Analysis Report for 45653644

Comment on this report

Summary:

Description	Risk
Write to foreign memory areas: This executable tampers with the execution of another process.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
AV Hit: This executable is detected by an antivirus software.
Packed Binary: This executable is protected with a packer in order to prevent it from being reverse engineered.
Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically.
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
Execution did not terminate correctly: The executable crashed.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable creates and/or modifies registry entries.

Table of Contents
expand all	collapse all
General information 45653644.exe C:\45653644.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities 45653644.exe C:\45653644.exe Started by 45653644.exe General Information a) Registry Activities b) File Activities c) Process Activities Explorer.EXE C:\WINDOWS\Explorer.EXE 45653644.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities c) Process Activities d) Network Activities e) Other Activities 8660749.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe Started by Explorer.EXE General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities 8660749.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe Started by 8660749.exe General Information a) Registry Activities b) File Activities c) Process Activities Nbawaj.exe C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe Started by 8660749.exe General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities Nbawaj.exe C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe Started by Nbawaj.exe General Information a) Registry Activities b) File Activities c) Process Activities System System Nbawaj.exe wrote to the virtual memory of this process General Information smss.exe smss.exe Nbawaj.exe wrote to the virtual memory of this process General Information csrss.exe \??\C:\WINDOWS\system32\csrss.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities c) Process Activities d) Other Activities winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) File Activities services.exe C:\WINDOWS\system32\services.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) Registry Activities b) File Activities svchost.exe C:\WINDOWS\system32\svchost.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) File Activities svchost.exe C:\WINDOWS\system32\svchost.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) File Activities svchost.exe C:\WINDOWS\System32\svchost.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) File Activities svchost.exe C:\WINDOWS\system32\svchost.exe Nbawaj.exe wrote to the virtual memory of this process General Information svchost.exe C:\WINDOWS\system32\svchost.exe Nbawaj.exe wrote to the virtual memory of this process General Information spoolsv.exe C:\WINDOWS\system32\spoolsv.exe Nbawaj.exe wrote to the virtual memory of this process General Information a) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	264 s
Report created:	04/21/11, 18:23:03 UTC
Termination reason:	Timeout
Program version:	1.75.3394

2. 45653644.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	45653644.exe
Command Line:	"C:\45653644.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVBVM60.DLL	0x73420000	0x00153000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000

2.a) 45653644.exe - Registry Activities

	- Registry Keys Created:

HKU\S-1-5-21-842925246-1425521274-308236825-500\\\

HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	932	c_932.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	936	c_936.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	949	c_949.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	950	c_950.nls	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1

2.b) 45653644.exe - File Activities

	- Files Read:

C:\45653644.exe

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\45653644.exe

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVBVM60.DLL

C:\WINDOWS\system32\SXS.DLL

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\rpcss.dll

2.c) 45653644.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\45653644.exe
	C:\45653644.exe

	- Remote Threads Created:

Affected Process

C:\45653644.exe

	- Foreign Memory Regions Read:

Process: C:\45653644.exe

	- Foreign Memory Regions Written:

Process: C:\45653644.exe

2.d) 45653644.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x406137	1
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x0	1
Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb	2

3. 45653644.exe

	- General information about this executable

Analysis Reason:	Started by 45653644.exe
Filename:	45653644.exe
MD5:	80ab9b04e9814bac526e126da1ea224a
SHA-1:	17a96f494708cbc521deb56a8fe39b97e892dec3
File Size:	114688 Bytes
Command Line:	C:\45653644.exe
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000

	- SigBuster Output

PEtite v2.x SN:1017

	- Ikarus Virus Scanner

Win32.Worm.Rimecud (Sig-Id:1425581)

3.a) 45653644.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\System\CurrentControlSet\Control\Terminal Server	TSAppCompat	0	1

3.b) 45653644.exe - File Activities

	- Files Read:

C:\45653644.exe

	- File System Control Communication:

File	Control Code	Times
C:\Program Files\Common Files\	0x00090028	1

3.c) 45653644.exe - Process Activities

	- Remote Threads Created:

Affected Process

C:\WINDOWS\explorer.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\explorer.exe

4. Explorer.EXE

	- General information about this executable

Analysis Reason:	45653644.exe wrote to the virtual memory of this process
Filename:	Explorer.EXE
Command Line:	C:\WINDOWS\Explorer.EXE
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\BROWSEUI.dll	0x75F80000	0x000FD000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\SHDOCVW.dll	0x7E290000	0x00171000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\appHelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\System32\CSCDLL.dll	0x76600000	0x0001D000
C:\WINDOWS\system32\themeui.dll	0x5BA60000	0x00071000
C:\WINDOWS\system32\MSIMG32.dll	0x76380000	0x00005000
C:\WINDOWS\system32\xpsp2res.dll	0x00AC0000	0x002C5000
C:\WINDOWS\system32\actxprxy.dll	0x71D40000	0x0001B000
C:\WINDOWS\system32\msutb.dll	0x5FC10000	0x00033000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\urlmon.dll	0x7E1E0000	0x000A2000
C:\WINDOWS\system32\LINKINFO.dll	0x76980000	0x00008000
C:\WINDOWS\system32\ntshrui.dll	0x76990000	0x00025000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\webcheck.dll	0x74B30000	0x00046000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\stobject.dll	0x76280000	0x00021000
C:\WINDOWS\system32\BatMeter.dll	0x74AF0000	0x0000A000
C:\WINDOWS\system32\POWRPROF.dll	0x74AD0000	0x00008000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\NETSHELL.dll	0x76400000	0x001A5000
C:\WINDOWS\system32\credui.dll	0x76C00000	0x0002E000
C:\WINDOWS\system32\dot3api.dll	0x478C0000	0x0000A000
C:\WINDOWS\system32\rtutils.dll	0x76E80000	0x0000E000
C:\WINDOWS\system32\dot3dlg.dll	0x736D0000	0x00006000
C:\WINDOWS\system32\OneX.DLL	0x5DCA0000	0x00028000
C:\WINDOWS\system32\eappcfg.dll	0x745B0000	0x00022000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\eappprxy.dll	0x5DCD0000	0x0000E000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\System32\drprov.dll	0x75F60000	0x00007000
C:\WINDOWS\System32\ntlanman.dll	0x71C10000	0x0000E000
C:\WINDOWS\System32\NETUI0.dll	0x71CD0000	0x00017000
C:\WINDOWS\System32\NETUI1.dll	0x71C90000	0x00040000
C:\WINDOWS\System32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\System32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\System32\davclnt.dll	0x75F70000	0x0000A000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\odbcint.dll	0x01350000	0x00017000
C:\WINDOWS\system32\browselc.dll	0x71600000	0x00012000
C:\WINDOWS\system32\shdoclc.dll	0x71800000	0x00088000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\sensapi.dll	0x722B0000	0x00005000
C:\WINDOWS\system32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\system32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL	0x76EE0000	0x0003C000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000

4.a) Explorer.EXE - Registry Activities

	- Registry Values Deleted:

Key	Name
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Taskman

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Taskman	C:\Documents and Settings\Administrator\Application Data\bdepdf.exe
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Common AppData	C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000001600000001000000000000000000000000000000040000000000

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	ConsoleTracingMask	4294901760	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	EnableConsoleTracing	0	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	EnableFileTracing	0	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	FileDirectory	%windir%\tracing	2
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	FileTracingMask	4294901760	1
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	MaxFileSize	1048576	1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	Taskman	C:\Documents and Settings\Administrator\Application Data\bdepdf.exe	34
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UrlEncoding	0x00000000	2
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters	Transports	0x5400630070006900700000004e0065007400420049004f00530000000000	2
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING	Explorer.EXE	1	1
HKLM\Software\Microsoft\Tracing\RASAPI32	ConsoleTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableConsoleTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	EnableFileTracing	0	2
HKLM\Software\Microsoft\Tracing\RASAPI32	FileDirectory	%windir%\tracing	4
HKLM\Software\Microsoft\Tracing\RASAPI32	FileTracingMask	4294901760	2
HKLM\Software\Microsoft\Tracing\RASAPI32	MaxFileSize	1048576	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	AllUsersProfile	All Users	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	DefaultUserProfile	Default User	2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList	ProfilesDirectory	%SystemDrive%\Documents and Settings	4
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500	ProfileImagePath	%SystemDrive%\Documents and Settings\Administrator	2
HKLM\Software\Microsoft\Windows\CurrentVersion	CommonFilesDir	C:\Program Files\Common Files	2
HKLM\Software\Microsoft\Windows\CurrentVersion	ProgramFilesDir	C:\Program Files	2
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	Common AppData	%ALLUSERSPROFILE%\Application Data	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	2
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	ComSpec	%SystemRoot%\system32\cmd.exe	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	FP_NO_HOST_CHECK	NO	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	NUMBER_OF_PROCESSORS	1	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	OS	Windows_NT	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PATHEXT	.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_ARCHITECTURE	x86	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_IDENTIFIER	x86 Family 6 Model 3 Stepping 3, GenuineIntel	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_LEVEL	6	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	PROCESSOR_REVISION	0303	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	Path	%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TEMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	TMP	%SystemRoot%\TEMP	4
HKLM\System\CurrentControlSet\Control\Session Manager\Environment	windir	%SystemRoot%	4
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Domain		6
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	Hostname	pc	6
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters	UseDomainNameDevolution	0	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	HelperDllName	%SystemRoot%\System32\wshtcpip.dll	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	Mapping	0x0b0000000300000002000000010000000600000002000000010000000000	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MaxSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	MinSockaddrLength	16	1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock	UseDelayedAcceptance	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters	WinSock_Registry_Version	2.0	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Num_Catalog_Entries	3	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	Serial_Access_Num	4	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	DisplayString	Tcpip	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	ProviderId	0x409d05229e7ecf11ae5a00aa00a7112b	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	SupportedNameSpace	12	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	DisplayString	NTDS	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	LibraryPath	%SystemRoot%\System32\winrnr.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	ProviderId	0xee37263b80e5cf11a55500c04fd8d4ac	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	SupportedNameSpace	32	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	DisplayString	Network Location Awareness (NLA) Namespace	4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Enabled	1	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	LibraryPath	%SystemRoot%\System32\mswsock.dll	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	ProviderId	0x3a244266a83ba64abaa52e0bd71fdd83	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	StoresServiceClassInfo	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	SupportedNameSpace	15	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003	Version	0	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Next_Catalog_Entry_ID	1020	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Num_Catalog_Entries	13	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	Serial_Access_Num	6	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005	PackedCatalogItem	%SystemRoot%\system32\rsvpsp.d	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013	PackedCatalogItem	%SystemRoot%\system32\mswsock.	1
HKLM\System\Setup	SystemSetupInProgress	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TEMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment	TMP	%USERPROFILE%\Local Settings\Temp	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	EnableNegotiate	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	MimeExclusionListForCache	multipart/mixed multipart/x-mixed-replace multipart/x-byteranges	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS	WarnOnPost	0x01000000	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	EnableHttp1_1	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon	ParseAutoexec	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IntranetName	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ProxyBypass	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\	http	3	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3	1A10	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	MigrateProxy	1	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings	ProxyEnable	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	DefaultConnectionSettings	0x3c0000000300000001000000000000000000000000000000040000000000	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	SavedLegacySettings	0x3c0000001500000001000000000000000000000000000000040000000000	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	APPDATA	C:\Documents and Settings\Administrator\Application Data	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	CLIENTNAME	Console	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEDRIVE	C:	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMEPATH	\Documents and Settings\Administrator	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	HOMESHARE		4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	LOGONSERVER	\\PC	4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment	SESSIONNAME	Console	4

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\SOFTWARE\MICROSOFT\TRACING\NETSHELL	0	Attributes Change,Value Change,Security Descriptor Change	1
HKLM\Software\Microsoft\Tracing\RASAPI32	0	Attributes Change,Value Change,Security Descriptor Change	2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5	0	Key Change	1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9	0	Key Change	1

4.b) Explorer.EXE - File Activities

	- Files Deleted:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

C:\Documents and Settings\Administrator\Application Data\bdepdf.exe

	- Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

C:\Documents and Settings\Administrator\Application Data\bdepdf.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\103ff[1].exe

\Device\NamedPipe\Win32Pipes.0000055c.00000001

pipe\gtsvondykifhnj

pipe\ysnjslwwmqakdm

	- Files Read:

PIPE\lsarpc

\Device\NamedPipe\Win32Pipes.0000055c.00000001

c:\autoexec.bat

	- Files Modified:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

C:\Documents and Settings\Administrator\Application Data\bdepdf.exe

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\103ff[1].exe

PIPE\lsarpc

\Device\Afd\Endpoint

\Device\NamedPipe\Win32Pipes.0000055c.00000001

\Device\RasAcd

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	16

	- Device Control Communication:

File	Control Code	Times
\Device\Afd\Endpoint	AFD_GET_INFO (0x0001207B)	2
\Device\Afd\Endpoint	AFD_SET_CONTEXT (0x00012047)	10
\Device\Afd\Endpoint	AFD_SET_INFO (0x0001203B)	2
\Device\RasAcd	0x00F14014	2
\Device\Afd\Endpoint	AFD_GET_TDI_HANDLES (0x00012037)	5
\Device\Afd\Endpoint	AFD_BIND (0x00012003)	2
\Device\Afd\Endpoint	AFD_GET_SOCK_NAME (0x0001202F)	2
\Device\Afd\Endpoint	AFD_SEND_DATAGRAM (0x00012023)	8
\Device\Afd\Endpoint	AFD_RECV_DATAGRAM (0x0001201B)	5
\Device\Afd\Endpoint	AFD_CONNECT (0x00012007)	1
unnamed file	0x00120028	1
\Device\Afd\Endpoint	AFD_SEND (0x0001201F)	1
\Device\Afd\Endpoint	AFD_RECV (0x00012017)	113

	- Memory Mapped Files:

File Name

C:\45653644.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

C:\WINDOWS\System32\winrnr.dll

C:\WINDOWS\System32\wshtcpip.dll

C:\WINDOWS\system32\DNSAPI.dll

C:\WINDOWS\system32\RASAPI32.DLL

C:\WINDOWS\system32\TAPI32.dll

C:\WINDOWS\system32\hnetcfg.dll

C:\WINDOWS\system32\mswsock.dll

C:\WINDOWS\system32\rasadhlp.dll

C:\WINDOWS\system32\rasman.dll

C:\WINDOWS\system32\sensapi.dll

C:\Windows\AppPatch\sysmain.sdb

4.c) Explorer.EXE - Process Activities

	- Processes Created:

Executable	Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe
	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Remote Threads Created:

Affected Process

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Foreign Memory Regions Written:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

4.d) Explorer.EXE - Network Activity

	- DNS Queries:

Name	Query Type	Query Result	Successful	Protocol
servicio-fisico.info	DNS_TYPE_A	46.166.129.253	YES	udp
www.euronautik.hr	DNS_TYPE_A	67.18.185.178	YES	udp

	- HTTP Conversations:

From ANUBIS:1029 to 67.18.185.178:80 - [www.euronautik.hr]
Request: GET /files/news_it/downloads/103ff.exe
Response: 200 "OK"

	- Unknown UDP Traffic:

from ANUBIS:1028 to 46.166.129.253:23556

State: Normal establishment and termination - Transferred outbound Bytes: 94 - Transferred inbound Bytes: 1873

4.e) Explorer.EXE - Other Activities

	- Mutexes Created:

aaaa+47

	- Keyboard Keys Monitored:

Virtual Key Code	Times
VK_LBUTTON (1)	130

5. 8660749.exe

	- General information about this executable

Analysis Reason:	Started by Explorer.EXE
Filename:	8660749.exe
Command Line:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVBVM60.DLL	0x73420000	0x00153000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000

5.a) 8660749.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	932	c_932.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	936	c_936.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	949	c_949.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	950	c_950.nls	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1

5.b) 8660749.exe - File Activities

	- Files Read:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- File System Control Communication:

File	Control Code	Times
C:\Documents and Settings\Administrator\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVBVM60.DLL

C:\WINDOWS\system32\SXS.DLL

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\rpcss.dll

C:\Windows\AppPatch\sysmain.sdb

5.c) 8660749.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe
	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Remote Threads Created:

Affected Process

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Foreign Memory Regions Read:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Foreign Memory Regions Written:

Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

5.d) 8660749.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

	- Windows SEH exceptions:

Description	Times
Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb	2

6. 8660749.exe

	- General information about this executable

Analysis Reason:	Started by 8660749.exe
Filename:	8660749.exe
Command Line:	C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

6.a) 8660749.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run	Nbawaj	C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1

6.b) 8660749.exe - File Activities

	- Files Created:

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Files Read:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

	- Files Modified:

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- File System Control Communication:

File	Control Code	Times
C:\Documents and Settings\Administrator\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
C:	0x002D1400	1

	- Memory Mapped Files:

File Name

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\8660749.exe

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\comctl32.dll

C:\Windows\AppPatch\sysmain.sdb

6.c) 8660749.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe
C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Remote Threads Created:

Affected Process

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

C:\WINDOWS\explorer.exe

	- Foreign Memory Regions Read:

Process: C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Foreign Memory Regions Written:

Process: C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

Process: C:\WINDOWS\explorer.exe

7. Nbawaj.exe

	- General information about this executable

Analysis Reason:	Started by 8660749.exe
Filename:	Nbawaj.exe
Command Line:	"C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVBVM60.DLL	0x73420000	0x00153000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\SXS.DLL	0x7E720000	0x000B0000

7.a) Nbawaj.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	932	c_932.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	936	c_936.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	949	c_949.nls	1
HKLM\System\CurrentControlSet\Control\Nls\Codepage	950	c_950.nls	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Language Hotkey	1	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle	Layout Hotkey	2	2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files	1

7.b) Nbawaj.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- File System Control Communication:

File	Control Code	Times
C:\Documents and Settings\Administrator\	0x00090028	1

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	8

	- Memory Mapped Files:

File Name

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVBVM60.DLL

C:\WINDOWS\system32\SXS.DLL

C:\WINDOWS\system32\imm32.dll

C:\WINDOWS\system32\rpcss.dll

7.c) Nbawaj.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe
	C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Remote Threads Created:

Affected Process

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Foreign Memory Regions Read:

Process: C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

	- Foreign Memory Regions Written:

Process: C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

7.d) Nbawaj.exe - Other Activities

	- Mutexes Created:

CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500

CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500

	- Windows SEH exceptions:

Description	Times
Exception 0xc000008f (STATUS_FLOAT_INEXACT_RESULT) at 0x7c812aeb	2

8. Nbawaj.exe

	- General information about this executable

Analysis Reason:	Started by Nbawaj.exe
Filename:	Nbawaj.exe
Command Line:	"C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe"
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

8.a) Nbawaj.exe - Registry Activities

	- Registry Values Modified:

Key	Name	New Value
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	AppData	C:\Documents and Settings\Administrator\Application Data

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1
HKLM\System\CurrentControlSet\Control\Terminal Server	TSUserEnabled	0	1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	AppData	%USERPROFILE%\Application Data	1

8.b) Nbawaj.exe - File Activities

	- Files Read:

C:\Documents and Settings\Administrator\Application Data\Nbawaj.exe

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
C:\Documents and Settings\Administrator\	0x00090028	1
PIPE\lsarpc	0x0011C017	3

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
C:	0x002D1400	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\comctl32.dll

8.c) Nbawaj.exe - Process Activities

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

	- Foreign Memory Regions Written:

Process:

Process: C:\WINDOWS\explorer.exe

Process: C:\WINDOWS\system32\csrss.exe

Process: C:\WINDOWS\system32\services.exe

Process: C:\WINDOWS\system32\smss.exe

Process: C:\WINDOWS\system32\spoolsv.exe

Process: C:\WINDOWS\system32\svchost.exe

Process: C:\WINDOWS\system32\winlogon.exe

9. System

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	System
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000

10. smss.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	smss.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000

11. csrss.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	csrss.exe
Command Line:	C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\CSRSRV.dll	0x75B40000	0x0000B000
C:\WINDOWS\system32\basesrv.dll	0x75B50000	0x00010000
C:\WINDOWS\system32\winsrv.dll	0x75B60000	0x0004B000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\KERNEL32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\sxs.dll	0x7E720000	0x000B0000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

11.a) csrss.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\SETUP	SystemSetupInProgress	0	35
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	ComputerName	PC	1

11.b) csrss.exe - File Activities

	- Files Read:

C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest

C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\WS2HELP.dll

C:\WINDOWS\system32\WS2_32.dll

C:\WINDOWS\system32\comctl32.dll

11.c) csrss.exe - Process Activities

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\services.exe

Process: C:\WINDOWS\system32\spoolsv.exe

Process: C:\WINDOWS\system32\svchost.exe

Process: C:\WINDOWS\system32\winlogon.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\services.exe

Process: C:\WINDOWS\system32\spoolsv.exe

Process: C:\WINDOWS\system32\svchost.exe

Process: C:\WINDOWS\system32\winlogon.exe

11.d) csrss.exe - Other Activities

	- Mutexes Created:

EvaNz-Mutex

	- Windows SEH exceptions:

Description	Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x75b5a71a	3

12. winlogon.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	winlogon.exe
Command Line:	winlogon.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\NDdeApi.dll	0x75940000	0x00008000
C:\WINDOWS\system32\PROFMAP.dll	0x75930000	0x0000A000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\REGAPI.dll	0x76BC0000	0x0000F000
C:\WINDOWS\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\MSGINA.dll	0x75970000	0x000F8000
C:\WINDOWS\system32\COMCTL32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\ODBC32.dll	0x74320000	0x0003D000
C:\WINDOWS\system32\comdlg32.dll	0x763B0000	0x00049000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\odbcint.dll	0x00930000	0x00017000
C:\WINDOWS\system32\SHSVCS.dll	0x776E0000	0x00023000
C:\WINDOWS\system32\sfc.dll	0x76BB0000	0x00005000
C:\WINDOWS\system32\sfc_os.dll	0x76C60000	0x0002A000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\WINSCARD.DLL	0x723D0000	0x0001C000
C:\WINDOWS\system32\WTSAPI32.dll	0x76F50000	0x00008000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\uxtheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\cscdll.dll	0x76600000	0x0001D000
C:\WINDOWS\System32\dimsntfy.dll	0x47020000	0x00008000
C:\WINDOWS\system32\WlNotify.dll	0x75950000	0x0001A000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
C:\WINDOWS\system32\WINSPOOL.DRV	0x73000000	0x00026000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\sxs.dll	0x7E720000	0x000B0000
C:\WINDOWS\system32\msv1_0.dll	0x77C70000	0x00024000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\wldap32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\cscui.dll	0x77A20000	0x00054000
C:\WINDOWS\system32\xpsp2res.dll	0x01760000	0x002C5000
C:\WINDOWS\system32\NTMARTA.DLL	0x77690000	0x00021000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000

12.a) winlogon.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\WININET.dll

13. services.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	services.exe
Command Line:	C:\WINDOWS\system32\services.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\SCESRV.dll	0x7DBD0000	0x00051000
C:\WINDOWS\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\umpnpmgr.dll	0x7DBA0000	0x00021000
C:\WINDOWS\system32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcAdProc.dll	0x47260000	0x0000F000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\eventlog.dll	0x77B70000	0x00011000
C:\WINDOWS\system32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\wtsapi32.dll	0x76F50000	0x00008000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000

13.a) services.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\Setup	SystemSetupInProgress	0	1

13.b) services.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\system32\SHELL32.dll

C:\WINDOWS\system32\WININET.dll

C:\WINDOWS\system32\comctl32.dll

14. svchost.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	svchost.exe
Command Line:	C:\WINDOWS\system32\svchost -k DcomLaunch
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\NTMARTA.DLL	0x77690000	0x00021000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
c:\windows\system32\rpcss.dll	0x76A80000	0x00064000
c:\windows\system32\WS2_32.dll	0x71AB0000	0x00017000
c:\windows\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\xpsp2res.dll	0x005F0000	0x002C5000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
c:\windows\system32\termsrv.dll	0x760F0000	0x00053000
c:\windows\system32\ICAAPI.dll	0x74F70000	0x00006000
c:\windows\system32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
c:\windows\system32\AUTHZ.dll	0x776C0000	0x00012000
c:\windows\system32\mstlsapi.dll	0x75110000	0x0001F000
c:\windows\system32\ACTIVEDS.dll	0x77CC0000	0x00032000
c:\windows\system32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
c:\windows\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\REGAPI.dll	0x76BC0000	0x0000F000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000

14.a) svchost.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\WININET.dll

15. svchost.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	svchost.exe
Command Line:	C:\WINDOWS\system32\svchost -k rpcss
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
c:\windows\system32\rpcss.dll	0x76A80000	0x00064000
c:\windows\system32\WS2_32.dll	0x71AB0000	0x00017000
c:\windows\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\xpsp2res.dll	0x005F0000	0x002C5000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000

15.a) svchost.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	1

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\WININET.dll

16. svchost.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	svchost.exe
Command Line:	C:\WINDOWS\System32\svchost.exe -k netsvcs
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\System32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\System32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\System32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\System32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\System32\NTMARTA.DLL	0x77690000	0x00021000
C:\WINDOWS\System32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\System32\xpsp2res.dll	0x005B0000	0x002C5000
c:\windows\system32\shsvcs.dll	0x776E0000	0x00023000
C:\WINDOWS\System32\WINSTA.dll	0x76360000	0x00010000
C:\WINDOWS\system32\NETAPI32.dll	0x5B860000	0x00055000
C:\WINDOWS\System32\rsaenh.dll	0x68000000	0x00036000
c:\windows\system32\dhcpcsvc.dll	0x7D4B0000	0x00022000
c:\windows\system32\DNSAPI.dll	0x76F20000	0x00027000
c:\windows\system32\WS2_32.dll	0x71AB0000	0x00017000
c:\windows\system32\WS2HELP.dll	0x71AA0000	0x00008000
c:\windows\system32\iphlpapi.dll	0x76D60000	0x00019000
c:\windows\system32\wzcsvc.dll	0x7DB10000	0x0008C000
c:\windows\system32\rtutils.dll	0x76E80000	0x0000E000
c:\windows\system32\WMI.dll	0x76D30000	0x00004000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
c:\windows\system32\EapolQec.dll	0x72810000	0x0000B000
c:\windows\system32\ATL.DLL	0x76B20000	0x00011000
c:\windows\system32\QUtil.dll	0x726C0000	0x00016000
c:\windows\system32\MSVCP60.dll	0x76080000	0x00065000
c:\windows\system32\dot3api.dll	0x478C0000	0x0000A000
c:\windows\system32\WTSAPI32.dll	0x76F50000	0x00008000
c:\windows\system32\ESENT.dll	0x606B0000	0x0010D000
C:\WINDOWS\System32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\System32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\System32\rastls.dll	0x76B70000	0x00027000
C:\WINDOWS\system32\CRYPTUI.dll	0x754D0000	0x00080000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\System32\MPRAPI.dll	0x76D40000	0x00018000
C:\WINDOWS\System32\ACTIVEDS.dll	0x77CC0000	0x00032000
C:\WINDOWS\System32\adsldpc.dll	0x76E10000	0x00025000
C:\WINDOWS\System32\SETUPAPI.dll	0x77920000	0x000F3000
C:\WINDOWS\System32\RASAPI32.dll	0x76EE0000	0x0003C000
C:\WINDOWS\System32\rasman.dll	0x76E90000	0x00012000
C:\WINDOWS\System32\TAPI32.dll	0x76EB0000	0x0002F000
C:\WINDOWS\System32\SCHANNEL.dll	0x767F0000	0x00027000
C:\WINDOWS\System32\WinSCard.dll	0x723D0000	0x0001C000
C:\WINDOWS\System32\PSAPI.DLL	0x76BF0000	0x0000B000
C:\WINDOWS\System32\raschap.dll	0x76BD0000	0x00016000
C:\WINDOWS\system32\msv1_0.dll	0x77C70000	0x00024000
c:\windows\system32\schedsvc.dll	0x77300000	0x00033000
c:\windows\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\System32\MSIDLE.DLL	0x74F50000	0x00005000
c:\windows\system32\audiosrv.dll	0x708B0000	0x0000D000
c:\windows\system32\wkssvc.dll	0x76E40000	0x00023000
c:\windows\system32\qmgr.dll	0x5B9F0000	0x0006B000
C:\WINDOWS\system32\MPR.dll	0x71B20000	0x00012000
c:\windows\system32\SHFOLDER.dll	0x76780000	0x00009000
c:\windows\system32\WINHTTP.dll	0x4D4F0000	0x00059000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000
c:\windows\system32\cryptsvc.dll	0x76CE0000	0x00012000
c:\windows\system32\certcli.dll	0x77B90000	0x00032000
c:\windows\system32\dmserver.dll	0x74F90000	0x00009000
c:\windows\system32\ersvc.dll	0x74F80000	0x00009000
c:\windows\system32\es.dll	0x77710000	0x00042000
c:\windows\pchealth\helpctr\binaries\pchsvc.dll	0x74F40000	0x0000C000
c:\windows\system32\srvsvc.dll	0x75090000	0x0001A000
c:\windows\system32\netman.dll	0x77D00000	0x00033000
c:\windows\system32\netshell.dll	0x76400000	0x001A5000
c:\windows\system32\credui.dll	0x76C00000	0x0002E000
c:\windows\system32\dot3dlg.dll	0x736D0000	0x00006000
c:\windows\system32\OneX.DLL	0x5DCA0000	0x00028000
c:\windows\system32\eappcfg.dll	0x745B0000	0x00022000
c:\windows\system32\eappprxy.dll	0x5DCD0000	0x0000E000
c:\windows\system32\WZCSAPI.DLL	0x73030000	0x00010000
c:\windows\system32\srsvc.dll	0x751A0000	0x0002E000
c:\windows\system32\POWRPROF.dll	0x74AD0000	0x00008000
c:\windows\system32\sens.dll	0x722D0000	0x0000D000
c:\windows\system32\seclogon.dll	0x73D20000	0x00008000
c:\windows\system32\trkwks.dll	0x75070000	0x00019000
c:\windows\system32\w32time.dll	0x767C0000	0x0002C000
c:\windows\system32\wbem\wmisvc.dll	0x59490000	0x00028000
C:\WINDOWS\system32\VSSAPI.DLL	0x753E0000	0x0006D000
c:\windows\system32\wuauserv.dll	0x50000000	0x00005000
C:\WINDOWS\system32\wuaueng.dll	0x50040000	0x001D9000
C:\WINDOWS\System32\WINSPOOL.DRV	0x73000000	0x00026000
C:\WINDOWS\System32\Cabinet.dll	0x75150000	0x00013000
C:\WINDOWS\System32\mspatcha.dll	0x600A0000	0x0000B000
c:\windows\system32\wscsvc.dll	0x4C0A0000	0x00017000
c:\windows\system32\msi.dll	0x7D1E0000	0x002BC000
C:\WINDOWS\system32\wbem\wbemcomn.dll	0x75290000	0x00037000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\System32\rasadhlp.dll	0x76FC0000	0x00006000
C:\WINDOWS\System32\sfc.dll	0x76BB0000	0x00005000
C:\WINDOWS\System32\sfc_os.dll	0x76C60000	0x0002A000
c:\windows\system32\browser.dll	0x76DA0000	0x00016000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\System32\SXS.DLL	0x7E720000	0x000B0000
C:\WINDOWS\system32\comsvcs.dll	0x76620000	0x0013C000
C:\WINDOWS\system32\colbact.DLL	0x75130000	0x00014000
C:\WINDOWS\system32\MTXCLU.DLL	0x750F0000	0x00013000
C:\WINDOWS\system32\WSOCK32.dll	0x71AD0000	0x00009000
C:\WINDOWS\System32\CLUSAPI.DLL	0x76D10000	0x00012000
C:\WINDOWS\System32\RESUTILS.DLL	0x750B0000	0x00012000
c:\windows\system32\ipnathlp.dll	0x66460000	0x00055000
c:\windows\system32\AUTHZ.dll	0x776C0000	0x00012000
C:\WINDOWS\system32\upnp.dll	0x76DE0000	0x00024000
C:\WINDOWS\system32\SSDPAPI.dll	0x74F00000	0x0000C000
C:\WINDOWS\System32\Wbem\wbemcore.dll	0x762C0000	0x00085000
C:\WINDOWS\System32\Wbem\esscli.dll	0x75310000	0x0003F000
C:\WINDOWS\System32\Wbem\FastProx.dll	0x75690000	0x00076000
C:\WINDOWS\system32\wbem\wbemsvc.dll	0x74ED0000	0x0000E000
C:\WINDOWS\system32\wbem\wmiutils.dll	0x75020000	0x0001B000
C:\WINDOWS\system32\wbem\repdrvfs.dll	0x75200000	0x0002F000
C:\WINDOWS\system32\wbem\wmiprvsd.dll	0x597F0000	0x0006D000
C:\WINDOWS\system32\NCObjAPI.DLL	0x5F770000	0x0000C000
C:\WINDOWS\system32\wbem\wbemess.dll	0x75390000	0x00046000
C:\WINDOWS\system32\wups2.dll	0x50F00000	0x0000D000
C:\WINDOWS\system32\wbem\ncprov.dll	0x5F740000	0x0000E000
C:\WINDOWS\System32\RASDLG.dll	0x768D0000	0x000A4000
C:\WINDOWS\System32\dssenh.dll	0x68100000	0x00026000
C:\WINDOWS\system32\wuapi.dll	0x506A0000	0x0008E000

16.a) svchost.exe - File Activities

	- Files Read:

PIPE\lsarpc

	- Files Modified:

PIPE\lsarpc

	- File System Control Communication:

File	Control Code	Times
PIPE\lsarpc	0x0011C017	3

17. svchost.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	svchost.exe
Command Line:	C:\WINDOWS\system32\svchost.exe -k NetworkService
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
c:\windows\system32\dnsrslvr.dll	0x76770000	0x0000D000
c:\windows\system32\DNSAPI.dll	0x76F20000	0x00027000
c:\windows\system32\WS2_32.dll	0x71AB0000	0x00017000
c:\windows\system32\WS2HELP.dll	0x71AA0000	0x00008000
c:\windows\system32\iphlpapi.dll	0x76D60000	0x00019000
C:\WINDOWS\system32\rsaenh.dll	0x68000000	0x00036000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000

18. svchost.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	svchost.exe
Command Line:	C:\WINDOWS\system32\svchost.exe -k LocalService
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\NTMARTA.DLL	0x77690000	0x00021000
C:\WINDOWS\system32\SAMLIB.dll	0x71BF0000	0x00013000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\xpsp2res.dll	0x005B0000	0x002C5000
c:\windows\system32\lmhsvc.dll	0x74C40000	0x00006000
c:\windows\system32\iphlpapi.dll	0x76D60000	0x00019000
c:\windows\system32\WS2_32.dll	0x71AB0000	0x00017000
c:\windows\system32\WS2HELP.dll	0x71AA0000	0x00008000
c:\windows\system32\webclnt.dll	0x5A6E0000	0x00015000
C:\WINDOWS\system32\WININET.dll	0x771B0000	0x000AA000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\wsock32.dll	0x71AD0000	0x00009000
c:\windows\system32\regsvc.dll	0x76AF0000	0x00012000
c:\windows\system32\ssdpsrv.dll	0x765E0000	0x00014000
C:\WINDOWS\system32\hnetcfg.dll	0x662B0000	0x00058000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\wshtcpip.dll	0x71A90000	0x00008000

19. spoolsv.exe

	- General information about this executable

Analysis Reason:	Nbawaj.exe wrote to the virtual memory of this process
Filename:	spoolsv.exe
Command Line:	C:\WINDOWS\system32\spoolsv.exe
Process-status at analysis end:	alive
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000
C:\WINDOWS\system32\SPOOLSS.DLL	0x742E0000	0x00015000
C:\WINDOWS\system32\WS2_32.dll	0x71AB0000	0x00017000
C:\WINDOWS\system32\WS2HELP.dll	0x71AA0000	0x00008000
C:\WINDOWS\system32\DNSAPI.dll	0x76F20000	0x00027000
C:\WINDOWS\system32\rasadhlp.dll	0x76FC0000	0x00006000
C:\WINDOWS\system32\localspl.dll	0x75BB0000	0x00056000
C:\WINDOWS\system32\sfc_os.dll	0x76C60000	0x0002A000
C:\WINDOWS\system32\WINTRUST.dll	0x76C30000	0x0002E000
C:\WINDOWS\system32\CRYPT32.dll	0x77A80000	0x00095000
C:\WINDOWS\system32\MSASN1.dll	0x77B20000	0x00012000
C:\WINDOWS\system32\IMAGEHLP.dll	0x76C90000	0x00028000
C:\WINDOWS\system32\winspool.drv	0x73000000	0x00026000
C:\WINDOWS\system32\netapi32.dll	0x5B860000	0x00055000
C:\WINDOWS\system32\cnbjmon.dll	0x742A0000	0x0000E000
C:\WINDOWS\system32\pjlmon.dll	0x74280000	0x00007000
C:\WINDOWS\system32\tcpmon.dll	0x72400000	0x0000E000
C:\WINDOWS\system32\usbmon.dll	0x723F0000	0x00007000
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll	0x00900000	0x0000A000
C:\WINDOWS\System32\mswsock.dll	0x71A50000	0x0003F000
C:\WINDOWS\System32\winrnr.dll	0x76FB0000	0x00008000
C:\WINDOWS\system32\WLDAP32.dll	0x76F60000	0x0002C000
C:\WINDOWS\system32\win32spl.dll	0x75C10000	0x00024000
C:\WINDOWS\system32\NETRAP.dll	0x71C80000	0x00007000
C:\WINDOWS\system32\NTDSAPI.dll	0x767A0000	0x00013000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000
C:\WINDOWS\system32\inetpp.dll	0x74300000	0x00015000
C:\WINDOWS\system32\xpsp2res.dll	0x01010000	0x002C5000

19.a) spoolsv.exe - File Activities

	- Memory Mapped Files:

File Name

C:\WINDOWS\system32\WININET.dll

Analysis Report for 45653644

Summary:

Table of Contents