___ __ _ + /- / | ____ __ __/ /_ (_)____ -\ + /s h- / /| | / __ \/ / / / __ \/ / ___/ -h s\ oh-:d/ / ___ |/ / / / /_/ / /_/ / (__ ) /d:-ho shh+hy- /_/ |_/_/ /_/\__,_/_.___/_/____/ -yh+hhs -:+hhdhyys/- -\syyhdhh+:- -//////dhhhhhddhhyss- Analysis Report -ssyhhddhhhhhd\\\\\\- /++/////oydddddhhyys/ ooooooooooooooooooooo \syyhhdddddyo\\\\\++\ -+++///////odh/- -+hdo\\\\\\\+++- +++++++++//yy+/: :\+yy\\+++++++++ /+soss+sys//yyo/os++o+: :+o++so\oyy\\sys+ssos+\ +oyyyys++o/+yss/+/oyyyy: :yyyyo\+\ssy+\o++syyyyo+ +oyyyyyyso+os/o/+yyyyyy/ \yyyyyy+\o\so+osyyyyyyo+ [#############################################################################] Analysis Report for ZeuS_binary_patched MD5: db688e2ca09742632442404a6d99f6ed [#############################################################################] Summary: - Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. - Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. - Creates files in the Windows system directory: Malware often keepscopies of itself in the Windows directory to stay undetected by users. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - ZeuS_binary_patched a) Registry Activities b) File Activities c) Process Activities - winlogon.exe a) Registry Activities b) File Activities c) Process Activities - svchost.exe a) Registry Activities b) File Activities c) Process Activities - System - services.exe a) Registry Activities b) File Activities - lsass.exe a) Registry Activities b) File Activities - svchost.exe a) Registry Activities b) File Activities - svchost.exe a) Registry Activities b) File Activities - svchost.exe a) Registry Activities b) File Activities - svchost.exe a) Registry Activities b) File Activities - spoolsv.exe [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 241 s Report created: 03/30/10, 15:38:03 UTC Termination reason: Timeout Program version: 1.74.2681 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ rapesleed.in ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ] [#############################################################################] 2. ZeuS_binary_patched [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: ZeuS_binary_patched MD5: db688e2ca09742632442404a6d99f6ed SHA-1: 75770e2fa554781b2b4d8032340e1361bc74e02d File Size: 133120 Bytes Command Line: "C:\ZeuS_binary_patched" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] [=============================================================================] 2.a) ZeuS_binary_patched - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\software\microsoft\windows nt\currentversion\winlogon ], Value Name: [ userinit ], New Value: [ C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\microsoft ], Value Name: [ ], New Value: [ 1 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\software\microsoft\windows nt\currentversion\winlogon ], Value Name: [ userinit ], Value: [ C:\WINDOWS\system32\userinit.exe, ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time [=============================================================================] 2.b) ZeuS_binary_patched - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\sdra64.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\sdra64.exe ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 10 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\ZeuS_binary_patched ] [=============================================================================] 2.c) ZeuS_binary_patched - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\winlogon.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\winlogon.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\winlogon.exe ] [#############################################################################] 3. winlogon.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: ZeuS_binary_patched wrote to the virtual memory of this process Filename: winlogon.exe Command Line: winlogon.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\NDdeApi.dll ], Base Address: [0x75940000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\PROFMAP.dll ], Base Address: [0x75930000 ], Size: [0x0000A000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\REGAPI.dll ], Base Address: [0x76BC0000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\MSGINA.dll ], Base Address: [0x75970000 ], Size: [0x000F8000 ] Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\ODBC32.dll ], Base Address: [0x74320000 ], Size: [0x0003D000 ] Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\odbcint.dll ], Base Address: [0x00930000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\SHSVCS.dll ], Base Address: [0x776E0000 ], Size: [0x00023000 ] Module Name: [ C:\WINDOWS\system32\sfc.dll ], Base Address: [0x76BB0000 ], Size: [0x00005000 ] Module Name: [ C:\WINDOWS\system32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\WINSCARD.DLL ], Base Address: [0x723D0000 ], Size: [0x0001C000 ] Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\uxtheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\system32\cscdll.dll ], Base Address: [0x76600000 ], Size: [0x0001D000 ] Module Name: [ C:\WINDOWS\System32\dimsntfy.dll ], Base Address: [0x47020000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WlNotify.dll ], Base Address: [0x75950000 ], Size: [0x0001A000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\sxs.dll ], Base Address: [0x7E720000 ], Size: [0x000B0000 ] Module Name: [ C:\WINDOWS\system32\msv1_0.dll ], Base Address: [0x77C70000 ], Size: [0x00024000 ] Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\system32\wldap32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\cscui.dll ], Base Address: [0x77A20000 ], Size: [0x00054000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x016E0000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] [=============================================================================] 3.a) winlogon.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\software\microsoft\windows nt\currentversion\winlogon ], Value Name: [ userinit ], Value: [ C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe, ], 440 times [=============================================================================] 3.b) winlogon.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\lowsec ] File Name: [ C:\WINDOWS\system32\lowsec\local.ds ] File Name: [ C:\WINDOWS\system32\lowsec\user.ds ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directories Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directory: [ C:\WINDOWS\system32\lowsec ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 38 times File: [ pipe\_AVIRA_2109 ], Control Code: [ 0x00110004 ], 4 times File: [ pipe\_AVIRA_2109 ], Control Code: [ 0x00110008 ], 3 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\WININET.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directories Monitored: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directory: [ C:\WINDOWS\system32 ], Watch subtree: [ 0 ], Notify FilterFile Name Change,Directory Name Change,Name Change,Size Change,Last Write Change,Creation Change,Stream Size Change,Stream Write Change ], 1 time Directory: [ C:\WINDOWS ], Watch subtree: [ 0 ], Notify FilterFile Name Change,Directory Name Change,Name Change,Size Change,Last Write Change,Creation Change,Stream Size Change,Stream Write Change ], 1 time [=============================================================================] 3.c) winlogon.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\svchost.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\svchost.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\svchost.exe ] [#############################################################################] 4. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: winlogon.exe wrote to the virtual memory of this process Filename: svchost.exe Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ c:\windows\system32\rpcss.dll ], Base Address: [0x76A80000 ], Size: [0x00064000 ] Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x005F0000 ], Size: [0x002C5000 ] Module Name: [ c:\windows\system32\termsrv.dll ], Base Address: [0x760F0000 ], Size: [0x00053000 ] Module Name: [ c:\windows\system32\ICAAPI.dll ], Base Address: [0x74F70000 ], Size: [0x00006000 ] Module Name: [ c:\windows\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ c:\windows\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ c:\windows\system32\mstlsapi.dll ], Base Address: [0x75110000 ], Size: [0x0001F000 ] Module Name: [ c:\windows\system32\ACTIVEDS.dll ], Base Address: [0x77CC0000 ], Size: [0x00032000 ] Module Name: [ c:\windows\system32\adsldpc.dll ], Base Address: [0x76E10000 ], Size: [0x00025000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ c:\windows\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\REGAPI.dll ], Base Address: [0x76BC0000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\wsock32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\sensapi.dll ], Base Address: [0x722B0000 ], Size: [0x00005000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\rasman.dll ], Base Address: [0x76E90000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\TAPI32.dll ], Base Address: [0x76EB0000 ], Size: [0x0002F000 ] Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ], Base Address: [0x76EE0000 ], Size: [0x0003C000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] [=============================================================================] 4.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Directory ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Paths ], New Value: [ 4 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CachePath ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CachePath ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CachePath ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CachePath ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ] Key: [ HKLM\software\microsoft\windows nt\currentversion\network ], Value Name: [ UID ], New Value: [ pc1_7875768F3D3DB1CC ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Cookies ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ History ], New Value: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\History ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ IntranetName ], New Value: [ 1 ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ ProxyBypass ], New Value: [ 1 ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ UNCAsIntranet ], New Value: [ 1 ] Key: [ HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0 ] Key: [ HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ SavedLegacySettings ], New Value: [ 0x3c0000000500000001000000000000000000000000000000040000000000 ] Key: [ HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} ], Value Name: [ {3039636B-5F3D-6C64-6675-696870667265} ], New Value: [ 0xf709f20d ] Key: [ HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} ], Value Name: [ {33373039-3132-3864-6B30-303233343434} ], New Value: [ 0xf709f20d ] Key: [ HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} ], Value Name: [ {6E633338-267E-2A79-6830-386668666866} ], New Value: [ 0xf709f20d ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON ], Value Name: [ AllowMultipleTSSessions ], Value: [ 1 ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001 ], Value Name: [ Name ], Value: [ Microsoft Strong Cryptographic Provider ], 36 times Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ], Value Name: [ Image Path ], Value: [ rsaenh.dll ], 36 times Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ], Value Name: [ Type ], Value: [ 1 ], 9 times Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ DigitalProductId ], Value: [ 0xa40000000300000037363438372d3634302d313435373233362d32333833 ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ InstallDate ], Value: [ 1212451221 ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ], Value Name: [ SV1 ], Value: [ ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens ], Value Name: [ ], Value: [ ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens ], Value Name: [ MSN 2.0 ], Value: [ ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\UA Tokens ], Value Name: [ MSN 2.5 ], Value: [ ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile ], Value Name: [ EnableFirewall ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Classes\\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\hnetcfg.dll ], 1 time Key: [ HKLM\Software\Classes\\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 2 times Key: [ HKLM\Software\Microsoft\Cryptography ], Value Name: [ MachineGuid ], Value: [ 4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ], 36 times Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 3 times Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ User Agent ], Value: [ Mozilla/4.0 (compatible; MSIE 6.0; Win32) ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CachePrefix ], Value: [ ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CacheOptions ], Value: [ 11 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012008060220080603\ ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CachePrefix ], Value: [ :2008060220080603: ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CacheRepair ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ IntranetName ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ ProxyBypass ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ ], Value Name: [ http ], Value: [ 3 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 ], Value Name: [ Flags ], Value: [ 33 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 ], Value Name: [ Flags ], Value: [ 219 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 ], Value Name: [ Flags ], Value: [ 71 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], Value Name: [ 1A10 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], Value Name: [ Flags ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 ], Value Name: [ Flags ], Value: [ 3 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ DefaultConnectionSettings ], Value: [ 0x3c0000000200000001000000000000000000000000000000040000000000 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ SavedLegacySettings ], Value: [ 0x3c0000000400000009000000000000000000000000000000000000000000 ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON ], Watch subtree: [ 1 ], Notify Filter: [ Value Change ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\NAMESPACE_CATALOG5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time Key: [ HKLM\Software\Classes ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times Key: [ HKLM\Software\Classes\CLSID ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time Key: [ HKU ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times [=============================================================================] 4.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ pipe\_AVIRA_2108 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2108 ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2108 ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 10 times File: [ pipe\_AVIRA_2108 ], Control Code: [ 0x00110004 ], 10 times File: [ pipe\_AVIRA_2108 ], Control Code: [ 0x00110008 ], 9 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\mswsock.dll ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ] File Name: [ C:\WINDOWS\system32\TAPI32.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\hnetcfg.dll ] File Name: [ C:\WINDOWS\system32\rasman.dll ] File Name: [ C:\WINDOWS\system32\rtutils.dll ] File Name: [ C:\WINDOWS\system32\sensapi.dll ] File Name: [ C:\WINDOWS\system32\urlmon.dll ] File Name: [ C:\WINDOWS\system32\wsock32.dll ] File Name: [ C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat ] File Name: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat ] File Name: [ C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat ] [=============================================================================] 4.c) svchost.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\WINDOWS\system32\services.exe ] Affected Process: [ C:\WINDOWS\system32\lsass.exe ] Affected Process: [ C:\WINDOWS\system32\svchost.exe ] Affected Process: [ C:\WINDOWS\system32\svchost.exe ] Affected Process: [ C:\WINDOWS\system32\svchost.exe ] Affected Process: [ C:\WINDOWS\system32\svchost.exe ] Affected Process: [ C:\WINDOWS\system32\spoolsv.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ ] Process: [ C:\WINDOWS\system32\lsass.exe ] Process: [ C:\WINDOWS\system32\services.exe ] Process: [ C:\WINDOWS\system32\spoolsv.exe ] Process: [ C:\WINDOWS\system32\svchost.exe ] [#############################################################################] 5. System [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: System Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] [#############################################################################] 6. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\pstorec.dll ], Base Address: [0x5E0C0000 ], Size: [0x0000D000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] [=============================================================================] 6.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Directory ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Paths ], New Value: [ 4 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CacheLimit ], New Value: [ 40852 ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], Value Name: [ ParseAutoexec ], New Value: [ 1 ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\LocalService\Application Data ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\LocalService\Cookies ] Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ History ], New Value: [ C:\Documents and Settings\LocalService\Local Settings\History ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001 ], Value Name: [ Name ], Value: [ Microsoft Strong Cryptographic Provider ], 4 times Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ], Value Name: [ Image Path ], Value: [ rsaenh.dll ], 4 times Key: [ HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider ], Value Name: [ Type ], Value: [ 1 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Cryptography ], Value Name: [ MachineGuid ], Value: [ 4604e8cc-5b9c-4ffb-a374-a62e6d0494fc ], 4 times Key: [ HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16 ], Value Name: [ Dll ], Value: [ cryptnet.dll ], 1 time Key: [ HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16 ], Value Name: [ FuncName ], Value: [ LdapProvOpenStore ], 1 time Key: [ HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap ], Value Name: [ Dll ], Value: [ cryptnet.dll ], 1 time Key: [ HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap ], Value Name: [ FuncName ], Value: [ LdapProvOpenStore ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ AllUsersProfile ], Value: [ All Users ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ DefaultUserProfile ], Value: [ Default User ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18 ], Value Name: [ ProfileImagePath ], Value: [ %systemroot%\system32\config\systemprofile ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ OS ], Value: [ Windows_NT ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PATHEXT ], Value: [ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ windir ], Value: [ %SystemRoot% ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ DependOnService ], Value: [ 0x5200700063005300730000000000 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ DisplayName ], Value: [ Protected Storage ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ ErrorControl ], Value: [ 1 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ ImagePath ], Value: [ %SystemRoot%\system32\lsass.exe ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ ObjectName ], Value: [ LocalSystem ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ Start ], Value: [ 2 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\ProtectedStorage ], Value Name: [ Type ], Value: [ 288 ], 2 times Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\software\microsoft\windows nt\currentversion\network ], Value Name: [ UID ], Value: [ pc1_7875768F3D3DB1CC ], 1 time Key: [ HKU\S-1-5-18\Environment ], Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 2 times Key: [ HKU\S-1-5-18\Environment ], Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], Value Name: [ ParseAutoexec ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CachePrefix ], Value: [ ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CacheOptions ], Value: [ 11 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012008060220080603\ ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CachePrefix ], Value: [ :2008060220080603: ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008060220080603 ], Value Name: [ CacheRepair ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times Key: [ HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 1 time Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time [=============================================================================] 6.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\rsaenh.dll ] File Name: [ PIPE\lsarpc ] File Name: [ c:\autoexec.bat ] File Name: [ pipe\_AVIRA_2108 ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\lowsec\user.ds ] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2108 ] File Name: [ pipe\_AVIRA_2109 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 14 times File: [ \DosDevices\pipe\ ], Control Code: [ 0x00110018 ], 5 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\ATL.DLL ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\pstorec.dll ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\WINDOWS\system32\rsaenh.dll ] [#############################################################################] 7. lsass.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: lsass.exe MD5: bf2466b3e18e970d8a976fb95fc1ca85 SHA-1: de5a73cbb5f51f64c53fb4277ef2c23e70db123f File Size: 13312 Bytes Command Line: C:\WINDOWS\system32\lsass.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\LSASRV.dll ], Base Address: [0x75730000 ], Size: [0x000B5000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\SAMSRV.dll ], Base Address: [0x74440000 ], Size: [0x0006A000 ] Module Name: [ C:\WINDOWS\system32\cryptdll.dll ], Base Address: [0x76790000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\msprivs.dll ], Base Address: [0x4D200000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\kerberos.dll ], Base Address: [0x71CF0000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\msv1_0.dll ], Base Address: [0x77C70000 ], Size: [0x00024000 ] Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\system32\netlogon.dll ], Base Address: [0x744B0000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\w32time.dll ], Base Address: [0x767C0000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\schannel.dll ], Base Address: [0x767F0000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\wdigest.dll ], Base Address: [0x74380000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\setupapi.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\scecli.dll ], Base Address: [0x74410000 ], Size: [0x0002F000 ] Module Name: [ C:\WINDOWS\system32\ipsecsvc.dll ], Base Address: [0x743E0000 ], Size: [0x0002F000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\oakley.DLL ], Base Address: [0x75D90000 ], Size: [0x000D0000 ] Module Name: [ C:\WINDOWS\system32\WINIPSEC.DLL ], Base Address: [0x74370000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\dssenh.dll ], Base Address: [0x68100000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\pstorsvc.dll ], Base Address: [0x743A0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\psbase.dll ], Base Address: [0x743C0000 ], Size: [0x0001B000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] [=============================================================================] 7.a) lsass.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Protected Storage System Provider ] Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-18 ] Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-18\Data 2 ] Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-18\Data 2\Windows ] Key: [ HKU\S-1-5-20\SOFTWARE\Microsoft\Protected Storage System Provider ] Key: [ HKU\S-1-5-20\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-20 ] Key: [ HKU\S-1-5-20\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-20\Data 2 ] Key: [ HKU\S-1-5-20\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-20\Data 2\Windows ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-18 ], Value Name: [ Migrate ], New Value: [ 2 ] Key: [ HKU\S-1-5-18\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-18\Data 2\Windows ], Value Name: [ Value ], New Value: [ 0x010000001c00000003000000ec10f305ef5fa8ea05a9dbaaf6eeaa6a1a53 ] Key: [ HKU\S-1-5-20\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-20 ], Value Name: [ Migrate ], New Value: [ 2 ] Key: [ HKU\S-1-5-20\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-20\Data 2\Windows ], Value Name: [ Value ], New Value: [ 0x010000001c0000000300000089c3b14539cc8b6d9f4db04059d8920d515b ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SAM\SAM\DOMAINS\Account\Users\Names\Administrator ], Value Name: [ ], Value: [ ], 1 time Key: [ HKLM\SECURITY\Policy\SecDesc ], Value Name: [ ], Value: [ 0x0100048098000000a8000000000000001400000002008400060000000100 ], 15 times Key: [ HKLM\software\microsoft\windows nt\currentversion\network ], Value Name: [ UID ], Value: [ pc1_7875768F3D3DB1CC ], 1 time [=============================================================================] 7.b) lsass.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsass ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\lsass, Flags: Named pipe ] File Name: [ PIPE\lsarpc ] File Name: [ PIPE\lsass ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\lsass, Flags: Named pipe ] File Name: [ PIPE\lsarpc ] File Name: [ PIPE\lsass ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsass ], Control Code: [ 0x00110008 ], 6 times File: [ C:\lsass, Flags: Named pipe ], Control Code: [ 0x00110024 ], 7 times File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times File: [ C:\lsass, Flags: Named pipe ], Control Code: [ 0x0011001C ], 27 times File: [ PIPE\lsass ], Control Code: [ 0x00110024 ], 15 times File: [ PIPE\lsass ], Control Code: [ 0x0011001C ], 41 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\WININET.dll ] [#############################################################################] 8. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: svchost.exe Command Line: C:\WINDOWS\system32\svchost -k rpcss Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ c:\windows\system32\rpcss.dll ], Base Address: [0x76A80000 ], Size: [0x00064000 ] Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x005F0000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\pstorec.dll ], Base Address: [0x5E0C0000 ], Size: [0x0000D000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] [=============================================================================] 8.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\NetworkService\Application Data ] Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files ] Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\NetworkService\Cookies ] Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ History ], New Value: [ C:\Documents and Settings\NetworkService\Local Settings\History ] Key: [ HKU\S-1-5-20\software\microsoft\windows nt\currentversion\network ], Value Name: [ UID ], New Value: [ pc1_7875768F3D3DB1CC ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\AppID\{1BE1F766-5536-11D1-B726-00C04FB926AF} ], Value Name: [ LaunchPermission ], Value: [ 0x010004807000000080000000000000001400000002005c00040000000000 ], 5 times Key: [ HKLM\SOFTWARE\CLASSES\AppID\{1BE1F766-5536-11D1-B726-00C04FB926AF} ], Value Name: [ LocalService ], Value: [ EventSystem ], 5 times Key: [ HKLM\SOFTWARE\CLASSES\\AppID\{1BE1F766-5536-11D1-B726-00C04FB926AF} ], Value Name: [ LocalService ], Value: [ EventSystem ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{1BE1F766-5536-11D1-B726-00C04FB926AF} ], Value Name: [ AppID ], Value: [ {1BE1F766-5536-11D1-B726-00C04FB926AF} ], 2 times Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ DigitalProductId ], Value: [ 0xa40000000300000037363438372d3634302d313435373233362d32333833 ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ], Value Name: [ InstallDate ], Value: [ 1212451221 ], 1 time Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CachePrefix ], Value: [ ], 2 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time [=============================================================================] 8.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2108 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] File Name: [ pipe\_AVIRA_2108 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\ATL.DLL ] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\pstorec.dll ] File Name: [ C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat ] [#############################################################################] 9. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: svchost.exe Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\System32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\System32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\System32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\System32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\System32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\System32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\System32\xpsp2res.dll ], Base Address: [0x005B0000 ], Size: [0x002C5000 ] Module Name: [ c:\windows\system32\shsvcs.dll ], Base Address: [0x776E0000 ], Size: [0x00023000 ] Module Name: [ C:\WINDOWS\System32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\System32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ c:\windows\system32\dhcpcsvc.dll ], Base Address: [0x7D4B0000 ], Size: [0x00022000 ] Module Name: [ c:\windows\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ c:\windows\system32\wzcsvc.dll ], Base Address: [0x7DB10000 ], Size: [0x0008C000 ] Module Name: [ c:\windows\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ] Module Name: [ c:\windows\system32\WMI.dll ], Base Address: [0x76D30000 ], Size: [0x00004000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ c:\windows\system32\EapolQec.dll ], Base Address: [0x72810000 ], Size: [0x0000B000 ] Module Name: [ c:\windows\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ] Module Name: [ c:\windows\system32\QUtil.dll ], Base Address: [0x726C0000 ], Size: [0x00016000 ] Module Name: [ c:\windows\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ c:\windows\system32\dot3api.dll ], Base Address: [0x478C0000 ], Size: [0x0000A000 ] Module Name: [ c:\windows\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\ESENT.dll ], Base Address: [0x606B0000 ], Size: [0x0010D000 ] Module Name: [ C:\WINDOWS\System32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\System32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\System32\rastls.dll ], Base Address: [0x76B70000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ], Base Address: [0x754D0000 ], Size: [0x00080000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\System32\MPRAPI.dll ], Base Address: [0x76D40000 ], Size: [0x00018000 ] Module Name: [ C:\WINDOWS\System32\ACTIVEDS.dll ], Base Address: [0x77CC0000 ], Size: [0x00032000 ] Module Name: [ C:\WINDOWS\System32\adsldpc.dll ], Base Address: [0x76E10000 ], Size: [0x00025000 ] Module Name: [ C:\WINDOWS\System32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\System32\RASAPI32.dll ], Base Address: [0x76EE0000 ], Size: [0x0003C000 ] Module Name: [ C:\WINDOWS\System32\rasman.dll ], Base Address: [0x76E90000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\System32\TAPI32.dll ], Base Address: [0x76EB0000 ], Size: [0x0002F000 ] Module Name: [ C:\WINDOWS\System32\SCHANNEL.dll ], Base Address: [0x767F0000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\System32\WinSCard.dll ], Base Address: [0x723D0000 ], Size: [0x0001C000 ] Module Name: [ C:\WINDOWS\System32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\System32\raschap.dll ], Base Address: [0x76BD0000 ], Size: [0x00016000 ] Module Name: [ C:\WINDOWS\system32\msv1_0.dll ], Base Address: [0x77C70000 ], Size: [0x00024000 ] Module Name: [ c:\windows\system32\schedsvc.dll ], Base Address: [0x77300000 ], Size: [0x00033000 ] Module Name: [ c:\windows\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\System32\MSIDLE.DLL ], Base Address: [0x74F50000 ], Size: [0x00005000 ] Module Name: [ c:\windows\system32\audiosrv.dll ], Base Address: [0x708B0000 ], Size: [0x0000D000 ] Module Name: [ c:\windows\system32\wkssvc.dll ], Base Address: [0x76E40000 ], Size: [0x00023000 ] Module Name: [ c:\windows\system32\qmgr.dll ], Base Address: [0x5B9F0000 ], Size: [0x0006B000 ] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ c:\windows\system32\SHFOLDER.dll ], Base Address: [0x76780000 ], Size: [0x00009000 ] Module Name: [ c:\windows\system32\WINHTTP.dll ], Base Address: [0x4D4F0000 ], Size: [0x00059000 ] Module Name: [ c:\windows\system32\wuauserv.dll ], Base Address: [0x50000000 ], Size: [0x00005000 ] Module Name: [ c:\windows\system32\wbem\wmisvc.dll ], Base Address: [0x59490000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\VSSAPI.DLL ], Base Address: [0x753E0000 ], Size: [0x0006D000 ] Module Name: [ c:\windows\system32\w32time.dll ], Base Address: [0x767C0000 ], Size: [0x0002C000 ] Module Name: [ c:\windows\system32\trkwks.dll ], Base Address: [0x75070000 ], Size: [0x00019000 ] Module Name: [ c:\windows\system32\srsvc.dll ], Base Address: [0x751A0000 ], Size: [0x0002E000 ] Module Name: [ c:\windows\system32\POWRPROF.dll ], Base Address: [0x74AD0000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\seclogon.dll ], Base Address: [0x73D20000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\netman.dll ], Base Address: [0x77D00000 ], Size: [0x00033000 ] Module Name: [ c:\windows\system32\netshell.dll ], Base Address: [0x76400000 ], Size: [0x001A5000 ] Module Name: [ c:\windows\system32\credui.dll ], Base Address: [0x76C00000 ], Size: [0x0002E000 ] Module Name: [ c:\windows\system32\dot3dlg.dll ], Base Address: [0x736D0000 ], Size: [0x00006000 ] Module Name: [ c:\windows\system32\OneX.DLL ], Base Address: [0x5DCA0000 ], Size: [0x00028000 ] Module Name: [ c:\windows\system32\eappcfg.dll ], Base Address: [0x745B0000 ], Size: [0x00022000 ] Module Name: [ c:\windows\system32\eappprxy.dll ], Base Address: [0x5DCD0000 ], Size: [0x0000E000 ] Module Name: [ c:\windows\system32\WZCSAPI.DLL ], Base Address: [0x73030000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\wuaueng.dll ], Base Address: [0x50040000 ], Size: [0x001AB000 ] Module Name: [ C:\WINDOWS\System32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\System32\Cabinet.dll ], Base Address: [0x75150000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\System32\mspatcha.dll ], Base Address: [0x600A0000 ], Size: [0x0000B000 ] Module Name: [ c:\windows\system32\srvsvc.dll ], Base Address: [0x75090000 ], Size: [0x0001A000 ] Module Name: [ c:\windows\pchealth\helpctr\binaries\pchsvc.dll ], Base Address: [0x74F40000 ], Size: [0x0000C000 ] Module Name: [ c:\windows\system32\es.dll ], Base Address: [0x77710000 ], Size: [0x00042000 ] Module Name: [ c:\windows\system32\ersvc.dll ], Base Address: [0x74F80000 ], Size: [0x00009000 ] Module Name: [ c:\windows\system32\dmserver.dll ], Base Address: [0x74F90000 ], Size: [0x00009000 ] Module Name: [ c:\windows\system32\cryptsvc.dll ], Base Address: [0x76CE0000 ], Size: [0x00012000 ] Module Name: [ c:\windows\system32\certcli.dll ], Base Address: [0x77B90000 ], Size: [0x00032000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\wscsvc.dll ], Base Address: [0x4C0A0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\msi.dll ], Base Address: [0x7D1E0000 ], Size: [0x002BC000 ] Module Name: [ c:\windows\system32\sens.dll ], Base Address: [0x722D0000 ], Size: [0x0000D000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\System32\sfc.dll ], Base Address: [0x76BB0000 ], Size: [0x00005000 ] Module Name: [ C:\WINDOWS\System32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ] Module Name: [ c:\windows\system32\browser.dll ], Base Address: [0x76DA0000 ], Size: [0x00016000 ] Module Name: [ C:\WINDOWS\system32\wbem\wbemcomn.dll ], Base Address: [0x75290000 ], Size: [0x00037000 ] Module Name: [ C:\WINDOWS\System32\Wbem\wbemcore.dll ], Base Address: [0x762C0000 ], Size: [0x00085000 ] Module Name: [ C:\WINDOWS\System32\Wbem\esscli.dll ], Base Address: [0x75310000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\Wbem\FastProx.dll ], Base Address: [0x75690000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\System32\SXS.DLL ], Base Address: [0x7E720000 ], Size: [0x000B0000 ] Module Name: [ C:\WINDOWS\system32\wbem\wmiutils.dll ], Base Address: [0x75020000 ], Size: [0x0001B000 ] Module Name: [ C:\WINDOWS\system32\wbem\repdrvfs.dll ], Base Address: [0x75200000 ], Size: [0x0002F000 ] Module Name: [ C:\WINDOWS\system32\comsvcs.dll ], Base Address: [0x76620000 ], Size: [0x0013C000 ] Module Name: [ C:\WINDOWS\system32\colbact.DLL ], Base Address: [0x75130000 ], Size: [0x00014000 ] Module Name: [ C:\WINDOWS\system32\MTXCLU.DLL ], Base Address: [0x750F0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ] Module Name: [ C:\WINDOWS\System32\CLUSAPI.DLL ], Base Address: [0x76D10000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\System32\RESUTILS.DLL ], Base Address: [0x750B0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\wbem\wmiprvsd.dll ], Base Address: [0x597F0000 ], Size: [0x0006D000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\wbem\wbemess.dll ], Base Address: [0x75390000 ], Size: [0x00046000 ] Module Name: [ c:\windows\system32\ipnathlp.dll ], Base Address: [0x66460000 ], Size: [0x00055000 ] Module Name: [ c:\windows\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\wbem\ncprov.dll ], Base Address: [0x5F740000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\System32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\upnp.dll ], Base Address: [0x76DE0000 ], Size: [0x00024000 ] Module Name: [ C:\WINDOWS\system32\SSDPAPI.dll ], Base Address: [0x74F00000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\System32\RASDLG.dll ], Base Address: [0x768D0000 ], Size: [0x000A4000 ] Module Name: [ C:\WINDOWS\system32\wups2.dll ], Base Address: [0x50E60000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\msxml3.dll ], Base Address: [0x74980000 ], Size: [0x00113000 ] Module Name: [ C:\WINDOWS\System32\dssenh.dll ], Base Address: [0x68100000 ], Size: [0x00026000 ] [=============================================================================] 9.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\Interface\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\ProxyStubClsid32 ], Value Name: [ ], Value: [ {00020424-0000-0000-C000-000000000046} ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\Interface\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\TypeLib ], Value Name: [ ], Value: [ {D597DEED-5B9F-11D1-8DD2-00AA004ABD5E} ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\Interface\{D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E}\TypeLib ], Value Name: [ Version ], Value: [ 2.0 ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\stdole2.tlb ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\TypeLib\{D597DEED-5B9F-11D1-8DD2-00AA004ABD5E}\2.0\0\win32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\SENS.DLL ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\\AppID\{1BE1F766-5536-11D1-B726-00C04FB926AF} ], Value Name: [ LocalService ], Value: [ EventSystem ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\\AppID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E} ], Value Name: [ DllSurrogate ], Value: [ ], 6 times Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 ], Value Name: [ ], Value: [ oleaut32.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 ], Value Name: [ ], Value: [ oleaut32.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{1BE1F766-5536-11D1-B726-00C04FB926AF} ], Value Name: [ AppID ], Value: [ {1BE1F766-5536-11D1-B726-00C04FB926AF} ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{64B8F404-A4AE-11D1-B7B6-00C04FB926AF}\InprocServer32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\es.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E} ], Value Name: [ AppID ], Value: [ {D5978620-5B9F-11D1-8DD2-00AA004ABD5E} ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}\InprocServer32 ], Value Name: [ ], Value: [ C:\WINDOWS\System32\ES.DLL ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\\CLSID\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}\InprocServer32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ AllowInprocActivation ], Value: [ 4294967295 ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassApplicationID ], Value: [ {00000000-0000-0000-0000-000000000000} ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {D5978620-5B9F-11D1-8DD2-00AA004ABD5E} ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassName ], Value: [ SENS Network Events ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassPartitionID ], Value: [ {00000000-0000-0000-0000-000000000000} ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ FireInParallel ], Value: [ 0 ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ FiringInterfaceIID ], Value: [ {D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E} ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\EVENTCLASSES\{D5978620-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ OwnerSID ], Value: [ S-1-5-18 ], 1 time Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Enabled ], Value: [ 4294967295 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassApplicationID ], Value: [ {00000000-0000-0000-0000-000000000000} ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {D5978620-5B9F-11D1-8DD2-00AA004ABD5E} ], 8 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassPartitionID ], Value: [ {00000000-0000-0000-0000-000000000000} ], 4 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ InterfaceID ], Value: [ {D597BAB1-5B9F-11D1-8DD2-00AA004ABD5E} ], 4 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ OwnerSID ], Value: [ S-1-5-21-842925246-1425521274-308236825-500 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ PerUser ], Value: [ 4294967295 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ SubscriberApplicationID ], Value: [ {00000000-0000-0000-0000-000000000000} ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ SubscriberPartitionID ], Value: [ {00000000-0000-0000-0000-000000000000} ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ SubscriptionID ], Value: [ {0971EAC5-2E46-44BB-83DA-3450FB37DD1D} ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ SubscriptionName ], Value: [ Messenger ISensNetwork Subscription ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{0971EAC5-2E46-44BB-83DA-3450FB37DD1D}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}\SubscriberProperties ], Value Name: [ ulConnectionMadeTypeNoQOC ], Value: [ 0x1300000007000000 ], 4 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{1D0F2203-E6A9-4C21-B011-703EA64EA176}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{1D0F2203-E6A9-4C21-B011-703EA64EA176}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{37BB25C3-D617-4538-A034-08B5B02A3A55}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{37BB25C3-D617-4538-A034-08B5B02A3A55}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{569E7DC3-147B-4F2B-99C7-6730A24F7C67}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{569E7DC3-147B-4F2B-99C7-6730A24F7C67}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{7092EABE-3BD2-4008-8046-85F42A551BB4}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{7092EABE-3BD2-4008-8046-85F42A551BB4}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{9B02C5A1-6D4E-4130-ABDB-2339EF935FF2}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{9B02C5A1-6D4E-4130-ABDB-2339EF935FF2}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{CB7E88EB-7805-4397-AA70-34DB2FF133FB}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{CB7E88EB-7805-4397-AA70-34DB2FF133FB}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {D5978630-5B9F-11D1-8DD2-00AA004ABD5E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{CBFF1B9A-8EA7-4D94-B3A0-D853C5911CF5}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{CBFF1B9A-8EA7-4D94-B3A0-D853C5911CF5}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {D0565000-9DF4-11D1-A281-00C04FCA0AA7} ], 16 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ PublisherID ], Value: [ {5FEE1BD6-5B9B-11D1-8DD2-00AA004ABD5E} ], 8 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{D789AB02-5B9F-11D1-8DD2-00AA004ABD5E}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ SubscriberCLSID ], Value: [ {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E} ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{E6BC5A56-2F8E-4DF2-A7FF-8805FB0D89DE}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{E6BC5A56-2F8E-4DF2-A7FF-8805FB0D89DE}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{FF42155F-40BF-48AD-8DC8-863D7039A5C9}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ Active ], Value: [ 1 ], 2 times Key: [ HKLM\SOFTWARE\MICROSOFT\EVENTSYSTEM\{26C409CC-AE86-11D1-B616-00805FC79216}\SUBSCRIPTIONS\{FF42155F-40BF-48AD-8DC8-863D7039A5C9}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000} ], Value Name: [ EventClassID ], Value: [ {FAF53CC4-BD73-4E36-83F1-2B23F46E513E} ], 24 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE ], Value Name: [ Bind ], Value: [ 0x5c004400650076006900630065005c007b00310041004400340035004200 ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 16 times Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Log File Max Size ], Value: [ 65536 ], 1 time Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Logging ], Value: [ 1 ], 1 time Key: [ HKLM\software\microsoft\windows nt\currentversion\network ], Value Name: [ UID ], Value: [ pc1_7875768F3D3DB1CC ], 1 time Key: [ HKLM\system\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times [=============================================================================] 9.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\SENS.DLL ] File Name: [ C:\WINDOWS\system32\stdole2.tlb ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ unnamed file ], Control Code: [ 0x00120003 ], 7 times File: [ unnamed file ], Control Code: [ 0x00120040 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\SENS.DLL ] File Name: [ C:\WINDOWS\system32\stdole2.tlb ] [#############################################################################] 10. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: svchost.exe Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ c:\windows\system32\dnsrslvr.dll ], Base Address: [0x76770000 ], Size: [0x0000D000 ] Module Name: [ c:\windows\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] [=============================================================================] 10.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\NetworkService\Application Data ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time [=============================================================================] 10.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ C:\Endpoint ], Control Code: [ AFD_SEND_DATAGRAM (0x00012023) ], 4 times File: [ C:\Endpoint ], Control Code: [ AFD_SELECT (0x00012024) ], 3 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\WININET.dll ] [#############################################################################] 11. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: svchost.exe MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18 SHA-1: 49083ae3725a0488e0a8fbbe1335c745f70c4667 File Size: 14336 Bytes Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x005B0000 ], Size: [0x002C5000 ] Module Name: [ c:\windows\system32\lmhsvc.dll ], Base Address: [0x74C40000 ], Size: [0x00006000 ] Module Name: [ c:\windows\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\webclnt.dll ], Base Address: [0x5A6E0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\wsock32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ] Module Name: [ c:\windows\system32\regsvc.dll ], Base Address: [0x76AF0000 ], Size: [0x00012000 ] Module Name: [ c:\windows\system32\ssdpsrv.dll ], Base Address: [0x765E0000 ], Size: [0x00014000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\alrsvc.dll ], Base Address: [0x70F80000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] [=============================================================================] 11.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\LocalService\Application Data ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder ], Watch subtree: [ 0 ], Notify Filter: [ Value Change ], 1 time [=============================================================================] 11.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 7 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] [#############################################################################] 12. spoolsv.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: svchost.exe wrote to the virtual memory of this process Filename: spoolsv.exe MD5: d8e14a61acc1d4a6cd0d38aebac7fa3b SHA-1: 0e5d1a09a103eae3bd693c7a1c7531fde2e2402b File Size: 57856 Bytes Command Line: C:\WINDOWS\system32\spoolsv.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\SPOOLSS.DLL ], Base Address: [0x742E0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\localspl.dll ], Base Address: [0x75BB0000 ], Size: [0x00056000 ] Module Name: [ C:\WINDOWS\system32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\winspool.drv ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\netapi32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\cnbjmon.dll ], Base Address: [0x742A0000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\pjlmon.dll ], Base Address: [0x74280000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\system32\tcpmon.dll ], Base Address: [0x72400000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\usbmon.dll ], Base Address: [0x723F0000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\win32spl.dll ], Base Address: [0x75C10000 ], Size: [0x00024000 ] Module Name: [ C:\WINDOWS\system32\NETRAP.dll ], Base Address: [0x71C80000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x01010000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\inetpp.dll ], Base Address: [0x74300000 ], Size: [0x00015000 ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org