Analysis Report for 38cbb71db9dde0c20c5b2ff57b1dc130

Comment on this report

Summary:

Description	Risk
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Windows Service Activities d) Process Activities services.exe C:\WINDOWS\system32\services.exe NtConnectPort(\RPC Control\ntsvcs was called. General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities svchost.exe C:\WINDOWS\System32\svchost.exe Started by services.exe General Information svchost.exe C:\WINDOWS\System32\svchost.exe Started by services.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by sample.exe General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	241 s
Report created:	06/22/09, 06:54:01 UTC
Termination reason:	Timeout
Program version:	1.68.0

1.a) - Network Activity

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 33 - Transferred inbound Bytes: 125

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	38cbb71db9dde0c20c5b2ff57b1dc130
SHA-1:	9550a6bdf7ef24e7c6406e9ab43a0fa7b679e516
File Size:	55808 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\user32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\advapi32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\shlwapi.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntoskrnl.exe	0x00870000	0x00216680
C:\WINDOWS\system32\RimttiC.dll	0x10000000	0x0001C000
C:\WINDOWS\system32\COMCTL32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\AVICAP32.dll	0x73B80000	0x00012000
C:\WINDOWS\system32\MSVFW32.dll	0x75A70000	0x00021000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

	- SigBuster Output

ASPack vna SN:1633

2.a) sample.exe - Registry Activities

	- Registry Keys Created:

HKLM\SYSTEM\CurrentControlSet\Services\MakeCenter\Parameters

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost	krnlsrvc	0x4d0061006b006500430065006e007400650072000000
HKLM\SYSTEM\CurrentControlSet\Services\MakeCenter	Description	Make office Windows lorerwin free
HKLM\SYSTEM\CurrentControlSet\Services\MakeCenter\Parameters	ServiceDll	C:\WINDOWS\system32\RimttiC.dll

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	wheel	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

2.b) sample.exe - File Activities

	- Files Created:

C:\DOCUME~1\user\LOCALS~1\Temp\1957781_res.tmp

	- Files Read:

C:\WINDOWS\system32\drivers\beep.sys

	- Files Modified:

C:\DOCUME~1\user\LOCALS~1\Temp\1957781_res.tmp

C:\WINDOWS\system32\drivers\beep.sys

RiSing2008

	- Files Renamed:

Old Filename	New Filename
C:\DOCUME~1\user\LOCALS~1\Temp\1957781_res.tmp	\??\C:\WINDOWS\system32\RimttiC.dll

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8
RiSing2008	0x0022E14B	284

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\AVICAP32.dll

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\COMCTL32.dll

C:\WINDOWS\system32\MSVFW32.dll

C:\WINDOWS\system32\RimttiC.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WINMM.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\ntoskrnl.exe

C:\Windows\AppPatch\sysmain.sdb

C:\sample.exe

2.c) sample.exe - Windows Service Activities

	- Services Started:

beep

MakeCenter

	- Services Created:

Name	Type	Path
MakeCenter	SERVICE_AUTO_START	%SystemRoot%\System32\svchost.exe -k krnlsrvc

	- Services Changed:

MakeCenter

	- Control Codes Sent to Other Services:

Service	Control Code
beep	SERVICE_CONTROL_STOP
beep	SERVICE_CONTROL_STOP

2.d) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\cmd.exe
	C:\WINDOWS\system32\cmd.exe /c del C:\sample.exe > nul

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\cmd.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\cmd.exe

3. services.exe

	- General information about this executable

Analysis Reason:	NtConnectPort(\RPC Control\ntsvcs was called.
Filename:	services.exe
MD5:	0e776ed5f7cc9f94299e70461b7b8185
SHA-1:	cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf
File Size:	108544 Bytes
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\SCESRV.dll	0x7DBD0000	0x00051000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll	0x47260000	0x0000F000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

3.a) services.exe - Registry Activities

	- Registry Keys Created:

HKLM\System\CurrentControlSet\Services\MakeCenter

HKLM\System\CurrentControlSet\Services\MakeCenter\Security

	- Registry Values Modified:

Key	Name	New Value
HKLM\SYSTEM\CONTROLSET001\CONTROL\SERVICECURRENT		10
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_MAKECENTER\0000\Control	ActiveService	MakeCenter
HKLM\System\CurrentControlSet\Services\MakeCenter	DisplayName	Make windows xp
HKLM\System\CurrentControlSet\Services\MakeCenter	ErrorControl	0
HKLM\System\CurrentControlSet\Services\MakeCenter	ImagePath	%SystemRoot%\System32\svchost.exe -k krnlsrvc
HKLM\System\CurrentControlSet\Services\MakeCenter	ObjectName	LocalSystem
HKLM\System\CurrentControlSet\Services\MakeCenter	Start	2
HKLM\System\CurrentControlSet\Services\MakeCenter	Type	16
HKLM\System\CurrentControlSet\Services\MakeCenter\Security	Security	0x01001480900000009c000000140000003000000002001c00010000000280

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_BEEP\0000	ClassGUID	{8ECC055D-047F-11D1-A537-0000F8753ED1}	2
HKLM\SYSTEM\CONTROLSET001\SERVICES\Beep\Enum	0	Root\LEGACY_BEEP\0000	4
HKLM\SYSTEM\CONTROLSET001\SERVICES\Beep\Enum	Count	1	8
HKLM\SYSTEM\CONTROLSET001\SERVICES\MakeCenter\Enum	0	Root\LEGACY_MAKECENTER\0000	4
HKLM\SYSTEM\CONTROLSET001\SERVICES\MakeCenter\Enum	Count	1	8
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\System\CurrentControlSet\Services\CryptSvc	DependOnService	0x5200700063005300730000000000	1
HKLM\System\CurrentControlSet\Services\CryptSvc	DisplayName	Cryptographic Services	1
HKLM\System\CurrentControlSet\Services\CryptSvc	ErrorControl	1	1
HKLM\System\CurrentControlSet\Services\CryptSvc	ImagePath	%SystemRoot%\system32\svchost.exe -k netsvcs	1
HKLM\System\CurrentControlSet\Services\CryptSvc	ObjectName	LocalSystem	1
HKLM\System\CurrentControlSet\Services\CryptSvc	Start	2	1
HKLM\System\CurrentControlSet\Services\CryptSvc	Type	32	1
HKLM\System\CurrentControlSet\Services\MakeCenter	ImagePath	%SystemRoot%\System32\svchost.exe -k krnlsrvc	2
HKLM\System\CurrentControlSet\Services\MakeCenter	ObjectName	LocalSystem	4
HKLM\System\CurrentControlSet\Services\MakeCenter	Start	2	1

3.b) services.exe - File Activities

	- Files Created:

pipe\net\NtControlPipe10

pipe\net\NtControlPipe9

	- Files Read:

pipe\net\NtControlPipe10

	- Files Modified:

C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe

C:\WINDOWS\Debug\UserMode\userenv.log

C:\WINDOWS\system32\config\SysEvent.Evt

	- File System Control Communication:

File	Control Code	Times
pipe\net\NtControlPipe9	0x00110008	1
pipe\net\NtControlPipe10	0x00110008	1
pipe\net\NtControlPipe10	0x0011C017	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\System32\svchost.exe

C:\Windows\AppPatch\sysmain.sdb

3.c) services.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\System32\svchost.exe
	C:\WINDOWS\System32\svchost.exe -k krnlsrvc
C:\WINDOWS\System32\svchost.exe
	C:\WINDOWS\System32\svchost.exe -k krnlsrvc

	- Remote Threads Created:

Affected Process

C:\WINDOWS\System32\svchost.exe

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\System32\svchost.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\System32\svchost.exe

3.d) services.exe - Other Activities

	- Drivers Loaded:

HKLM\System\CurrentControlSet\Services\Beep

	- Drivers Unloaded:

HKLM\System\CurrentControlSet\Services\Beep

4. svchost.exe

	- General information about this executable

Analysis Reason:	Started by services.exe
Filename:	svchost.exe
MD5:	27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1:	49083ae3725a0488e0a8fbbe1335c745f70c4667
File Size:	14336 Bytes
Command Line:	C:\WINDOWS\System32\svchost.exe -k krnlsrvc
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\System32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\System32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\System32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\System32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

5. svchost.exe

	- General information about this executable

Analysis Reason:	Started by services.exe
Filename:	svchost.exe
MD5:	27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1:	49083ae3725a0488e0a8fbbe1335c745f70c4667
File Size:	14336 Bytes
Command Line:	C:\WINDOWS\System32\svchost.exe -k krnlsrvc
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\System32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\System32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\System32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\System32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
c:\windows\system32\rimttic.dll	0x10000000	0x0001C000
C:\WINDOWS\System32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
c:\windows\system32\WS2HELP.dll	0x71AA0000	0x00008000
c:\windows\system32\WS2_32.dll	0x71AB0000	0x00017000
c:\windows\system32\AVICAP32.dll	0x73B80000	0x00012000
c:\windows\system32\MSVFW32.dll	0x75A70000	0x00021000
C:\WINDOWS\System32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\System32\rasadhlp.dll	0x76FC0000	0x00006000

5.a) svchost.exe - Registry Activities

	- Registry Keys Created:

HKLM\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost	krnlsrvc	0x4d0061006b006500430065006e007400650072000000	2
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	USER	1
HKLM\System\CurrentControlSet\Control\ServiceCurrent		10	1
HKLM\System\CurrentControlSet\Services\LDAP	LdapClientIntegrity	1	1
HKLM\System\CurrentControlSet\Services\MakeCenter\Parameters	ServiceDll	C:\WINDOWS\system32\RimttiC.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	user	2
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	1	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1012	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	11	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

5.b) svchost.exe - File Activities

	- Files Read:

pipe\net\NtControlPipe10

	- Files Modified:

\Device\Afd\Endpoint

\Device\RasAcd

pipe\net\NtControlPipe10

	- File System Control Communication:

File	Control Code	Times
\DosDevices\pipe\	0x00110018	1

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7
\Device\RasAcd	0x00F14014	1
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	4
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	1
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	2
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	1
unnamed file	0x00120028	2
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	2
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\System32\DNSAPI.dll

C:\WINDOWS\System32\hnetcfg.dll

C:\WINDOWS\System32\mswsock.dll

C:\WINDOWS\System32\rasadhlp.dll

C:\WINDOWS\System32\winrnr.dll

C:\WINDOWS\System32\wshtcpip.dll

c:\windows\system32\AVICAP32.dll

c:\windows\system32\MSVFW32.dll

c:\windows\system32\WS2HELP.dll

c:\windows\system32\WS2_32.dll

c:\windows\system32\rimttic.dll

5.c) svchost.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 78 seconds	1

5.d) svchost.exe - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
zljtl8.3322.org	DNS_TYPE_A	61.164.126.48	1

	- Unknown TCP Traffic:

from ANUBIS:1032 to 61.164.126.48:91

State: Connection established, not terminated - Transferred outbound Bytes: 216 - Transferred inbound Bytes: 0

6. cmd.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	cmd.exe
MD5:	6d778e0f95447e6546553eeea709d03c
SHA-1:	811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
File Size:	389120 Bytes
Command Line:	C:\WINDOWS\system32\cmd.exe /c del C:\sample.exe > nul
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

6.a) cmd.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\Command Processor	AutoRun		1
HKLM\Software\Microsoft\Command Processor	CompletionChar	64	1
HKLM\Software\Microsoft\Command Processor	DefaultColor	0	1
HKLM\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKLM\Software\Microsoft\Command Processor	PathCompletionChar	64	1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups	1	1	1
HKLM\System\CurrentControlSet\Control\Nls\Locale	00000409	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	CompletionChar	9	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	DefaultColor	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	EnableExtensions	1	1

6.b) cmd.exe - File Activities

	- Files Deleted:

C:\sample.exe

	- Files Modified:

nul

Analysis Report for 38cbb71db9dde0c20c5b2ff57b1dc130

Summary:

Table of Contents