[#############################################################################]
Analysis Report for 06c19d23a9108411d618dc5e7aeeb46b.spyeyetracker
MD5: 06c19d23a9108411d618dc5e7aeeb46b
[#############################################################################]

Summary:
- Write to foreign memory areas: This executable tampers with the execution of another process.
- AV Hit: This executable is detected by an antivirus software.
- Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
- Execution did not terminate correctly: The executable crashed.
- Modify system files: This executable modifies files in the windows system directories.
- Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
- Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
- Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
- Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
- Spawns Processes: The executable produces processes during the execution.
- Performs Registry Activities: The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]
- General information
- 06c19d23a9.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
- Explorer.EXE
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- RestorPoint.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- winlogon.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- lsass.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- svchost.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- svchost.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- svchost.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- svchost.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- svchost.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- spoolsv.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- alg.exe
  a) Registry Activities
  b) File Activities
  c) Other Activities
- wscntfy.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
  d) Other Activities
- dwwin.exe
  a) Registry Activities
  b) File Activities
  c) Process Activities
- ctfmon.exe

[#############################################################################]
1. General Information
[#############################################################################]

[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 242 s
Report created: 02/23/11, 05:13:27 UTC
Termination reason: Timeout
Program version: 1.74.3362

[#############################################################################]
2. 06c19d23a9.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: 06c19d23a9.exe
MD5: 06c19d23a9108411d618dc5e7aeeb46b
SHA-1: 9f9f258d53a88a05e765f2b8e3dd12c044128de9
File Size: 185344 Bytes
Command Line: "C:\06c19d23a9.exe"
Process-status at analysis end: dead
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\imagehlp.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\winspool.drv ], Base Address: [0x73000000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]

[=============================================================================]
SigBuster Output
[=============================================================================]
UPX All_Versions SN:1634

[=============================================================================]
Ikarus Virus Scanner
[=============================================================================]
Trojan.Win32.Spyeye (Sig-Id: 1517141)

[=============================================================================]
2.a) 06c19d23a9.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time

[=============================================================================]
2.b) 06c19d23a9.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directories Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Directory: [ C:\RestorPoint\ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\winspool.drv ]

[=============================================================================]
2.c) 06c19d23a9.exe - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\explorer.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\explorer.exe ]

[#############################################################################]
3. Explorer.EXE
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: 06c19d23a9.exe wrote to the virtual memory of this process
Filename: Explorer.EXE
MD5: 12896823fb95bfb3dc9b46bcaedc9923
SHA-1: 9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size: 1033728 Bytes
Command Line: C:\WINDOWS\Explorer.EXE
Process-status at analysis end: dead
Exit Code: -1073741794

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\BROWSEUI.dll ], Base Address: [0x75F80000 ], Size: [0x000FD000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\SHDOCVW.dll ], Base Address: [0x7E290000 ], Size: [0x00171000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ], Base Address: [0x754D0000 ], Size: [0x00080000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\appHelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\System32\cscui.dll ], Base Address: [0x77A20000 ], Size: [0x00054000 ]
Module Name: [ C:\WINDOWS\System32\CSCDLL.dll ], Base Address: [0x76600000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\themeui.dll ], Base Address: [0x5BA60000 ], Size: [0x00071000 ]
Module Name: [ C:\WINDOWS\system32\MSIMG32.dll ], Base Address: [0x76380000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x00BC0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\actxprxy.dll ], Base Address: [0x71D40000 ], Size: [0x0001B000 ]
Module Name: [ C:\WINDOWS\system32\msutb.dll ], Base Address: [0x5FC10000 ], Size: [0x00033000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\LINKINFO.dll ], Base Address: [0x76980000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\ntshrui.dll ], Base Address: [0x76990000 ], Size: [0x00025000 ]
Module Name: [ C:\WINDOWS\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\webcheck.dll ], Base Address: [0x74B30000 ], Size: [0x00046000 ]
Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\stobject.dll ], Base Address: [0x76280000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\system32\BatMeter.dll ], Base Address: [0x74AF0000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\POWRPROF.dll ], Base Address: [0x74AD0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\msi.dll ], Base Address: [0x7D1E0000 ], Size: [0x002BC000 ]
Module Name: [ C:\WINDOWS\system32\NETSHELL.dll ], Base Address: [0x76400000 ], Size: [0x001A5000 ]
Module Name: [ C:\WINDOWS\system32\credui.dll ], Base Address: [0x76C00000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\dot3api.dll ], Base Address: [0x478C0000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\dot3dlg.dll ], Base Address: [0x736D0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\OneX.DLL ], Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\eappcfg.dll ], Base Address: [0x745B0000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\eappprxy.dll ], Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\System32\drprov.dll ], Base Address: [0x75F60000 ], Size: [0x00007000 ]
Module Name: [ C:\WINDOWS\System32\ntlanman.dll ], Base Address: [0x71C10000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\System32\NETUI0.dll ], Base Address: [0x71CD0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\System32\NETUI1.dll ], Base Address: [0x71C90000 ], Size: [0x00040000 ]
Module Name: [ C:\WINDOWS\System32\NETRAP.dll ], Base Address: [0x71C80000 ], Size: [0x00007000 ]
Module Name: [ C:\WINDOWS\System32\davclnt.dll ], Base Address: [0x75F70000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\browselc.dll ], Base Address: [0x71600000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\MLANG.dll ], Base Address: [0x75CF0000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\IMM32.dll ], Base Address: [0x76390000 ], Size: [0x0001D000 ]

[=============================================================================]
3.a) Explorer.EXE - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Keys Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f} ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f} ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN ], Value Name: [ RestorPoint.exe ], New Value: [ C:\RestorPoint\RestorPoint.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time

[=============================================================================]
3.b) Explorer.EXE - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\06c19d23a9.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\RestorPoint.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\06c19d23a9.exe ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\RestorPoint.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ unnamed file ], Control Code: [ 0x0022415C ], 2 times
File: [ unnamed file ], Control Code: [ 0x00228168 ], 2 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\RestorPoint.exe ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
3.c) Explorer.EXE - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\RestorPoint\RestorPoint.exe ], Command Line: [ ]
Executable: [ C:\RestorPoint\RestorPoint.exe ], Command Line: [ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\RestorPoint\RestorPoint.exe ]
Affected Process: [ C:\WINDOWS\system32\winlogon.exe ]
Affected Process: [ C:\WINDOWS\system32\lsass.exe ]
Affected Process: [ C:\WINDOWS\system32\svchost.exe ]
Affected Process: [ C:\WINDOWS\system32\svchost.exe ]
Affected Process: [ C:\WINDOWS\system32\svchost.exe ]
Affected Process: [ C:\WINDOWS\system32\svchost.exe ]
Affected Process: [ C:\WINDOWS\system32\svchost.exe ]
Affected Process: [ C:\WINDOWS\system32\spoolsv.exe ]
Affected Process: [ C:\WINDOWS\system32\alg.exe ]
Affected Process: [ C:\WINDOWS\system32\wscntfy.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\RestorPoint\RestorPoint.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\RestorPoint\RestorPoint.exe ]
Process: [ C:\WINDOWS\explorer.exe ]
Process: [ C:\WINDOWS\system32\alg.exe ]
Process: [ C:\WINDOWS\system32\ctfmon.exe ]
Process: [ C:\WINDOWS\system32\lsass.exe ]
Process: [ C:\WINDOWS\system32\spoolsv.exe ]
Process: [ C:\WINDOWS\system32\svchost.exe ]
Process: [ C:\WINDOWS\system32\winlogon.exe ]
Process: [ C:\WINDOWS\system32\wscntfy.exe ]

[=============================================================================]
3.d) Explorer.EXE - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ restorpoint ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Keyboard Keys Monitored:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Virtual Key Code: [ VK_LBUTTON (1) ], 22 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbb7a81a ], 1 time

[#############################################################################]
4. RestorPoint.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by Explorer.EXE
Filename: RestorPoint.exe
MD5: 06c19d23a9108411d618dc5e7aeeb46b
SHA-1: 9f9f258d53a88a05e765f2b8e3dd12c044128de9
File Size: 185344 Bytes
Command Line: "C:\RestorPoint\RestorPoint.exe"
Process-status at analysis end: dead
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\imagehlp.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\winspool.drv ], Base Address: [0x73000000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]

[=============================================================================]
SigBuster Output
[=============================================================================]
UPX All_Versions SN:1634

[=============================================================================]
Ikarus Virus Scanner
[=============================================================================]
Trojan.Win32.Spyeye (Sig-Id: 1517141)

[=============================================================================]
4.a) RestorPoint.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time

[=============================================================================]
4.b) RestorPoint.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\config.bin ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\config.bin ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\RestorPoint\config.bin ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\Documents and Settings\Administrator\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\WindowsShell.Manifest ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\winspool.drv ]

[=============================================================================]
4.c) RestorPoint.exe - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\explorer.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\explorer.exe ]

[=============================================================================]
4.d) RestorPoint.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutexes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Mutex: [ DBWinMutex ]
Mutex: [ restorpoint ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0x40010006 at 0x7c812aeb ], 1 time

[#############################################################################]
5. winlogon.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: winlogon.exe
Command Line: winlogon.exe
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\NDdeApi.dll ], Base Address: [0x75940000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\PROFMAP.dll ], Base Address: [0x75930000 ], Size: [0x0000A000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\REGAPI.dll ], Base Address: [0x76BC0000 ], Size: [0x0000F000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\MSGINA.dll ], Base Address: [0x75970000 ], Size: [0x000F8000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\ODBC32.dll ], Base Address: [0x74320000 ], Size: [0x0003D000 ]
Module Name: [ C:\WINDOWS\system32\comdlg32.dll ], Base Address: [0x763B0000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\odbcint.dll ], Base Address: [0x00930000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\SHSVCS.dll ], Base Address: [0x776E0000 ], Size: [0x00023000 ]
Module Name: [ C:\WINDOWS\system32\sfc.dll ], Base Address: [0x76BB0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\WINSCARD.DLL ], Base Address: [0x723D0000 ], Size: [0x0001C000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\uxtheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\system32\cscdll.dll ], Base Address: [0x76600000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\System32\dimsntfy.dll ], Base Address: [0x47020000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WlNotify.dll ], Base Address: [0x75950000 ], Size: [0x0001A000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\sxs.dll ], Base Address: [0x7E720000 ], Size: [0x000B0000 ]
Module Name: [ C:\WINDOWS\system32\msv1_0.dll ], Base Address: [0x77C70000 ], Size: [0x00024000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\wldap32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\cscui.dll ], Base Address: [0x77A20000 ], Size: [0x00054000 ]
Module Name: [
C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x016E0000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] [=============================================================================] 5.a) winlogon.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 
], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=============================================================================] 5.b) winlogon.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\ntdll.dll ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times File: [ pipe\PCHFaultRepExecPipe ], Control Code: [ 0x0011C017 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\faultrep.dll ] File Name: [ C:\WINDOWS\system32\ntdll.dll ] [=============================================================================] 5.c) winlogon.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time 
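The injection chain this report records is spread over several process sections: RestorPoint.exe creates a remote thread in explorer.exe and writes to its memory (section 4.c), and each later section is present only because "Explorer.EXE wrote to the virtual memory of this process" (winlogon.exe, lsass.exe, the svchost.exe instances). Two of the surrounding artefacts are noise rather than indicators: exception 0x40010006 is DBG_PRINTEXCEPTION_C, the exception OutputDebugString raises, and DBWinMutex is the mutex that same mechanism takes; the "restorpoint" mutex is the sample-specific one. The 0xc000001e (STATUS_INVALID_LOCK_SEQUENCE) exceptions, by contrast, occur at 0xbaea81a in every injected process, an address that lies inside none of the modules listed for those processes. The script below is an added example, not part of the Anubis report or the Anubis service: it parses an Anubis-style text report and rebuilds the injector-to-target graph from both sides of the record (the injector's "Remote Threads Created" / "Foreign Memory Regions Written" lists and the target's "Analysis Reason" line), then walks it transitively. The record-layout assumptions (one record per line, values in square brackets, a `[###…]` banner followed by `N. name` opening each process section) and the condensed SAMPLE_REPORT are constructed to mirror the layout above.

```python
# Added example (not from the Anubis report on this page): rebuild the injection
# chain from an Anubis-style text report. Assumed layout: one record per line,
# values in square brackets, process sections opened by a '[###]' banner line
# followed by 'N. name'. SAMPLE_REPORT below is a constructed, condensed excerpt.
import re

BANNER = re.compile(r"^\[#+\]$")
SECTION_TITLE = re.compile(r"^\d+\.\s+(\S+)$")
ANALYSIS_REASON = re.compile(r"^Analysis Reason:\s+(\S+) wrote to the virtual memory")
SUBSECTION = re.compile(r"^(Remote Threads Created|Foreign Memory Regions Written|Mutexes Created):$")
BRACKET_VALUE = re.compile(r"^(Affected Process|Process|Mutex):\s+\[\s*(.*?)\s*\]$")
NOISE_MUTEXES = {"DBWinMutex"}  # taken by kernel32's OutputDebugString plumbing


def parse_report(text):
    """Return {process: {injected_by, remote_threads, foreign_writes, mutexes}}."""
    procs, current, subsection, prev_banner = {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if BANNER.match(line):
            prev_banner = True
            continue
        title = SECTION_TITLE.match(line)
        if prev_banner and title:  # '[###]' then 'N. name' opens a process section
            current = title.group(1)
            procs[current] = {"injected_by": None, "remote_threads": [],
                              "foreign_writes": [], "mutexes": []}
            subsection = None
        prev_banner = False
        if current is None:
            continue
        reason, value = ANALYSIS_REASON.match(line), BRACKET_VALUE.match(line)
        if reason:
            procs[current]["injected_by"] = reason.group(1)
        elif line.endswith(":"):  # any 'Something:' header starts a new list
            sub = SUBSECTION.match(line)
            subsection = sub.group(1) if sub else None
        elif value:
            label, item = value.groups()
            if (subsection, label) == ("Remote Threads Created", "Affected Process"):
                procs[current]["remote_threads"].append(item)
            elif (subsection, label) == ("Foreign Memory Regions Written", "Process"):
                procs[current]["foreign_writes"].append(item)
            elif (subsection, label) == ("Mutexes Created", "Mutex"):
                procs[current]["mutexes"].append(item)
    return procs


def injection_edges(procs):
    """Directed (injector, target) pairs, lower-cased, merged from both sides:
    the injector's thread/memory records and the target's 'Analysis Reason'."""
    edges = set()
    for name, rec in procs.items():
        if rec["injected_by"]:
            edges.add((rec["injected_by"].lower(), name.lower()))
        for path in rec["remote_threads"] + rec["foreign_writes"]:
            edges.add((name.lower(), path.rsplit("\\", 1)[-1].lower()))
    return sorted(edges)


def reachable_from(edges, root):
    """Every process the root reaches through one or more injection hops."""
    seen, pending = set(), [root.lower()]
    while pending:
        node = pending.pop()
        for src, dst in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                pending.append(dst)
    return sorted(seen)


def indicator_mutexes(procs):
    """(process, mutex) pairs with well-known system mutexes filtered out."""
    return sorted((n.lower(), m) for n, rec in procs.items()
                  for m in rec["mutexes"] if m not in NOISE_MUTEXES)


SAMPLE_REPORT = r"""
[#####]
4. RestorPoint.exe
[#####]
Remote Threads Created:
Affected Process: [ C:\WINDOWS\explorer.exe ]
Foreign Memory Regions Written:
Process: [ C:\WINDOWS\explorer.exe ]
Mutexes Created:
Mutex: [ DBWinMutex ]
Mutex: [ restorpoint ]
[#####]
5. winlogon.exe
[#####]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
[#####]
6. lsass.exe
[#####]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
"""

if __name__ == "__main__":
    procs = parse_report(SAMPLE_REPORT)
    edges = injection_edges(procs)
    print("injection edges:", edges)
    print("reachable from RestorPoint.exe:", reachable_from(edges, "RestorPoint.exe"))
    print("indicator mutexes:", indicator_mutexes(procs))
```

Merging both sides of the record matters because Anubis reports a "Remote Threads Created" list only for the process it traced as the injector, while the injected system processes carry only the "Analysis Reason" line; taking the union gives the full dropper → explorer.exe → {winlogon.exe, lsass.exe, svchost.exe} chain even when one side of a hop is missing.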
[#############################################################################]
6. lsass.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: lsass.exe
MD5: bf2466b3e18e970d8a976fb95fc1ca85
SHA-1: de5a73cbb5f51f64c53fb4277ef2c23e70db123f
File Size: 13312 Bytes
Command Line: C:\WINDOWS\system32\lsass.exe
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\LSASRV.dll ], Base Address: [0x75730000 ], Size: [0x000B5000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\SAMSRV.dll ], Base Address: [0x74440000 ], Size: [0x0006A000 ]
Module Name: [ C:\WINDOWS\system32\cryptdll.dll ], Base Address: [0x76790000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\msprivs.dll ], Base Address: [0x4D200000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\kerberos.dll ], Base Address: [0x71CF0000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\msv1_0.dll ], Base Address: [0x77C70000 ], Size: [0x00024000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\netlogon.dll ], Base Address: [0x744B0000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\w32time.dll ], Base Address: [0x767C0000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ C:\WINDOWS\system32\schannel.dll ], Base Address: [0x767F0000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\wdigest.dll ], Base Address: [0x74380000 ], Size: [0x0000F000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\setupapi.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\scecli.dll ], Base Address: [0x74410000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\ipsecsvc.dll ], Base Address: [0x743E0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\oakley.DLL ], Base Address: [0x75D90000 ], Size: [0x000D0000 ]
Module Name: [ C:\WINDOWS\system32\WINIPSEC.DLL ], Base Address: [0x74370000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ]
Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\dssenh.dll ], Base Address: [0x68100000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\system32\pstorsvc.dll ], Base Address: [0x743A0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\psbase.dll ], Base Address: [0x743C0000 ], Size: [0x0001B000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]

[=============================================================================]
6.a) lsass.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SAM\SAM\DOMAINS\Account\Users\000001F4 ], Value Name: [ V ], Value: [ 0x00000000bc00000002000100bc0000001a00000000000000d80000000000 ], 19 times
Key: [ HKLM\SAM\SAM\DOMAINS\Account\Users\Names\Administrator ], Value Name: [ ], Value: [ ], 20 times
Key: [ HKLM\SECURITY\Policy\SecDesc ], Value Name: [ ], Value: [ 0x0100048098000000a8000000000000001400000002008400060000000100 ], 40 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time

[=============================================================================]
6.b) lsass.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsass ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\lsass, Flags: Named pipe ]
File Name: [ PIPE\lsarpc ]
File Name: [ PIPE\lsass ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\lsass, Flags: Named pipe ]
File Name: [ PIPE\lsarpc ]
File Name: [ PIPE\lsass ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\lsass, Flags: Named pipe ], Control Code: [ 0x00110024 ], 27 times
File: [ C:\lsass, Flags: Named pipe ], Control Code: [ 0x0011001C ], 119 times
File: [ C:\lsass, Flags: Named pipe ], Control Code: [ 0x00110008 ], 2 times
File: [ PIPE\lsass ], Control Code: [ 0x00110008 ], 9 times
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times
File: [ PIPE\lsass ], Control Code: [ 0x00110024 ], 24 times
File: [ PIPE\lsass ], Control Code: [ 0x0011001C ], 59 times
File: [ PIPE\lsass ], Control Code: [ 0x00110004 ], 3 times
File: [ C:\lsass, Flags: Named pipe ], Control Code: [ 0x00110004 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]

[=============================================================================]
6.c) lsass.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time

[#############################################################################]
7. svchost.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: svchost.exe
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA-1: 49083ae3725a0488e0a8fbbe1335c745f70c4667
File Size: 14336 Bytes
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ c:\windows\system32\rpcss.dll ], Base Address: [0x76A80000 ], Size: [0x00064000 ]
Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x005F0000 ], Size: [0x002C5000 ]
Module Name: [ c:\windows\system32\termsrv.dll ], Base Address: [0x760F0000 ], Size: [0x00053000 ]
Module Name: [ c:\windows\system32\ICAAPI.dll ], Base Address: [0x74F70000 ], Size: [0x00006000 ]
Module Name: [ c:\windows\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ c:\windows\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ]
Module Name: [ c:\windows\system32\mstlsapi.dll ], Base Address: [0x75110000 ], Size: [0x0001F000 ]
Module Name: [ c:\windows\system32\ACTIVEDS.dll ], Base Address: [0x77CC0000 ], Size: [0x00032000 ]
Module Name: [ c:\windows\system32\adsldpc.dll ], Base Address: [0x76E10000 ], Size: [0x00025000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ c:\windows\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\REGAPI.dll ], Base Address: [0x76BC0000 ], Size: [0x0000F000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]

[=============================================================================]
7.a) svchost.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time

[=============================================================================]
7.b) svchost.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\lsarpc, Flags: Named pipe ], Control Code: [ 0x0011C017 ], 54 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]

[=============================================================================]
7.c) svchost.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time

[#############################################################################]
8. svchost.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: svchost.exe
Command Line: C:\WINDOWS\system32\svchost -k rpcss
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ c:\windows\system32\rpcss.dll ], Base Address: [0x76A80000 ], Size: [0x00064000 ]
Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x005F0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ]
Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
8.a) svchost.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress
], Value: [ 0 ], 2 times Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time [=============================================================================] 8.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\ntdll.dll ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINSTA.dll ] File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ] File Name: [ C:\WINDOWS\system32\faultrep.dll ] File Name: [ C:\WINDOWS\system32\ntdll.dll ] [=============================================================================] 8.c) svchost.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time [#############################################################################] 9. 
svchost.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: svchost.exe
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\System32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\System32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\System32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\System32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\System32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ]
Module Name: [ C:\WINDOWS\System32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\System32\xpsp2res.dll ], Base Address: [0x005B0000 ], Size: [0x002C5000 ]
Module Name: [ c:\windows\system32\shsvcs.dll ], Base Address: [0x776E0000 ], Size: [0x00023000 ]
Module Name: [ C:\WINDOWS\System32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\System32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ c:\windows\system32\dhcpcsvc.dll ], Base Address: [0x7D4B0000 ], Size: [0x00022000 ]
Module Name: [ c:\windows\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ]
Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ c:\windows\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ c:\windows\system32\wzcsvc.dll ], Base Address: [0x7DB10000 ], Size: [0x0008C000 ]
Module Name: [ c:\windows\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ c:\windows\system32\WMI.dll ], Base Address: [0x76D30000 ], Size: [0x00004000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ c:\windows\system32\EapolQec.dll ], Base Address: [0x72810000 ], Size: [0x0000B000 ]
Module Name: [ c:\windows\system32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ]
Module Name: [ c:\windows\system32\QUtil.dll ], Base Address: [0x726C0000 ], Size: [0x00016000 ]
Module Name: [ c:\windows\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ]
Module Name: [ c:\windows\system32\dot3api.dll ], Base Address: [0x478C0000 ], Size: [0x0000A000 ]
Module Name: [ c:\windows\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ c:\windows\system32\ESENT.dll ], Base Address: [0x606B0000 ], Size: [0x0010D000 ]
Module Name: [ C:\WINDOWS\System32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ]
Module Name: [ C:\WINDOWS\System32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ]
Module Name: [ C:\WINDOWS\System32\rastls.dll ], Base Address: [0x76B70000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\CRYPTUI.dll ], Base Address: [0x754D0000 ], Size: [0x00080000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\System32\MPRAPI.dll ], Base Address: [0x76D40000 ], Size: [0x00018000 ]
Module Name: [ C:\WINDOWS\System32\ACTIVEDS.dll ], Base Address: [0x77CC0000 ], Size: [0x00032000 ]
Module Name: [ C:\WINDOWS\System32\adsldpc.dll ], Base Address: [0x76E10000 ], Size: [0x00025000 ]
Module Name: [ C:\WINDOWS\System32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\System32\RASAPI32.dll ], Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
Module Name: [ C:\WINDOWS\System32\rasman.dll ], Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\System32\TAPI32.dll ], Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\System32\SCHANNEL.dll ], Base Address: [0x767F0000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\System32\WinSCard.dll ], Base Address: [0x723D0000 ], Size: [0x0001C000 ]
Module Name: [ C:\WINDOWS\System32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\System32\raschap.dll ], Base Address: [0x76BD0000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\msv1_0.dll ], Base Address: [0x77C70000 ], Size: [0x00024000 ]
Module Name: [ c:\windows\system32\schedsvc.dll ], Base Address: [0x77300000 ], Size: [0x00033000 ]
Module Name: [ c:\windows\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\System32\MSIDLE.DLL ], Base Address: [0x74F50000 ], Size: [0x00005000 ]
Module Name: [ c:\windows\system32\audiosrv.dll ], Base Address: [0x708B0000 ], Size: [0x0000D000 ]
Module Name: [ c:\windows\system32\wkssvc.dll ], Base Address: [0x76E40000 ], Size: [0x00023000 ]
Module Name: [ c:\windows\system32\qmgr.dll ], Base Address: [0x5B9F0000 ], Size: [0x0006B000 ]
Module Name: [ C:\WINDOWS\system32\MPR.dll ], Base Address: [0x71B20000 ], Size: [0x00012000 ]
Module Name: [ c:\windows\system32\SHFOLDER.dll ], Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ c:\windows\system32\WINHTTP.dll ], Base Address: [0x4D4F0000 ], Size: [0x00059000 ]
Module Name: [ c:\windows\system32\wuauserv.dll ], Base Address: [0x50000000 ], Size: [0x00005000 ]
Module Name: [ c:\windows\system32\wbem\wmisvc.dll ], Base Address: [0x59490000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\VSSAPI.DLL ], Base Address: [0x753E0000 ], Size: [0x0006D000 ]
Module Name: [ c:\windows\system32\w32time.dll ], Base Address: [0x767C0000 ], Size: [0x0002C000 ]
Module Name: [ c:\windows\system32\trkwks.dll ], Base Address: [0x75070000 ], Size: [0x00019000 ]
Module Name: [ c:\windows\system32\srsvc.dll ], Base Address: [0x751A0000 ], Size: [0x0002E000 ]
Module Name: [ c:\windows\system32\POWRPROF.dll ], Base Address: [0x74AD0000 ], Size: [0x00008000 ]
Module Name: [ c:\windows\system32\seclogon.dll ], Base Address: [0x73D20000 ], Size: [0x00008000 ]
Module Name: [ c:\windows\system32\netman.dll ], Base Address: [0x77D00000 ], Size: [0x00033000 ]
Module Name: [ c:\windows\system32\netshell.dll ], Base Address: [0x76400000 ], Size: [0x001A5000 ]
Module Name: [ c:\windows\system32\credui.dll ], Base Address: [0x76C00000 ], Size: [0x0002E000 ]
Module Name: [ c:\windows\system32\dot3dlg.dll ], Base Address: [0x736D0000 ], Size: [0x00006000 ]
Module Name: [ c:\windows\system32\OneX.DLL ], Base Address: [0x5DCA0000 ], Size: [0x00028000 ]
Module Name: [ c:\windows\system32\eappcfg.dll ], Base Address: [0x745B0000 ], Size: [0x00022000 ]
Module Name: [ c:\windows\system32\eappprxy.dll ], Base Address: [0x5DCD0000 ], Size: [0x0000E000 ]
Module Name: [ c:\windows\system32\WZCSAPI.DLL ], Base Address: [0x73030000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\wuaueng.dll ], Base Address: [0x50040000 ], Size: [0x001AB000 ]
Module Name: [ C:\WINDOWS\System32\WINSPOOL.DRV ], Base Address: [0x73000000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\System32\Cabinet.dll ], Base Address: [0x75150000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\System32\mspatcha.dll ], Base Address: [0x600A0000 ], Size: [0x0000B000 ]
Module Name: [ c:\windows\system32\srvsvc.dll ], Base Address: [0x75090000 ], Size: [0x0001A000 ]
Module Name: [ c:\windows\pchealth\helpctr\binaries\pchsvc.dll ], Base Address: [0x74F40000 ], Size: [0x0000C000 ]
Module Name: [ c:\windows\system32\es.dll ], Base Address: [0x77710000 ], Size: [0x00042000 ]
Module Name: [ c:\windows\system32\ersvc.dll ], Base Address: [0x74F80000 ], Size: [0x00009000 ]
Module Name: [ c:\windows\system32\dmserver.dll ], Base Address: [0x74F90000 ], Size: [0x00009000 ]
Module Name: [ c:\windows\system32\cryptsvc.dll ], Base Address: [0x76CE0000 ], Size: [0x00012000 ]
Module Name: [ c:\windows\system32\certcli.dll ], Base Address: [0x77B90000 ], Size: [0x00032000 ]
Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ]
Module Name: [ C:\WINDOWS\System32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ]
Module Name: [ c:\windows\system32\wscsvc.dll ], Base Address: [0x4C0A0000 ], Size: [0x00017000 ]
Module Name: [ c:\windows\system32\msi.dll ], Base Address: [0x7D1E0000 ], Size: [0x002BC000 ]
Module Name: [ c:\windows\system32\sens.dll ], Base Address: [0x722D0000 ], Size: [0x0000D000 ]
Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\System32\sfc.dll ], Base Address: [0x76BB0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\System32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ]
Module Name: [ c:\windows\system32\browser.dll ], Base Address: [0x76DA0000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wbemcomn.dll ], Base Address: [0x75290000 ], Size: [0x00037000 ]
Module Name: [ C:\WINDOWS\System32\Wbem\wbemcore.dll ], Base Address: [0x762C0000 ], Size: [0x00085000 ]
Module Name: [ C:\WINDOWS\System32\Wbem\esscli.dll ], Base Address: [0x75310000 ], Size: [0x0003F000 ]
Module Name: [ C:\WINDOWS\System32\Wbem\FastProx.dll ], Base Address: [0x75690000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\System32\SXS.DLL ], Base Address: [0x7E720000 ], Size: [0x000B0000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wmiutils.dll ], Base Address: [0x75020000 ], Size: [0x0001B000 ]
Module Name: [ C:\WINDOWS\system32\wbem\repdrvfs.dll ], Base Address: [0x75200000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\comsvcs.dll ], Base Address: [0x76620000 ], Size: [0x0013C000 ]
Module Name: [ C:\WINDOWS\system32\colbact.DLL ], Base Address: [0x75130000 ], Size: [0x00014000 ]
Module Name: [ C:\WINDOWS\system32\MTXCLU.DLL ], Base Address: [0x750F0000 ], Size: [0x00013000 ]
Module Name: [ C:\WINDOWS\system32\WSOCK32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\System32\CLUSAPI.DLL ], Base Address: [0x76D10000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\System32\RESUTILS.DLL ], Base Address: [0x750B0000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wmiprvsd.dll ], Base Address: [0x597F0000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\wbem\wbemess.dll ], Base Address: [0x75390000 ], Size: [0x00046000 ]
Module Name: [ c:\windows\system32\ipnathlp.dll ], Base Address: [0x66460000 ], Size: [0x00055000 ]
Module Name: [ c:\windows\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\wbem\ncprov.dll ], Base Address: [0x5F740000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\System32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\upnp.dll ], Base Address: [0x76DE0000 ], Size: [0x00024000 ]
Module Name: [ C:\WINDOWS\system32\SSDPAPI.dll ], Base Address: [0x74F00000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\System32\RASDLG.dll ], Base Address: [0x768D0000 ], Size: [0x000A4000 ]
Module Name: [ C:\WINDOWS\system32\wups2.dll ], Base Address: [0x50E60000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\msxml3.dll ], Base Address: [0x74980000 ], Size: [0x00113000 ]
Module Name: [ C:\WINDOWS\System32\dssenh.dll ], Base Address: [0x68100000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\dbghelp.dll ], Base Address: [0x59A60000 ], Size: [0x000A1000 ]

[=============================================================================]
9.a) svchost.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Keys Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\UserFaults ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Log File Max Size ], Value: [ 65536 ], 1 time
Key: [ HKLM\Software\Microsoft\WBEM\CIMOM ], Value Name: [ Logging ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\system\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time

[=============================================================================]
9.b) svchost.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\PCHealth\ErrorRep\UserDumps\winlogon.exe.20090702-212019-00.mdmp ]
File Name: [ C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\System32\dimsntfy.dll ]
File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ]
File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ]
File Name: [ C:\WINDOWS\system32\AUTHZ.dll ]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\COMCTL32.dll ]
File Name: [ C:\WINDOWS\system32\CRYPT32.dll ]
File Name: [ C:\WINDOWS\system32\GDI32.dll ]
File Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ]
File Name: [ C:\WINDOWS\system32\MPR.dll ]
File Name: [ C:\WINDOWS\system32\MSASN1.dll ]
File Name: [ C:\WINDOWS\system32\MSGINA.dll ]
File Name: [ C:\WINDOWS\system32\NDdeApi.dll ]
File Name: [ C:\WINDOWS\system32\NETAPI32.dll ]
File Name: [ C:\WINDOWS\system32\ODBC32.dll ]
File Name: [ C:\WINDOWS\system32\PROFMAP.dll ]
File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]
File Name: [ C:\WINDOWS\system32\REGAPI.dll ]
File Name: [ C:\WINDOWS\system32\RPCRT4.dll ]
File Name: [ C:\WINDOWS\system32\SAMLIB.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\SHELL32.dll ]
File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ]
File Name: [ C:\WINDOWS\system32\SHSVCS.dll ]
File Name: [ C:\WINDOWS\system32\Secur32.dll ]
File Name: [ C:\WINDOWS\system32\USER32.dll ]
File Name: [ C:\WINDOWS\system32\USERENV.dll ]
File Name: [ C:\WINDOWS\system32\VERSION.dll ]
File Name: [ C:\WINDOWS\system32\WINMM.dll ]
File Name: [ C:\WINDOWS\system32\WINSCARD.DLL ]
File Name: [ C:\WINDOWS\system32\WINSPOOL.DRV ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WINTRUST.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\WlNotify.dll ]
File Name: [ C:\WINDOWS\system32\comdlg32.dll ]
File Name: [ C:\WINDOWS\system32\cscdll.dll ]
File Name: [ C:\WINDOWS\system32\cscui.dll ]
File Name: [ C:\WINDOWS\system32\dbghelp.dll ]
File Name: [ C:\WINDOWS\system32\iphlpapi.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\msv1_0.dll ]
File Name: [ C:\WINDOWS\system32\msvcrt.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\odbcint.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\rsaenh.dll ]
File Name: [ C:\WINDOWS\system32\sfc.dll ]
File Name: [ C:\WINDOWS\system32\sfc_os.dll ]
File Name: [ C:\WINDOWS\system32\sxs.dll ]
File Name: [ C:\WINDOWS\system32\uxtheme.dll ]
File Name: [ C:\WINDOWS\system32\winlogon.exe ]
File Name: [ C:\WINDOWS\system32\wldap32.dll ]
File Name: [ C:\WINDOWS\system32\xpsp2res.dll ]

[=============================================================================]
9.c) svchost.exe - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\winlogon.exe ]

[=============================================================================]
9.d) svchost.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time

[#############################################################################]
10.
svchost.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: svchost.exe
Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ c:\windows\system32\dnsrslvr.dll ], Base Address: [0x76770000 ], Size: [0x0000D000 ]
Module Name: [ c:\windows\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ]
Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ c:\windows\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ]
Module Name: [ C:\WINDOWS\system32\rsaenh.dll ], Base Address: [0x68000000 ], Size: [0x00036000 ]
Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ]
Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]

[=============================================================================]
10.a) svchost.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time

[=============================================================================]
10.b) svchost.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]

[=============================================================================]
10.c) svchost.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time

[#############################################################################]
11.
svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Explorer.EXE wrote to the virtual memory of this process Filename: svchost.exe Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ 
C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\NTMARTA.DLL ], Base Address: [0x77690000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\SAMLIB.dll ], Base Address: [0x71BF0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x005B0000 ], Size: [0x002C5000 ] Module Name: [ c:\windows\system32\lmhsvc.dll ], Base Address: [0x74C40000 ], Size: [0x00006000 ] Module Name: [ c:\windows\system32\iphlpapi.dll ], Base Address: [0x76D60000 ], Size: [0x00019000 ] Module Name: [ c:\windows\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ c:\windows\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\webclnt.dll ], Base Address: [0x5A6E0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], 
Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\wsock32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ] Module Name: [ c:\windows\system32\regsvc.dll ], Base Address: [0x76AF0000 ], Size: [0x00012000 ] Module Name: [ c:\windows\system32\ssdpsrv.dll ], Base Address: [0x765E0000 ], Size: [0x00014000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ c:\windows\system32\alrsvc.dll ], Base Address: [0x70F80000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] [=============================================================================] 11.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ 
HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 
time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time [=============================================================================] 11.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\ntdll.dll ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ] File Name: [ C:\WINDOWS\system32\WINSTA.dll ] File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ] File Name: [ C:\WINDOWS\system32\faultrep.dll ] File Name: [ C:\WINDOWS\system32\ntdll.dll ] [=============================================================================] 11.c) svchost.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows 
SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time [#############################################################################] 12. spoolsv.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Explorer.EXE wrote to the virtual memory of this process Filename: spoolsv.exe MD5: d8e14a61acc1d4a6cd0d38aebac7fa3b SHA-1: 0e5d1a09a103eae3bd693c7a1c7531fde2e2402b File Size: 57856 Bytes Command Line: C:\WINDOWS\system32\spoolsv.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] 
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\SPOOLSS.DLL ], Base Address: [0x742E0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] Module Name: [ C:\WINDOWS\system32\localspl.dll ], Base Address: [0x75BB0000 ], Size: [0x00056000 ] Module Name: [ C:\WINDOWS\system32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ] Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ] Module Name: [ 
C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ] Module Name: [ C:\WINDOWS\system32\winspool.drv ], Base Address: [0x73000000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\system32\netapi32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\cnbjmon.dll ], Base Address: [0x742A0000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\pjlmon.dll ], Base Address: [0x74280000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\system32\tcpmon.dll ], Base Address: [0x72400000 ], Size: [0x0000E000 ] Module Name: [ C:\WINDOWS\system32\usbmon.dll ], Base Address: [0x723F0000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\system32\win32spl.dll ], Base Address: [0x75C10000 ], Size: [0x00024000 ] Module Name: [ C:\WINDOWS\system32\NETRAP.dll ], Base Address: [0x71C80000 ], Size: [0x00007000 ] Module Name: [ C:\WINDOWS\system32\NTDSAPI.dll ], Base Address: [0x767A0000 ], Size: [0x00013000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x01010000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\inetpp.dll ], Base Address: [0x74300000 ], Size: [0x00015000 ] [=============================================================================] Run-time Dlls 
[=============================================================================] Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] [=============================================================================] 12.a) spoolsv.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ 
Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Print Processors\winprint ], Value Name: [ Driver ], Value: [ localspl.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\BJ Language Monitor ], Value Name: [ Driver ], Value: [ cnbjmon.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\Local Port ], Value Name: [ Driver ], Value: [ localspl.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor ], Value Name: [ Driver ], Value: [ pjlmon.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\PJL Language Monitor ], Value Name: [ EOJTimeout ], Value: [ 60000 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port ], Value Name: [ Driver ], Value: [ tcpmon.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports ], Value Name: [ StatusUpdateEnabled ], Value: [ 1 ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports ], Value Name: [ StatusUpdateInterval ], Value: [ 10 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Monitors\USB Monitor ], Value Name: [ Driver ], Value: [ usbmon.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Providers\Internet Print Provider ], Value Name: [ DisplayName ], Value: [ HTTP Print Services ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Providers\Internet Print Provider ], Value Name: [ Name ], Value: [ inetpp.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services ], Value Name: [ DisplayName ], Value: [ LanMan Print Services ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services ], Value Name: [ Name ], Value: [ win32spl.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\servers ], Value Name: [ addprinterdrivers ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time [=============================================================================] 12.b) spoolsv.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\spoolerlogs\ ] File Name: [ C:\spoolerlogs\spooler.xml ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: 
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\ntdll.dll ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\spoolerlogs\spooler.xml ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directories Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Directory: [ C:\spoolerlogs\ ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINSTA.dll ] File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ] File Name: [ C:\WINDOWS\system32\faultrep.dll ] File Name: [ C:\WINDOWS\system32\ntdll.dll ] [=============================================================================] 12.c) spoolsv.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time [#############################################################################] 13. 
alg.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Explorer.EXE wrote to the virtual memory of this process Filename: alg.exe MD5: 8c515081584a38aa007909cd02020b3d SHA-1: ef5728c819f466bfe56c36bc9db3fac004ef3d50 File Size: 44544 Bytes Command Line: C:\WINDOWS\System32\alg.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\ATL.DLL ], Base Address: [0x76B20000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\System32\WSOCK32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ] Module Name: [ C:\WINDOWS\System32\WS2_32.dll ], Base Address: 
[0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\System32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\System32\MSWSOCK.DLL ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\System32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\System32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\System32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\System32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\System32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\System32\xpsp2res.dll ], Base Address: [0x00600000 ], Size: [0x002C5000 ] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] [=============================================================================] Run-time Dlls 
[=============================================================================] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ] Module Name: [ C:\WINDOWS\System32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\System32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ] Module Name: [ C:\WINDOWS\System32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ] Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ] [=============================================================================] 13.a) alg.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time 
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time

[=============================================================================]
13.b) alg.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\System32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\System32\WINSTA.dll ]
File Name: [ C:\WINDOWS\System32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]

[=============================================================================]
13.c) alg.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time

[#############################################################################]
14. wscntfy.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: wscntfy.exe
MD5: f92e1076c42fcd6db3d72d8cfe9816d5
SHA-1: 549f0a01848375d03159fc74171ed97790fa9650
File Size: 13824 Bytes
Command Line: C:\WINDOWS\system32\wscntfy.exe
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\xpsp2res.dll ], Base Address: [0x007C0000 ], Size: [0x002C5000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\faultrep.dll ], Base Address: [0x69450000 ], Size: [0x00016000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\WTSAPI32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]

[=============================================================================]
14.a) wscntfy.exe - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ AllOrNone ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ DoReport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeKernelFaults ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeMicrosoftApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ IncludeWindowsApps ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\PCHealth\ErrorReporting ], Value Name: [ ShowUI ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Auto ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 2 times
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time
Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time
Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times
Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time

[=============================================================================]
14.b) wscntfy.exe - File Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ec9_appcompat.txt ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Files Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ec9_appcompat.txt ]
File Name: [ PIPE\lsarpc ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\Apphelp.dll ]
File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]
File Name: [ C:\WINDOWS\system32\WININET.dll ]
File Name: [ C:\WINDOWS\system32\WINSTA.dll ]
File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]
File Name: [ C:\WINDOWS\system32\WS2_32.dll ]
File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ]
File Name: [ C:\WINDOWS\system32\advapi32.dll ]
File Name: [ C:\WINDOWS\system32\apphelp.dll ]
File Name: [ C:\WINDOWS\system32\dwwin.exe ]
File Name: [ C:\WINDOWS\system32\faultrep.dll ]
File Name: [ C:\WINDOWS\system32\gdi32.dll ]
File Name: [ C:\WINDOWS\system32\kernel32.dll ]
File Name: [ C:\WINDOWS\system32\ntdll.dll ]
File Name: [ C:\WINDOWS\system32\ole32.dll ]
File Name: [ C:\WINDOWS\system32\oleaut32.dll ]
File Name: [ C:\WINDOWS\system32\shell32.dll ]
File Name: [ C:\WINDOWS\system32\user32.dll ]
File Name: [ C:\WINDOWS\system32\wininet.dll ]
File Name: [ C:\WINDOWS\system32\winsock.dll ]
File Name: [ C:\Windows\AppPatch\sysmain.sdb ]

[=============================================================================]
14.c) wscntfy.exe - Process Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\WINDOWS\system32\dwwin.exe ], Command Line: [ ]
Executable: [ ], Command Line: [ C:\WINDOWS\system32\dwwin.exe -x -s 232 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\WINDOWS\system32\dwwin.exe ]

[=============================================================================]
14.d) wscntfy.exe - Other Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Windows SEH exceptions:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Description: [ Exception 0xc000001e at 0xbaea81a ], 1 time

[#############################################################################]
15. ctfmon.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Explorer.EXE wrote to the virtual memory of this process
Filename: ctfmon.exe
MD5: 5f1d5f88303d4a4dbc8e5f97ba967cc3
SHA-1: 99cb7370f16773c8e2d0c86fe805ec638ab126e9
File Size: 15360 Bytes
Command Line: "C:\WINDOWS\system32\ctfmon.exe"
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\MSUTB.dll ], Base Address: [0x5FC10000 ], Size: [0x00033000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]

[#############################################################################]
16. dwwin.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by wscntfy.exe
Filename: dwwin.exe
MD5: 86042f6f6a5287eaf9379c91d0bf72b6
SHA-1: 532bf74e6aead7438aa7264d01759a065410ee68
File Size: 180224 Bytes
Command Line: C:\WINDOWS\system32\dwwin.exe -x -s 232
Process-status at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.DLL ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\COMCTL32.DLL ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.DLL ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\SHELL32.DLL ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\URLMON.DLL ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WININET.DLL ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ]
Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\1033\dwintl.dll ], Base Address: [0x314C0000 ], Size: [0x0000C000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ], Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\riched20.dll ], Base Address: [0x74E30000 ], Size: [0x0006D000 ]
Module Name: [ C:\WINDOWS\system32\imm32.dll ], Base Address: [0x76390000 ], Size: [0x0001D000 ]
Module Name: [ C:\WINDOWS\system32\shfolder.dll ], Base Address: [0x76780000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ], Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ], Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ], Base Address: [0x76EE0000 ], Size: [0x0003C000 ]

[=============================================================================]
16.a) dwwin.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value
Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Tracing ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion ], Value Name: [ DigitalProductId ], Value: [ 0xa40000000300000037363438372d3634302d313435373233362d32333833 ], 1 time Key: [ 
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug ], Value Name: [ Debugger ], Value: [ drwtsn32 -p %ld -e %ld -g ], 4 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ midimapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.iac2 ], Value: [ C:\WINDOWS\system32\iac25_32.ax ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.imaadpcm ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.l3acm ], Value: [ C:\WINDOWS\system32\l3codeca.acm ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg711 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg723 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msgsm610 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.sl_anet ], Value: [ sl_anet.acm ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.trspch ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.I420 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M261 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M263 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.cvid ], Value: 
[ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv31 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv32 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv41 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv50 ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iyuv ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.mrle ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.msvc ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.uyvy ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yuy2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvu9 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvyu ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ wavemapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 3 times Key: [ 
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Settings ], Value Name: [ Anchor Color ], Value: [ 0,0,255 ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ 
%USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CachePrefix ], Value: [ ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ 
CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times [=============================================================================] 16.b) dwwin.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\847C0.dmp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\system32\wscntfy.exe ] File Name: [ 
PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\847C0.dmp ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ C:\WINDOWS\system32 ], Control Code: [ 0x00090028 ], 1 time File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\847C0.dmp ] File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\1033\dwintl.dll ] File Name: [ C:\WINDOWS\system32\ADVAPI32.dll ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\COMCTL32.DLL ] File Name: [ C:\WINDOWS\system32\CRYPT32.dll ] File Name: [ C:\WINDOWS\system32\GDI32.dll ] File Name: [ C:\WINDOWS\system32\MSACM32.dll ] File Name: [ C:\WINDOWS\system32\MSASN1.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\NETAPI32.dll ] File Name: [ C:\WINDOWS\system32\OLEAUT32.dll ] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ] File Name: [ C:\WINDOWS\system32\RPCRT4.dll ] File Name: [ 
C:\WINDOWS\system32\SETUPAPI.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.DLL ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\SHLWAPI.dll ] File Name: [ C:\WINDOWS\system32\Secur32.dll ] File Name: [ C:\WINDOWS\system32\ShimEng.dll ] File Name: [ C:\WINDOWS\system32\TAPI32.dll ] File Name: [ C:\WINDOWS\system32\URLMON.DLL ] File Name: [ C:\WINDOWS\system32\USER32.dll ] File Name: [ C:\WINDOWS\system32\USERENV.dll ] File Name: [ C:\WINDOWS\system32\UxTheme.dll ] File Name: [ C:\WINDOWS\system32\VERSION.dll ] File Name: [ C:\WINDOWS\system32\WININET.DLL ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINMM.dll ] File Name: [ C:\WINDOWS\system32\WINSTA.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\WTSAPI32.dll ] File Name: [ C:\WINDOWS\system32\faultrep.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\kernel32.dll ] File Name: [ C:\WINDOWS\system32\msvcrt.dll ] File Name: [ C:\WINDOWS\system32\ntdll.dll ] File Name: [ C:\WINDOWS\system32\ole32.dll ] File Name: [ C:\WINDOWS\system32\rasman.dll ] File Name: [ C:\WINDOWS\system32\riched20.dll ] File Name: [ C:\WINDOWS\system32\rtutils.dll ] File Name: [ C:\WINDOWS\system32\sensapi.dll ] File Name: [ C:\WINDOWS\system32\shfolder.dll ] File Name: [ C:\WINDOWS\system32\wscntfy.exe ] File Name: [ C:\WINDOWS\system32\xpsp2res.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 16.c) dwwin.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\WINDOWS\system32\wscntfy.exe ] 
[#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org