1168', '1176', '1175', '1047', '1048', '1140', '1147', '1148', '1076', '1072', '1071', '1097', '1159', '1093', '1155', '1154', '1156', '1151', '1153', '1050', '1063', '1062', '1065', '1067', '1128', '1177', '1083', '1121', '1125', '1127', '1133', '1136', '1333', '1247', '1348', '1087', '1225', '1222', '1221', '1229', '1161', '1033', '1036', '1037', '1212', '1351', '1219', '1189', '1186', '1184', '1029', '1183', '1107', '1103', '1163', '1205', '1204', '1207', '1206', '1202', '1199', '1052', '1053', '1055', '1056', '1057', '1191', '1190', '1193', '1197', '1196', '1112', '1116', '1278', '1178', '1043', '1041', '1040', '1046', '1044', '1367']): 1]), ('socket', []), ('MapMemRegion', [DllName: oleacc.dll: 0.857142857143, ObjectAttributes: c:\windows\system32\oleaccrc.dll: 1, DllName: c:\windows\system32\msctf.dll: 0.142857142857, Filename: c:\windows\system32\oleacc.dll: 1])], '0x965af4c')
4: ([('CreateRemoteThread', []), ('RtlAllocateHeap', []), ('NtClose', []), ('WaitForSingleObject', [])], '0x9ee6bcc')
4: ([('CreateSemaphore,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: \basenamedobjects: 1]), ('SHGetFolderPath', []), ('CreateMutex', [ObjectAttributes: basenamedobjects\global\{c84914f5-c31e-d5cc-e811-5333c5ed7021}: 1]), ('OpenEvent', [ObjectAttributes: basenamedobjects\hookswitchhookenabledevent: 1])], '0xb02996c')
4: ([('CreateToolhelp32Snapshot', []), ('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('CloseHandle', []), ('VirtualAlloc', [])], '0xae34b8c')
4: ([('CreateToolhelp32Snapshot', []), ('Thread32Next', []), ('Thread32First', []), ('CloseHandle', [])], '0xad99f8c')
4: ([('DialogBoxParam,MapMemRegion', []), ('RegCreateKey', [SubKey: software\microsoft\windows\currentversion\run: 1, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\windows\currentversion\run: 1]), ('GetVolumeInformation', [ObjectAttributes: c:\: 1]), ('SHGetSpecialFolderPath', [])], '0x9ce616c')
4: ([('eventselect', []), ('socket', []), ('LoadLibrary', [DllName: ws2_32.dll: 1]), ('GetProcAddress', [])], '0xa87162c')
4: ([('eventselect', []), ('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 42)', ['23917']): 1]), ('createevent', [])], '0xb3ea36c')
4: ([('FindFirstFile', [ObjectAttributes: c:\documents and settings\administrator\cookies\: 1, FileName: *: 1]), ('NtClose,RtlDeleteCriticalSection,RtlEnterCriticalSection,RtlFreeHeap,RtlLeaveCriticalSection', []), ('NtQueryDirectoryFile', []), ('NtQueryDirectoryFile,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,memmove', [])], '0xad9334c')
4: ([('GetCommandLine', []), ('NtOpenSymbolicLinkObject', [ObjectAttributes: c:: 1]), ('FindFirstFile', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\: 1, FileName: pos5b.tmp.bat: 1]), ('NtQueryInformationFile', [])], '0x9a20a2c')
4: ([('GetComputerName', []), ('MapMemRegion', [PathName: c:\docume~1\admini~1\locals~1\temp\: 0.630434782609, DllName: c:\windows\system32\cryptnet.dll: 0.0579710144928, Filename: c:\windows\system32\winhttp.dll: 0.847826086957, ObjectAttributes: hklm\software\microsoft\cryptography\oid\encodingtype 0\cryptdlldecodeobjectex: 1, ObjectName: c:\docume~1\admini~1\locals~1\temp\upg8c.tmp: 0.0144927536232, DllName: netapi32.dll: 1, ObjectAttributes: physicaldrive11: 0.00724637681159]), ('GetAdaptersInfo,MemWrite', [ObjectAttributes: \device\netbt_tcpip_{1ad45b38-4060-4f73-bb1e-a0439a2d97eb}: 1, ObjectAttributes: scsi6:: 0.027972027972]), ('CoCreateInstance', [])], '0xaa0c78c')
4: ([('GetProcAddress', []), ('MapMemRegion,MemWrite', [ObjectAttributes: hklm\software\microsoft\internet explorer\main\featurecontrol\feature_zone_elevation: 1, AtomName: themepropscrollbarctl: 0.186813186813]), ('MapMemRegion', [DllName: shell32.dll: 0.186813186813, ObjectAttributes: \registry\machine\software\microsoft\windows nt\currentversion\image file execution options\imagehlp.dll: 1, Filename: c:\windows\system32\riched20.dll: 1]), ('LoadLibrary', [DllName: sxs.dll: 1])], '0xa4da4ec')
4: ([('GetSystemTimeAsFileTime', []), ('MapMemRegion,MemWrite', [PathName: c:\docume~1\admini~1\locals~1\temp\: 0.00201612903226, Filename: c:\windows\system32\winhttp.dll: 0.00201612903226, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters\namespace_catalog5\catal: 1, FileName: upg8a.tmp: 0.00201612903226, DllName: netapi32.dll: 0.00604838709677, ObjectAttributes: hklm: 0.0403225806452]), ('GetCommandLine', []), ('GetVersion', [])], '0xa87a54c')
4: ([('GetSystemTimeAsFileTime', []), ('NtQueryAttributesFile', [ObjectAttributes: c:\documents and settings\administrator\application data\ipswitch\ws_ftp\sites: 1]), ('recv', [LocalAddress: (['tcp'], '(101, 0, 17)', ['1028', '1031', '1037', '1034', '1039', '1040', '1043', '1052', '1046', '1055', '1049', '1030', '1058', '1064', '1061', '1066', '1488', '1057', '1063']): 1]), ('socket', [])], '0xa7409ac')
4: ([('GetSystemTime', []), ('CreateFileMapping,NtCreateSection', [Filename: c:\documents and settings\administrator\application data\63c6.9c2: 1]), ('RtlTimeFieldsToTime', []), ('SetProcessPriorityBoost', [])], '0x9287b2c')
4: ([('GetTokenInformation', []), ('CloseHandle', []), ('OpenProcessToken', []), ('CreateEvent', [])], '0xab551ec')
4: ([('GetTokenInformation', []), ('CreateThread', []), ('CloseHandle', []), ('OpenProcessToken', [])], '0xaa7140c')
4: ([('GetTokenInformation', []), ('OpenProcessToken', []), ('NtCreateEvent', [ObjectAttributes: {}: 1]), ('CloseHandle', [])], '0xaf95ecc')
4: ([('GetTokenInformation', []), ('OpenProcessToken', []), ('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('CloseHandle', [])], '0xaba52ac')
4: ([('GetUserDefaultUILanguage', []), ('addresstostring', [SubKey: system\currentcontrolset\services\winsock\parameters: 0.615384615385, DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1, ObjectAttributes: hklm\software\microsoft\rpc\securityservice: 1, ValueName: defaultauthlevel: 1, ModuleName: nspr4.dll: 1, DllName: hnetcfg.dll: 1]), ('socket', []), ('InitializeCriticalSection,startup', [])], '0xaada14c')
4: ([('InitializeCriticalSection,startup', []), ('CreateThread', []), ('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 24)', ['28233', '24892']): 1])], '0xb4b91cc')
4: ([('InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', []), ('MapMemRegion,MemWrite', [DllName: c:\windows\system32\mswsock.dll: 0.648760330579, Filename: c:\windows\system32\mswsock.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters: 1, pszName: ics.fivemillionfriends.com: 1, DllName: rasadhlp.dll: 0.826446280992, ObjectAttributes: hklm: 0.0330578512397]), ('GetProcAddress', []), ('socket', [DllName: hnetcfg.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1])], '0xa86f08c')
4: ([('ioctl', []), ('MapMemRegion,MemWrite', []), ('NtQueryPerformanceCounter', []), ('GetProcAddress', [])], '0xafb488c')
4: ([('MapMemRegion,MemWrite', [DllName: dnsapi.dll: 0.271604938272, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters\namespace_catalog5\catal: 1, pszName: [array_nt_mb16]: 0.16049382716, DllName: c:\windows\system32\mswsock.dll: 0.0987654320988, Filename: c:\windows\system32\mswsock.dll: 0.271604938272]), ('recv', [LocalAddress: (['tcp', 'udp'], '(30, 0, 170)', ['1037', '1036', '1035', '1038', '1043', '1042', '1041', '1040', '1047', '1044', '1039', '1046', '1045', '1049', '1050', '1031', '1028']): 1]), ('socket', []), ('bind', [DllName: ws2_32.dll: 1])], '0xa86b0cc')
4: ([('MapMemRegion,MemWrite', [ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\00000006: 1]), ('setsockopt', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1])], '0xaa8530c')
4: ([('MapMemRegion', [ObjectAttributes: hklm\software\microsoft\ctf\compatibility\dwm.exe: 1, DllName: c:\windows\system32\msctf.dll: 1, Filename: c:\windows\system32\msctf.dll: 1]), ('GetProcAddress', []), ('CoCreateInstance', []), ('socket', [])], '0x99c886c')
4: ([('NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', []), ('CreateRemoteThread', []), ('GetProcAddress', []), ('GetDiskFreeSpace,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\: 1])], '0x964c14c')
4: ([('NtClearEvent,ResetEvent', []), ('CreateEvent', []), ('NtSetEvent,SetEvent', []), ('CloseHandle,NtClose', [])], '0x91fc12c')
4: ([('NtClose', []), ('GetFileSize', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 49)', ['1031', '1032', '1030', '1036', '1153', '1040', '1188', '1216', '1185', '1029', '1304', '1267', '1190', '1038', '1037', '1316', '1211', '1217', '1171', '1215', '1336', '1136', '1330', '1354', '1043', '1183']): 1]), ('CreateFileMapping,NtCreateSection', [Filename: c:\documents and settings\administrator\application data\a7ad.c35: 1])], '0x964750c')
4: ([('NtCreateEvent', [ObjectAttributes: {}: 1]), ('NtClose', []), ('NtOpenProcessToken', []), ('NtQueryInformationToken,RtlNtStatusToDosError,RtlSetLastWin32Error', [])], '0xb5c7eec')
4: ([('NtCreateEvent', [ObjectAttributes: {}: 1]), ('NtCreateFile', [ObjectAttributes: \device\rasacd: 1]), ('NtDeviceIoControlFile', []), ('GetProcAddress', [])], '0xa4d878c')
4: ([('NtCreateEvent', []), ('socket', []), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xae3770c')
4: ([('NtCreateMutant,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\global\{5d329b3c-4cd7-40b7-e811-5333c5ed7021}: 1]), ('MapMemRegion', [DllName: version.dll: 1, ObjectAttributes: hklm\software\microsoft\windows nt\currentversion\winlogon: 1, FileName: *: 0.6, ObjectAttributes: {}: 0.8, Filename: c:\windows\system32\userenv.dll: 0.4]), ('LoadLibrary', [DllName: ws2_32.dll: 1]), ('LoadLibrary,stricmp', [DllName: secur32.dll: 1, ObjectAttributes: c:\windows\system32\shell32.dll: 1, ObjectName: c:\program files\common files\stimulator.exe: 0.8, AtomName: themepropscrollbarctl: 0.8, Filename: c:\windows\system32\wininet.dll: 1])], '0xad93cec')
4: ([('NtCreateSection', []), ('NtMapViewOfSection,NtUnmapViewOfSection', []), ('NtClose', []), ('NtMapViewOfSection', [])], '0xa16cb2c')
4: ([('NtDuplicateObject', []), ('GetSystemInfo', []), ('CreateFileMapping,RtlAnsiStringToUnicodeString,RtlInitAnsiString', []), ('NtMapViewOfSection', [])], '0xa81f82c')
4: ([('NtDuplicateObject', []), ('MapMemRegion', [DllName: secur32.dll: 1, ObjectAttributes: c:\windows\system32\shell32.dll: 1, AtomName: themepropscrollbarctl: 0.733333333333, Filename: c:\windows\system32\wininet.dll: 0.733333333333]), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('NtClose', [])], '0xb148b2c')
4: ([('NtDuplicateObject', []), ('NtOpenProcessToken', []), ('NtCreateEvent', [ObjectAttributes: {}: 1]), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1])], '0xaed5c0c')
4: ([('NtEnumerateValueKey,RtlNtStatusToDosError,memmove', []), ('NtQueryKey', []), ('NtOpenKey,RtlEnterCriticalSection,RtlInitUnicodeString,RtlLeaveCriticalSection,RtlNtStatusToDosError', []), ('NtClose', [])], '0x964e46c')
4: ([('NtFreeVirtualMemory,RtlEnterCriticalSection,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', []), ('NtQueryInformationToken', []), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('GetProcAddress', [])], '0xaada72c')
4: ([('NtOpenThread', [ObjectAttributes: {}: 1]), ('NtQueryInformationThread', []), ('NtGetContextThread', []), ('NtSuspendThread', [])], '0x9a135cc')
4: ([('NtQueryInformationFile,NtSetInformationFile', []), ('NtClose', []), ('NtFlushBuffersFile', []), ('NtQueryInformationFile', [])], '0xac3096c')
4: ([('NtQueryInformationToken', []), ('NtOpenProcess', [ObjectName: c:\windows\system32\svchost.exe: 1]), ('NtClose', []), ('NtOpenProcessToken', [])], '0xad9324c')
4: ([('NtQueryInformationToken,RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlSetLastWin32Error', []), ('NtOpenProcessToken', []), ('NtClose', []), ('NtQueryInformationToken', [])], '0xad933cc')
4: ([('NtReadVirtualMemory', []), ('GetProcAddress', []), ('NtFlushInstructionCache,NtProtectVirtualMemory,NtWriteVirtualMemory', []), ('NtQueryVirtualMemory', [])], '0xaada34c')
4: ([('NtSetEvent', []), ('NtCreateEvent', []), ('NtClose', []), ('NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', [])], '0xad9616c')
4: ([('NtSetEvent', []), ('WaitForMultipleObjects', []), ('NtCreateEvent', []), ('NtClose', [])], '0xabf6a0c')
4: ([('NtSetEvent', []), ('WaitForSingleObject', []), ('NtCreateEvent', []), ('NtClose', [])], '0xabf60ec')
4: ([('NtSetValueKey,RtlCreateUnicodeStringFromAsciiz,RtlFreeUnicodeString,RtlNtStatusToDosError', [ValueName: enablefirewall: 1]), ('CreateRemoteThread', []), ('GetCommandLine', []), ('GetProcAddress', [])], '0x9cf33ac')
4: ([('OpenProcessToken', []), ('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('DuplicateHandle', []), ('CreateEvent', [])], '0xb02b36c')
4: ([('RtlNtStatusToDosError,RtlTimeFieldsToTime', []), ('OpenMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: basenamedobjects\{a5b35993-9674-43cd-8ac7-5bc5013e617b}: 1]), ('RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlTimeFieldsToTime', []), ('GetSystemTimeAsFileTime', [])], '0x9649b2c')
4: ([('SetEvent', []), ('CloseHandle', []), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xb02b42c')
4: ([('SetEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['22108']): 1]), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xb02916c')
4: ([('SetEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['23917']): 1]), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xb5d880c')
4: ([('SetEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['24892']): 1]), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xb14a84c')
4: ([('SHDeleteValue', [SubKey: software\microsoft\kyci: 0.9375, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\kyci: 1, ValueName: 51i56ad: 0.9375]), ('RegOpenKey', [SubKey: software\microsoft\kyci: 0.944444444444, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\microsoft\kyci: 1]), ('SHGetFolderPath', []), ('LoadLibrary', [DllName: shlwapi.dll: 1])], '0xb3ea76c')
4: ([('SHGetSpecialFolderPath', []), ('SHGetFolderPath,SetEnvironmentVariable', [ValueName: personal: 1]), ('InternetGetConnectedState,MemWrite', []), ('SHGetFolderPath', [])], '0xa4dd3ac')
4: ([('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('InitializeCriticalSection,startup', []), ('RegCloseKey,RegOpenKey,RegQueryValue', [SubKey: system\currentcontrolset\services\sharedaccess\parameters\fi...: 1, ObjectAttributes: hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile: 1, ValueName: disablenotifications: 1])], '0xaddcb0c')
4: ([('socket', []), ('MemWrite,gethostname', [SubKey: software\policies\microsoft\system\dnsclient: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, DllName: rpcrt4.dll: 1, ValueName: ldapclientintegrity: 1, Filename: c:\windows\system32\winrnr.dll: 1]), ('bind,ntohs', []), ('closesocket', [])], '0x965282c')
4: ([('socket', []), ('NtDeviceIoControlFile', []), ('LoadLibrary', [DllName: msvcrt.dll: 1]), ('GetProcAddress', [])], '0xae37d2c')
4: ([('socket', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 512)', ['1031', '1032', '1033', '1034', '1029', '1035', '1037', '1028', '1030', '1036', '1038', '1039', '1040', '1041', '1042', '1043', '1048', '1044']): 1]), ('LoadLibrary', [DllName: iphlpapi.dll: 1]), ('CreateEvent', [])], '0xaa1012c')
4: ([('socket', []), ('WaitForMultipleObjects', []), ('CreateEvent', []), ('createevent', [])], '0xb14818c')
4: ([('WaitForSingleObject', []), ('NtReleaseMutant', []), ('NtClose', []), ('CreateMutex,NtCreateMutant,RtlAnsiStringToUnicodeString,RtlInitAnsiString,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\{b37c48af-b05c-4520-8b38-2fe181d5dc78}: 1])], '0x9cef62c')
4: ([('WaitForSingleObject', []), ('NtReleaseMutant', []), ('socket', []), ('GetVersion', [])], '0xab55acc')
4: ([('WriteProcessMemory', []), ('VirtualQuery', []), ('LoadLibrary', [DllName: user32.dll: 1]), ('GetProcAddress', [])], '0xabf62ac')
5: ([('bind', [DllName: ws2_32.dll: 1]), ('CreateThread', []), ('InitializeCriticalSection,startup', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 32)', ['22108', '14241']): 1]), ('socket', [])], '0xaad838c')
5: ([('bind', [DllName: ws2_32.dll: 1]), ('InitializeCriticalSection,startup', []), ('listen', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 6)', ['23917']): 1]), ('socket', [ObjectAttributes: \device\afd\endpoint: 1])], '0xb5c622c')
5: ([('CreateFileMapping,NtCreateSection', [Filename: c:\documents and settings\administrator\application data\7cf8.a1f: 1]), ('MapViewOfFile', []), ('GetFileSize', []), ('SetProcessPriorityBoost', []), ('NtClose', [])], '0x97e4b0c')
5: ([('CreateRemoteThread', []), ('CoCreateInstance', []), ('NtDelayExecution', []), ('MapMemRegion', [DllName: oleacc.dll: 0.75, ObjectAttributes: c:\windows\system32\oleaccrc.dll: 1, DllName: c:\windows\system32\msctf.dll: 0.25, Filename: c:\windows\system32\oleacc.dll: 1]), ('recv', [LocalAddress: (['tcp'], '(0, 0, 9)', ['1029', '1032', '1036', '1038', '1030', '1031']): 1])], '0x99d3a0c')
5: ([('CreateRemoteThread', []), ('GetCommandLine', []), ('RtlAllocateHeap', []), ('NtClose', []), ('GetProcAddress', [])], '0xa62e9ac')
5: ([('CreateRemoteThread', []), ('GetDiskFreeSpace,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\: 1]), ('NtClose', []), ('GetProcAddress', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 31)', ['1030', '1031', '1043', '1316', '1216', '1330', '1354', '1039', '1036', '1040', '1188', '1153', '1032']): 1])], '0x9647e2c')
5: ([('CreateRemoteThread', []), ('MapMemRegion', [DllName: oleacc.dll: 1, ObjectAttributes: c:\windows\system32\oleacc.dll: 1, Filename: c:\windows\system32\msvcp60.dll: 1]), ('NtAllocateVirtualMemory', []), ('LoadLibrary,stricmp', [DllName: shlwapi.dll: 1, ObjectAttributes: c:\windows\system32\shell32.dll: 1, ObjectAttributes: known: 0.166666666667, Filename: c:\windows\system32\comctl32.dll: 1]), ('NtClose', [])], '0x9a2c2cc')
5: ([('CreateRemoteThread', []), ('NtResumeThread', []), ('NtClose', []), ('GetSystemTimeAsFileTime', []), ('GetProcAddress', [])], '0xa87a26c')
5: ([('CreateRemoteThread', []), ('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('GetProcAddress', []), ('GetTokenInformation', []), ('RtlFreeHeap', [])], '0xaba5d4c')
5: ([('CreateThread', []), ('InterlockedExchange,MapMemRegion,MemWrite,startup', [ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries\000000000013: 1, ValueName: serial_access_num: 1]), ('LoadLibrary', [DllName: kernel32.dll: 1, DllName: c:\windows\system32\packet.dll: 0.285714285714]), ('GetProcAddress', []), ('MapMemRegion,MemWrite,socket', [])], '0xa62fe6c')
5: ([('CreateWindow,MapMemRegion,MemWrite,RegisterClass', []), ('CreateFile', [ObjectAttributes: c:\windows\system32\imagehl: 1]), ('CreateFileMapping', [Filename: c:\windows\system32\version.dll: 1]), ('GetModuleFileName', []), ('GetFileSize', [])], '0xa4dd18c')
5: ([('eventselect', []), ('closeevent', []), ('socket', []), ('WaitForMultipleObjects', []), ('createevent', [])], '0xae3708c')
5: ([('GetAdaptersInfo,MemWrite', [ObjectAttributes: \device\netbt_tcpip_{1ad45b38-4060-4f73-bb1e-a0439a2d97eb}: 1]), ('CoCreateInstance', []), ('GetComputerName', []), ('LsaICLookupNames', []), ('MapMemRegion', [])], '0xaa8558c')
5: ([('GetFileSize', []), ('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\application data\osjehe\iwguq.exe: 1]), ('CreateMutex', [ObjectAttributes: basenamedobjects\local\{774aab35-7cde-6acf-e811-5333c5ed7021}: 1]), ('ReadFile', []), ('CloseHandle', [])], '0xad9710c')
5: ([('GetFileSize', []), ('SetFilePointer', []), ('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\local settings\application data\ofyjw.ecp: 1]), ('SetFileTime', []), ('ReadFile', [])], '0xae3422c')
5: ([('GetSystemTime', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 1141)', ['1028', '1030', '1029', '1031', '1038', '1040', '1041', '1032', '1039', '1043', '1042', '1036', '1034', '1035']): 1]), ('GetAdaptersInfo,MemWrite', [ObjectAttributes: \device\netbt_tcpip_{1ad45b38-4060-4f73-bb1e-a0439a2d97eb}: 1, ObjectAttributes: physicaldrive6: 0.019656019656]), ('NtDeviceIoControlFile', []), ('GetVolumeInformation,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\: 1])], '0xaa0ca6c')
5: ([('GetTokenInformation', []), ('GetNativeSystemInfo', []), ('OpenProcessToken', []), ('CreateThread', []), ('GetVersion', [])], '0xb14836c')
5: ([('InitializeCriticalSection,startup', []), ('CreateThread', []), ('socket', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 38)', ['27789', '20871']): 1]), ('bind', [DllName: ws2_32.dll: 1])], '0xb14848c')
5: ([('ioctlsocket', []), ('select', []), ('send', [LocalAddress: (['tcp'], '(179, 0, 1840)', ['1028', '1031', '1030', '1032', '1052', '1054', '1057', '1063', '1055', '1050', '1051', '1056', '1029', '1047', '1172', '1174', '1053', '1179', '1043', '1049', '1037', '1036', '1181', '1177', '1222', '1033', '1188', '1166', '1041', '1070', '1061', '1062', '1038', '1183', '1048', '1059', '1067', '1218', '1185', '1175', '1173', '1040', '1045', '1076', '1170', '1225', '1224', '1208', '1039', '1186', '1180', '1167', '1058', '1212', '1169', '1182', '1135', '1149', '1107', '1178', '1042', '1044', '1090', '1064', '1087', '1320', '1336', '1190', '1209', '1355', '1163', '1192', '1176', '1171', '1082', '1221', '1187', '1108', '1204', '1197', '1372', '61111', '1069', '1065', '1220', '1211', '1215', '58061', '1367', '1304', '1145', '1075', '1094', '1316', '1153', '60020', '1060', '1066', '1080', '58889', '55980', '1392', '1168', '1191', '1133', '1210', '1213', '53192', '59758', '1184', '1104', '1111', '54061', '1365', '1360', '1143', '1147', '1262', '1260', '1265', '1371', '57939', '1328', '1255', '1134', '1330', '1240', '1347', '1034', '56020', '1354', '53980', '1189', '54667', '1203', '63677', '49152', '63414', '1361', '1268', '1263', '59414', '1144', '1142', '1077', '1074', '1072', '1097', '1093', '1154', '1098', '1099', '61192', '1150', '49980', '58545', '52323', '1046', '1086', '1083', '1081', '1120', '1121', '1123', '1124', '1125', '1127', '59677', '64202', '64364', '52364', '1335', '1233', '1131', '1239', '59273', '1332', '1141', '1243', '60808', '64808', '60283', '1348', '1128', '59455', '1340', '57273', '57333', '51636', '1216', '1219', '1227', '59333', '1103', '1100', '58242', '1317', '1201', '1193', '1196', '59717', '1112', '1115', '1116', '1119', '1151', '53677', '1368', '1269', '1300', '53152', '1309', '50364', '1079', '1071', '51677', '1156', '52020', '1122', '1384', '51273', '1126', '55455', '1251', '1235', '1231', '1232', '1331', '61636', '53333', '1247', '1129', 
'1223', '63192', '1229', '63111', '1165', '60727', '52505', '1214', '62283', '1105', '1160', '1161', '51798', '58202', '64283', '1195', '53111', '1278', '1206', '54586', '1288', '55495', '1364', '1267', '1217', '1307', '1315', '1158', '1155', '55333', '1337', '1198', '60505', '1250', '1230', '1333', '54970', '1341', '54889', '55939', '1357', '1356', '1085', '1164', '1162', '1207', '1159', '62808', '1291', '1351', '1272', '56970', '1366', '1363', '63273']): 1]), ('recv', [LocalAddress: (['tcp'], '(156, 0, 854)', ['1052', '1054', '1055', '1063', '1057', '1050', '1056', '1053', '1051', '1087', '1070', '1090', '1059', '1069', '1049', '1072', '1123', '1044', '1103', '1108', '1112', '1058', '1140', '1062', '1067', '1086', '1239', '1038', '1164', '1097', '1098', '1153', '1064', '1133', '1184', '1202', '63677', '1196', '1115', '1172', '1265', '1076', '1073', '1152', '1231', '1132', '1210', '1211', '1165', '1185', '1199', '1191', '1082', '1249', '1225', '1036', '1037', '1043', '1205', '1042', '1075', '1376', '1061', '58889', '1392', '1232', '1244', '1248', '58061', '1101', '54061', '1365', '1360', '1260', '1264', '1074', '1371', '60020', '1367', '1094', '57939', '1255', '61111', '1224', '1047', '1257', '53152', '61192', '49980', '1060', '58545', '1066', '1384', '1081', '1124', '58242', '64202', '64364', '55980', '59677', '1336', '60808', '57273', '63111', '51636', '1080', '1033', '53192', '1218', '59758', '59717', '49152', '57333', '52364', '53677', '63414', '1040', '54667', '1364', '1368', '1300', '1302', '1309', '50364', '59414', '1372', '51677', '63192', '1093', '62283', '55455', '1083', '1279', '1125', '1127', '51273', '59273', '61636', '1079', '53333', '60283', '59455', '1031', '56020', '52323', '52020', '1107', '1104', '1100', '1048', '51798', '58202', '1111', '1116', '1171', '1271', '1272', '54586', '1285', '55495', '59333', '1282', '64808', '1307', '1301', '1148', '53980', '1222', '1144', '1077', '1071', '1373', '1379', '1317', '1155', '55333', '1156', '1136', 
'1046', '1085', '1321', '1120', '55939', '60505', '1335', '1147', '1135', '1330', '1065', '54970', '1126', '1340', '1341', '1342', '54889', '60727', '1121', '1352', '1357', '1354', '64283', '1149', '1160', '1168', '52505', '1313', '62808', '56970', '63273', '1119', '53111', '1041', '1366', '1363']): 1]), ('socket', [])], '0x97e30ec')
5: ([('MemWrite,socket', []), ('socket', []), ('bind', []), ('MemWrite', [DllName: dnsapi.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, pszName: [array_nt_mb16]: 1, DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\winrnr.dll: 1]), ('closesocket', [])], '0x961612c')
5: ([('NtCreateMutant,RtlInitUnicodeString', [ObjectAttributes: basenamedobjects\global\{7a7e01e9-d602-67fb-b5ee-b06d9812937f}: 1]), ('MapMemRegion', [DllName: oleaut32.dll: 1, ObjectAttributes: hklm\software\microsoft\windows nt\currentversion\msasn1: 1, AtomName: themepropscrollbarctl: 0.677419354839, Filename: c:\windows\system32\wininet.dll: 0.838709677419]), ('LoadLibrary', [DllName: user32.dll: 1]), ('NtOpenEvent,RtlInitUnicodeString,RtlNtStatusToDosError', [ObjectAttributes: basenamedobjects\local\{6599e93a-3ed1-781c-e811-5333c5ed7021}: 1]), ('NtCreateMutant', [ObjectAttributes: basenamedobjects\global\{7a7e01e9-d602-67fb-15e9-b06d3815937f}: 1])], '0xaef9b0c')
5: ([('NtQueueApcThread,RtlQueryInformationActivationContext', []), ('WaitForSingleObject', []), ('CreateEvent,NtCreateEvent', []), ('NtClose', []), ('WaitForMultipleObjects', [])], '0xa6d3d6c')
5: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('CreateEvent', []), ('NtCreateEvent', []), ('WaitForMultipleObjects', []), ('socket', [])], '0xabf662c')
5: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 15)', ['14007', '16803', '29129']): 1]), ('CreateEvent', [])], '0xac3032c')
5: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 7)', ['20871', '20661', '17304']): 1]), ('CreateEvent', [])], '0xafb4a4c')
5: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 7)', ['28233', '28516', '13122', '14929']): 1]), ('CreateEvent', [])], '0xb14ae0c')
5: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 8)', ['13494', '15143', '18856', '13806', '21525']): 1]), ('CreateEvent', [])], '0xaadb90c')
5: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xad968ac')
5: ([('NtWaitForSingleObject,RtlpWaitForCriticalSection', []), ('NtCreateEvent,NtWaitForSingleObject', []), ('NtSetEventBoostPriority,RtlpUnWaitCriticalSection', []), ('NtWaitForSingleObject', []), ('NtSetEventBoostPriority', [])], '0xa68f62c')
5: ([('ReadProcessMemory,memset', []), ('VirtualQuery', []), ('LoadLibrary', [DllName: msvcrt.dll: 1]), ('GetProcAddress', []), ('WriteProcessMemory', [])], '0xab52bcc')
5: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 43)', ['20661', '20871', '26302', '17304', '10841', '27789']): 1]), ('CreateEvent', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 54)', ['20661', '20871', '17304', '26302', '10841', '15866', '29588', '27789']): 1])], '0xb3d00ec')
5: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 46)', ['21741', '21845']): 1]), ('CreateEvent', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 55)', ['21741', '21845']): 1])], '0xb512eac')
5: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 55)', ['29129', '14007', '16803']): 1]), ('CreateEvent', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 66)', ['29129', '14007', '16803']): 1])], '0xaa7108c')
5: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 74)', ['21525', '13806', '13494', '15143', '18856', '24759']): 1]), ('CreateEvent', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 83)', ['21525', '13806', '13494', '15143', '18856', '24759']): 1])], '0xafb63ec')
5: ([('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 86)', ['28233', '10171', '28516', '24892', '13122', '22501', '14929']): 1]), ('CreateEvent', []), ('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 97)', ['28233', '10171', '28516', '24892', '13122', '22501', '14929']): 1])], '0xb14a0ec')
5: ([('send', [LocalAddress: (['tcp'], '(0, 0, 840)', ['1033', '1031', '1032', '1034', '1029', '1037', '1028', '1035', '1030', '1036', '1038', '1039', '1040', '1041', '1045', '1042', '1043', '1048', '1044']): 1]), ('GetProcAddress', []), ('CreateEvent', []), ('LoadLibrary,stricmp', [DllName: advapi32.dll: 1, ObjectAttributes: \registry\machine\system\currentcontrolset\control\session manager: 1]), ('socket', [DllName: hnetcfg.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1])], '0xa84da6c')
5: ([('SetEvent', []), ('WaitForMultipleObjects', []), ('CloseHandle', []), ('WaitForSingleObject', []), ('CreateEvent', [])], '0xae3680c')
5: ([('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('NtDeviceIoControlFile', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 4)', ['20871', '20661']): 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 4)', ['20871', '20661']): 1])], '0xb52f88c')
5: ([('socket', []), ('NtCreateEvent', []), ('WaitForMultipleObjects', []), ('CreateEvent', []), ('NtQueryObject', [])], '0xabf65ac')
5: ([('socket', []), ('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 7)', ['20871', '20661', '17304']): 1]), ('CreateEvent', [])], '0xb4bb8ac')
5: ([('WaitForSingleObject', []), ('CreateEvent', []), ('MapMemRegion,MemWrite', [DllName: c:\windows\system32\mswsock.dll: 0.798387096774, Filename: c:\windows\system32\mswsock.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters: 1, pszName: ics.fivemillionfriends.com: 1, DllName: rasadhlp.dll: 1, ObjectAttributes: c: 0.0295698924731]), ('CloseHandle', []), ('socket', [DllName: hnetcfg.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1])], '0xa84dbec')
6: ([('bind', [DllName: ws2_32.dll: 1]), ('InitializeCriticalSection,startup', []), ('socket', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 4)', ['28233']): 1]), ('listen', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 5)', ['28233']): 1])], '0xb4b976c')
6: ([('CreateRemoteThread', []), ('RtlNtStatusToDosError,RtlTimeFieldsToTime', []), ('RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlTimeFieldsToTime', []), ('OpenMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: basenamedobjects\{a5b35993-9674-43cd-8ac7-5bc5013e617b}: 1]), ('GetSystemTimeAsFileTime', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 248)', ['1028', '1031', '1032', '1030', '1172', '1174', '1178', '1062', '1212', '1177', '1149', '1029', '1183', '1222', '1221', '1211', '1185', '1181', '1166', '1208', '1052', '1176', '1171', '1170', '1041', '1047', '1045', '1048', '1143', '1061', '1063', '1225', '1210', '1168', '1188', '1186', '1180', '1107', '1167', '1204', '1169', '1203', '1050', '1051', '1054', '1055', '1173', '1179', '1043', '1269', '1147', '1145', '1262', '1071', '1155', '1154', '1156', '1150', '1153', '1060', '1065', '1278', '1320', '1080', '1122', '1255', '1251', '1235', '1233', '1240', '1243', '1247', '1348', '1224', '1223', '1220', '1229', '1160', '1161', '1057', '1038', '1033', '1037', '1213', '1215', '1218', '1219', '1189', '1187', '1184', '1182', '1108', '1164', '1209', '1163', '1206', '1201', '1053', '1367', '1058', '1190', '1193', '1192', '1197', '1196', '1111', '1175', '1042', '1040', '1044', '1288', '1191']): 1])], '0x965a7cc')
6: ([('eventselect', []), ('KiUserApcDispatcher', [SubKey: clsid\{8d4b04e1-1331-11d0-81b8-00c04fd85ab4}: 1, ForeignPort: ['80']: 0.428571428571, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}: 1, ValueName: filedirectory: 1, SubKey: treatas: 1, pszName: www.google.com: 0.428571428571, FileName: administrator: 0.571428571429, DllName: userenv.dll: 1, ObjectAttributes: {}: 0.142857142857, ForeignIP: (0, 0, 1): 0.142857142857]), ('connect', [ForeignPort: ['19042', '15218']: 1, ForeignIP: (0, 0, 9): 1]), ('GetProcAddress', []), ('CreateEvent', []), ('socket', [])], '0xafb438c')
6: ([('FindNextFile,RtlInitUnicodeString,RtlUnicodeStringToAnsiString,memmove', []), ('RemoveDirectory,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsj8.tmp\: 1]), ('NtSetInformationFile', []), ('NtQueryDirectoryFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,RtlNtStatusToDosError,memmove', []), ('NtClose', []), ('NtOpenFile', [ObjectAttributes: c:\docume~1\admini~1\locals~1\temp\nsk3.tmp\system.dll: 1])], '0x9edf48c')
6: ([('GetFileSize', []), ('ReadFile', []), ('CreateMutex', [ObjectAttributes: basenamedobjects\local\{774aab35-7cde-6acf-e811-5333c5ed7021}: 1]), ('LoadLibrary', [DllName: user32.dll: 1]), ('CreateFile', [ObjectAttributes: c:\documents and settings\administrator\application data\uwygg\faaf.exe: 1]), ('CloseHandle', [])], '0xb02bb2c')
6: ([('GetTokenInformation', []), ('CreateRemoteThread', []), ('OpenProcessToken', []), ('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('RtlFreeHeap', []), ('GetProcAddress', [])], '0xb029c8c')
6: ([('GetTokenInformation', []), ('RtlAllocateHeap', []), ('OpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('CreateRemoteThread', []), ('RtlFreeHeap', []), ('GetProcAddress', [])], '0xaf955ac')
6: ([('I_RpcSendReceive', []), ('NtFsControlFile,RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb', []), ('MapMemRegion', [DllName: shell32.dll: 1, ObjectAttributes: \registry\user\s-1-5-21-842925246-1425521274-308236825-500_classes: 1, FileName: windows: 0.0833333333333]), ('GetUserName', []), ('NtWaitForSingleObject', []), ('I_RpcGetBuffer', [ObjectAttributes: pipe\samr: 1])], '0x993ebcc')
6: ([('MapMemRegion', [ObjectAttributes: hklm\software\microsoft\ctf\compatibility\_ex-68.exe: 1, ObjectAttributes: basenam: 1, DllName: c:\windows\system32\msctf.dll: 1, Filename: c:\windows\system32\msctf.dll: 1]), ('NtOpenKey,RtlEnterCriticalSection,RtlInitUnicodeString,RtlLeaveCriticalSection,RtlNtStatusToDosError', []), ('GetSystemTimeAsFileTime', []), ('LoadLibrary,stricmp', [DllName: dnsapi.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\tcpip\linkage: 1, Filename: c:\windows\system32\ws2_32.dll: 1]), ('RegOpenKey', [ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500\software\cryer\websitepublisher: 1]), ('NtOpenKey', [ObjectAttributes: hklm\software\microsoft\windows\currentversion\uninstall\kazaalite202_is1: 1, ObjectAttributes: h: 0.0769230769231])], '0xa7406ac')
6: ([('NtCreateIoCompletion', []), ('NtRemoveIoCompletion', []), ('socket', []), ('NtSetInformationFile', []), ('NtClose', []), ('NtSetIoCompletion', [])], '0xa82160c')
6: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtCreateEvent', []), ('InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', []), ('WaitForMultipleObjects', []), ('CreateEvent', []), ('socket', [])], '0xb5307ec')
6: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 8)', ['21845', '21741']): 1]), ('WaitForMultipleObjects', []), ('CreateEvent', [])], '0xb51240c')
6: ([('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast,WaitForMultipleObjects', []), ('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtSetEvent', []), ('NtCreateEvent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['28463', '29336', '11525', '14241']): 1]), ('CreateEvent', [])], '0xad9326c')
6: ([('socket', []), ('CreateThread', []), ('bind', [DllName: ws2_32.dll: 1]), ('InitializeCriticalSection,startup', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 10)', ['28233']): 1]), ('listen', [])], '0xb53020c')
6: ([('socket', []), ('eventselect', []), ('WaitForSingleObject', []), ('setevent', []), ('CreateEvent', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 56)', ['1029', '1032', '1033', '1030', '1031', '1036', '1034', '1035', '1028', '1038', '1039', '1037']): 1])], '0xa86e96c')
6: ([('socket', []), ('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtCreateEvent', []), ('InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 12)', ['14007', '29129']): 1]), ('CreateEvent', [])], '0xac30a0c')
6: ([('socket', []), ('NtWaitForMultipleObjects,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('NtCreateEvent', []), ('InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 8)', ['13494', '15143', '18856', '13806', '21525']): 1]), ('CreateEvent', [])], '0xaddabec')
7: ([('CreateRemoteThread', []), ('RtlNtStatusToDosError,RtlTimeFieldsToTime', []), ('OpenMutex,RtlAnsiStringToUnicodeString,RtlInitAnsiString', [ObjectAttributes: basenamedobjects\{a5b35993-9674-43cd-8ac7-5bc5013e617b}: 1]), ('RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlTimeFieldsToTime', []), ('GetSystemTimeAsFileTime', []), ('GetVersion', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 95)', ['1028', '1031', '1032', '1030', '1224', '1057', '1191', '1039', '1174', '1133', '1179', '1040', '1047', '1046', '1188', '1061', '1049', '1181', '1186', '1135', '1128', '1129', '1222', '1221', '1220', '1204', '1169', '1126', '1372', '1167', '1045', '1147', '1198', '1182', '1107', '1033', '1157', '1176', '1175', '1172', '1316', '1218', '1151', '1178', '1355', '1043', '1068', '1041', '1189', '1044', '1029', '1180', '1104', '1105', '1063']): 1])], '0x96472cc')
7: ([('eventselect', []), ('startup', []), ('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 0.846153846154, ObjectAttributes: \registry\user\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{304ce942-6e39-40d8-943a-b913c40c9cd4}: 1, ValueName: regdbversion: 1, SubKey: treatas: 1, pszName: [array_nt_mb16]: 0.846153846154, FileName: administrator: 0.692307692308, DllName: rasadhlp.dll: 1, ObjectAttributes: {}: 0.923076923077, ForeignIP: (0, 0, 1): 0.0769230769231]), ('socket', []), ('connect', [ForeignPort: ['10063', '29594', '11215', '20628', '19042', '15293']: 1, ForeignIP: (0, 0, 25): 1]), ('GetProcAddress', []), ('CreateEvent', [])], '0xae345ec')
7: ([('GetFileAttributes,RtlDetermineDosPathNameType_U,SetErrorMode,memmove,wcslen', [ObjectAttributes: c:\documents and settings\administrator\application data\microsoft\gb_994781.bat: 1]), ('FindFirstFile', [ObjectAttributes: c:\documents and settings\administrator\application data\microsoft\: 1, FileName: dwmu.exe: 1]), ('NtQueryAttributesFile,RtlDosPathNameToNtPathName_U,RtlFreeHeap', [ObjectAttributes: c:\documents and settings\administrator\application data\dwmu.exe: 1]), ('NtOpenSymbolicLinkObject', [ObjectAttributes: c:: 1]), ('GetCommandLine', []), ('NtQueryInformationFile', []), ('NtQueryAttributesFile,RtlDosPathNameToNtPathName_U,RtlFreeHeap,RtlIsDosDeviceName_U,RtlNtStatusToDosError', [ObjectAttributes: c:\documents and settings\administrator\application data\"c:\documents and settings\administrator\application data\microsoft\gb_994781.bat\": 1])], '0x98565ac')
7: ([('GetTokenInformation', []), ('CreateRemoteThread', []), ('RtlAllocateHeap', []), ('OpenProcessToken', []), ('OpenProcess', [ObjectName: c:\program files\common files\stimulator.exe: 1]), ('RtlFreeHeap', []), ('GetProcAddress', [])], '0xb5d808c')
7: ([('NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', []), ('NtClose', []), ('NtOpenProcess', [ObjectName: c:\windows\explorer.exe: 1]), ('NtFlushInstructionCache,NtProtectVirtualMemory,NtWriteVirtualMemory', []), ('NtQuerySystemInformation', []), ('NtAllocateVirtualMemory', []), ('NtProtectVirtualMemory', [])], '0x97ddc2c')
7: ([('NtQueryInformationToken,RtlNtStatusToDosError,RtlNtStatusToDosErrorNoTeb,RtlSetLastWin32Error', []), ('NtFreeVirtualMemory,RtlEnterCriticalSection,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', []), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('NtAllocateVirtualMemory,RtlEnterCriticalSection,RtlLeaveCriticalSection', []), ('MapMemRegion', [DllName: oleaut32.dll: 1, ObjectAttributes: c:\windows\winsxs\x86_microsoft.windows.common-cont: 1, Filename: c:\windows\system32\wininet.dll: 0.283018867925, AtomName: themepropscrollbarctl: 0.641509433962, ObjectAttributes: hklm: 0.301886792453]), ('NtQueryInformationToken', []), ('GetProcAddress', [])], '0xaada26c')
7: ([('NtSetEvent,SetEvent', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 16)', ['1031', '1032', '1033', '1030', '1029']): 1]), ('NtClearEvent,ResetEvent', []), ('socket', []), ('WaitForSingleObject', []), ('MapMemRegion,MemWrite', [DllName: dnsapi.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, pszName: [array_nt_mb16]: 1, DllName: c:\windows\system32\mswsock.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1]), ('CreateEvent', [])], '0xaa0cf8c')
7: ([('NtSetInformationFile', []), ('ioctlsocket', []), ('closesocket', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 143)', ['1032', '1035', '1029', '1038', '1039', '1050', '1053', '1056', '1030', '1036', '1041', '1047', '1044', '1065', '1059', '1033', '1062', '1066', '1063', '1057', '1357', '1356', '1040']): 1]), ('NtCreateIoCompletion', []), ('recv', [LocalAddress: (['tcp'], '(106, 0, 20)', ['1028', '1031', '1034', '1037', '1039', '1043', '1052', '1040', '1055', '1049', '1030', '1046', '1058', '1066', '1064', '1061', '1063', '1057', '1355', '1038', '1033']): 1]), ('socket', [])], '0xa81af2c')
7: ([('socket', []), ('bind', [DllName: ws2_32.dll: 1]), ('InitializeCriticalSection,startup', []), ('connect', [ForeignPort: ['25888', '24452', '22625', '23748', '26613', '29821', '23143', '25227', '13367']: 1, ForeignIP: (0, 0, 13): 1]), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['21684', '24759']): 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 5)', ['21684', '24759']): 1]), ('listen', [])], '0xae3724c')
8: ([('GetQueuedCompletionStatus', []), ('CreateIoCompletionPort', []), ('GetQueuedCompletionStatus,RtlGetLastWin32Error,RtlSetLastWin32Error', []), ('PostQueuedCompletionStatus', []), ('CloseHandle', []), ('setlasterror,socket', [ObjectAttributes: \device\afd\endpoint: 1]), ('GetQueuedCompletionStatus,RtlGetLastWin32Error,RtlLeaveCriticalSection,RtlSetLastWin32Error', []), ('InterlockedExchange,InterlockedExchangeAdd,PostQueuedCompletionStatus', [])], '0xa68c0ec')
8: ([('socket', []), ('NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlAllocateHeap,RtlDeactivateActivationContextUnsafeFast', []), ('MapMemRegion,MemWrite,startup', [ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries\000000000013: 1, ValueName: serial_access_num: 1]), ('MemWrite', [ObjectAttributes: hklm\system\currentcontrolset\services\winsock\parameters: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\mswsock.dll: 1]), ('GetProcAddress', []), ('InterlockedCompareExchange', []), ('NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('MapMemRegion,MemWrite,socket', [])], '0xa81bdcc')
9: ([('CreateEvent', []), ('send', [LocalAddress: (['tcp'], '(0, 0, 455)', ['1028', '1030', '1029', '1031', '1038', '1040', '1041', '1039', '1032', '1043', '1042', '1036', '1034', '1035']): 1]), ('WaitForSingleObject', []), ('MapMemRegion,MemWrite', [DllName: dnsapi.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock2\parameters: 1, pszName: cfgi.fivemillionfriends.com: 1, DllName: c:\windows\system32\mswsock.dll: 0.939393939394, Filename: c:\windows\system32\mswsock.dll: 1]), ('NtClearEvent,ResetEvent', []), ('CloseHandle', []), ('NtSetEvent,SetEvent', []), ('NtWaitForSingleObject,RtlActivateActivationContextUnsafeFast,RtlDeactivateActivationContextUnsafeFast', []), ('socket', [DllName: hnetcfg.dll: 1, ObjectAttributes: hklm\system\currentcontrolset\services\winsock\parameters: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1])], '0xaa1ae4c')
9: ([('CreateThread', []), ('bind', [DllName: ws2_32.dll: 1]), ('eventselect', []), ('InitializeCriticalSection,startup', []), ('addresstostring', [SubKey: system\currentcontrolset\services\tcpip\parameters\winsock: 1, DllName: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1, ObjectAttributes: hklm\software\microsoft\rpc\securityservice: 1, ValueName: helperdllname: 1, ModuleName: nspr4.dll: 1, DllName: hnetcfg.dll: 0.714285714286]), ('createevent', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 7)', ['28233']): 1]), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 8)', ['28233']): 1]), ('socket', [])], '0xb3cf7ec')
9: ([('enumnetworkevents', []), ('CreateEvent', []), ('bind', [DllName: ws2_32.dll: 1]), ('eventselect', []), ('startup', []), ('recv,recvfrom', [LocalAddress: (['udp'], '(0, 0, 5)', ['23917']): 1]), ('listen', []), ('send,sendto', [LocalAddress: (['udp'], '(0, 0, 6)', ['23917']): 1]), ('socket', [])], '0xadde62c')
9: ([('listen', []), ('socket', []), ('LdrGetDllHandle', [ObjectAttributes: c:\windows\system32\wshtcpip.dll: 1, Filename: c:\windows\system32\wshtcpip.dll: 1]), ('bind', [DllName: ws2_32.dll: 1]), ('startup', []), ('KiUserApcDispatcher', [SubKey: software\policies\microsoft\system\dnsclient: 1, ForeignPort: ['80']: 0.4, ObjectAttributes: hku\s-1-5-21-842925246-1425521274-308236825-500_classes\clsid\{0ca545c6-37ad-4a6c-bf92-9f7610067ef5}: 1, ValueName: defaultuserprofile: 0.8, SubKey: treatas: 1, pszName: [array_nt_mb16]: 0.4, DllName: rasadhlp.dll: 1, ObjectAttributes: {}: 0.4, ForeignIP: (0, 0, 1): 0.2]), ('connect', [ForeignPort: ['15293', '19042', '15218', '13066', '26213', '16370']: 1, ForeignIP: (0, 0, 12): 1]), ('RtlAcquirePebLock,RtlAllocateHeap,RtlDetermineDosPathNameType_U,RtlReleasePebLock,memmove', [ObjectAttributes: c:\windows\system32\mswsock.dll: 1]), ('RegCloseKey,RegOpenKey,RegQueryValue', [SubKey: system\currentcontrolset\services\sharedaccess\parameters\fi...: 1, ObjectAttributes: hklm\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile: 1, ValueName: disablenotifications: 1])], '0xafb4aec')
9: ([('WaitForSingleObject', []), ('InterlockedDecrement,NtDeviceIoControlFile,RtlEnterCriticalSection,RtlLeaveCriticalSection,WahReferenceContextByHandle', []), ('CreateEvent', []), ('MapMemRegion,MemWrite', [DllName: c:\windows\system32\mswsock.dll: 0.989547038328, Filename: c:\windows\system32\dnsapi.dll: 1, ObjectAttributes: c:\windows\system32\mswsock.dll: 1, pszName: ics.fivemillionfriends.com: 1, Filename: c:: 0.00348432055749, DllName: dnsapi.dll: 1]), ('NtClearEvent,ResetEvent', []), ('CloseHandle', []), ('recv', [LocalAddress: (['tcp'], '(0, 0, 693)', ['1033', '1031', '1032', '1034', '1037', '1035', '1029', '1030', '1028', '1038', '1036', '1039', '1040', '1041', '1042', '1043', '1048', '1045', '1044']): 1]), ('socket', []), ('NtSetEvent,SetEvent', [])], '0xaa108ec')
10: ([('enumnetworkevents', []), ('eventselect', []), ('InitializeCriticalSection,startup', []), ('ioctl', []), ('socket', [ObjectAttributes: \device\afd\endpoint: 1]), ('connect', [ForeignPort: ['12399', '12179', '11305', '29821']: 1, ForeignIP: (0, 0, 9): 1]), ('shutdown', []), ('GetProcAddress', []), ('InterlockedDecrement,NtDeviceIoControlFile,TlsGetValue,WahReferenceContextByHandle,send', [LocalAddress: (['tcp'], '(0, 0, 7)', ['1028', '1040', '1046', '1029', '1032', '1035']): 1]), ('createevent', [])], '0xb532b8c')
11: ([('NtDuplicateObject', []), ('NtFreeVirtualMemory,RtlEnterCriticalSection,RtlGetNtGlobalFlags,RtlLeaveCriticalSection', []), ('NtOpenProcess', [ObjectName: c:\windows\system32\wscntfy.exe: 1]), ('NtCreateEvent', [ObjectAttributes: {}: 1]), ('NtClose', []), ('NtFlushInstructionCache,NtProtectVirtualMemory,NtWriteVirtualMemory', []), ('NtAllocateVirtualMemory', []), ('GetProcAddress', []), ('NtWriteVirtualMemory', []), ('NtProtectVirtualMemory', []), ('NtFlushInstructionCache', [])], '0xaba570c')