From: anubis@iseclab.org Subject: Anubis - Analysis Report Date: Wed, 19 Jun 13 03:25:55 +0000 MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----=_NextPart_1eba40115388acd645178ab2bfe65cf0a" X-MimeOLE: Produced By Anubis This is a multi-part message in MIME format. ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Location: http://anubis.iseclab.org/index.php?action=result&task_id=1eba40115388acd645178ab2bfe65cf0a&format=html Anubis - Analysis Report
=C2=A0
3D"anubis
Anubis - Analysis Report
3D"anubis

Analysis Report for 13ab5707294543531e6e68903a17d165.spyeyetracker

 Comment on this report

Summary:

Description Risk
Write to foreign memory areas: This executable tampers with the execution of another process. 3D"high"
Performs File Modification and D= estruction: The executable modifies and destructs files which are not t= emporary. 3D"low"
AV Hit: This executable is d= etected by an antivirus software. 3D"high"
Packed Binary: This executab= le is protected with a packer in order to prevent it from being reverse eng= ineered. 3D"medium"
Autostart capabilities: This= executable registers processes to be executed at system start. This could result in unwanted= actions to be performed automatically. 3D"medium"
Creates files in the Windows sys= tem directory: Malware often keeps copies of itself in the Windows directory to stay = undetected by users. 3D"medium"
Execution did not terminate corr= ectly: The executable crashed. 3D"medium"
Modify system files: This ex= ecutable modifies files in the windows system directories. 3D"medium"
Spawns Processes: The execut= able produces processes during the execution. 3D"low"
Performs Registry Activities= : The executable creates and/or modifies registry entries. 3D"low"


Table of Contents=

3D"expand expand all=C2=A0 =C2=A0collapse all 3D"collapse

1. General Information

=C2=A0 -=C2=A0Information about Anubi= s' invocation =C2=A0
Time needed: 242 s=C2=A0
Report created: 02/02/11, 20:07:49 UTC=C2=A0<= /td>
Termination reason: Timeout=C2=A0
Program version: 1.74.3362=C2=A0

2. 13ab570729.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Primary Analysis Subject=C2= =A0
Filename: 13ab570729.exe=C2=A0
Command Line: "C:\13ab570729.exe" =C2=A0
Process-status at analysis en= d: dead=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSVBVM60.DLL=C2=A0 0x73420000=C2=A0 0x00153000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BMSCTF.dll=C2=A0 0x74720000=C2=A0 0x0004C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BSXS.DLL=C2=A0 0x7E720000=C2=A0 0x000B0000=C2=A0

2.a) 13ab570729.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BMicrosoft\=E2=80=8BCTF\=E2=80=8BSystemShared\=E2=80=8B=C2=A0 CUAS=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager=C2=A0 CriticalSectionTimeout=C2= =A0 2592000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 AuthenticodeEnabled=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 DefaultLevel=C2=A0 262144=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 PolicyScope=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemData=C2=A0 0x5eab304f957a49896a006c1c3= 1154015=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemSize=C2=A0 779=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemData=C2=A0 0x67b0d48b343a3fd3bce9dc646= 704f394=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemSize=C2=A0 517=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemData=C2=A0 0x327802dcfef8c893dc8ab006d= d847d1d=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemSize=C2=A0 918=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemData=C2=A0 0xbd9a2adb42ebd8560e250e4df= 8162f67=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemSize=C2=A0 229=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemData=C2=A0 0x386b085f84ecf669d36b956a2= 2c01e80=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemSize=C2=A0 370=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 ItemData=C2=A0 %HKEY_CURRENT_USER\=E2=80= =8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2= =80=8BExplorer\=E2=80=8BShell Folders\=E2=80=8BCache%OLK*=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 932=C2=A0 c_932.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 936=C2=A0 c_936.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 949=C2=A0 c_949.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 950=C2=A0 c_950.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BTerminal Server=C2=A0 TSUserEnabled=C2=A0 0=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BKeyboard Layout\=E2=80=8BToggle=C2= =A0 Language Hotkey=C2=A0 1=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BKeyboard Layout\=E2=80=8BToggle=C2= =A0 Layout Hotkey=C2=A0 2=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BShell Folders= =C2=A0 Cache=C2=A0 C:\=E2=80=8BDocuments and S= ettings\=E2=80=8BAdministrator\=E2=80=8BLocal Settings\=E2=80=8BTemporary I= nternet Files=C2=A0 1=C2=A0

2.b) 13ab570729.exe - = File Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\13ab570729.exe

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
\Device\KsecDD=C2=A0 0x00390008=C2=A0 8=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\13ab570729.exe
C:\WINDOWS\system32\MSCTF.d= ll
C:\WINDOWS\system32\MSVBVM6= 0.DLL
C:\WINDOWS\system32\SXS.DLL=
C:\WINDOWS\system32\imm32.d= ll
C:\WINDOWS\system32\rpcss.d= ll

2.c) 13ab570729.exe - = Process Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\13ab570729.exe=C2=A0 =C2=A0
=C2=A0 C:\13ab570729.exe=C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\13ab570729.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\13ab570729.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\13ab570729.exe

3. 13ab570729.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by 13ab570729.exe=C2= =A0
Filename: 13ab570729.exe=C2=A0
MD5: 13ab5707294543531e6e68903a17d= 165=C2=A0
SHA-1: 83202fb08379b959dfad57b90d1b2= 25631ad5125=C2=A0
File Size: 217600 Bytes
Command Line: C:\13ab570729.exe=C2=A0
Process-status at analysis en= d: dead=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0

=C2=A0 -=C2=A0SigBuster Output =C2=A0
UPX All_Versions SN:1634

=C2=A0 -=C2=A0Ikarus Virus Scanner =C2=A0
Trojan-Ransom.Win32.PornoBloc= ker (Sig-Id:1507186)

3.a) 13ab570729.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0

3.b) 13ab570729.exe - = File Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\drwtsn.bin\

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\13ab570729.exe

=C2=A0 -=C2=A0Directories Created: =C2=A0
C:\drwtsn.bin\

3.c) 13ab570729.exe - = Process Activities

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\explorer.= exe

4. Explorer.EXE

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: 13ab570729.exe wrote to the v= irtual memory of this process=C2=A0
Filename: Explorer.EXE=C2=A0
Command Line: C:\WINDOWS\Explorer.EXE=C2=A0=
Process-status at analysis en= d: dead=C2=A0
Exit Code: -1073741794=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BBROWSEUI.dll=C2=A0 0x75F80000=C2=A0 0x000FD000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHDOCVW.dll=C2=A0 0x7E290000=C2=A0 0x00171000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPTUI.dll=C2=A0 0x754D0000=C2=A0 0x00080000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINTRUST.dll=C2=A0 0x76C30000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMAGEHLP.dll=C2=A0 0x76C90000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BappHelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bcscui.dll=C2=A0 0x77A20000=C2=A0 0x00054000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCSCDLL.dll=C2=A0 0x76600000=C2=A0 0x0001D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bthemeui.dll=C2=A0 0x5BA60000=C2=A0 0x00071000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSIMG32.dll=C2=A0 0x76380000=C2=A0 0x00005000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x00BC0000=C2=A0 0x002C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bactxprxy.dll=C2=A0 0x71D40000=C2=A0 0x0001B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsutb.dll=C2=A0 0x5FC10000=C2=A0 0x00033000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSCTF.dll=C2=A0 0x74720000=C2=A0 0x0004C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Burlmon.dll=C2=A0 0x7E1E0000=C2=A0 0x000A2000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BLINKINFO.dll=C2=A0 0x76980000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntshrui.dll=C2=A0 0x76990000=C2=A0 0x00025000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BATL.DLL=C2=A0 0x76B20000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwebcheck.dll=C2=A0 0x74B30000=C2=A0 0x00046000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWSOCK32.dll=C2=A0 0x71AD0000=C2=A0 0x00009000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bstobject.dll=C2=A0 0x76280000=C2=A0 0x00021000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BBatMeter.dll=C2=A0 0x74AF0000=C2=A0 0x0000A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BPOWRPROF.dll=C2=A0 0x74AD0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsi.dll=C2=A0 0x7D1E0000=C2=A0 0x002BC000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETSHELL.dll=C2=A0 0x76400000=C2=A0 0x001A5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcredui.dll=C2=A0 0x76C00000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bdot3api.dll=C2=A0 0x478C0000=C2=A0 0x0000A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brtutils.dll=C2=A0 0x76E80000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bdot3dlg.dll=C2=A0 0x736D0000=C2=A0 0x00006000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOneX.DLL=C2=A0 0x5DCA0000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Beappcfg.dll=C2=A0 0x745B0000=C2=A0 0x00022000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSVCP60.dll=C2=A0 0x76080000=C2=A0 0x00065000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Beappprxy.dll=C2=A0 0x5DCD0000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSAMLIB.dll=C2=A0 0x71BF0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMPR.dll=C2=A0 0x71B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bdrprov.dll=C2=A0 0x75F60000=C2=A0 0x00007000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bntlanman.dll=C2=A0 0x71C10000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BNETUI0.dll=C2=A0 0x71CD0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BNETUI1.dll=C2=A0 0x71C90000=C2=A0 0x00040000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BNETRAP.dll=C2=A0 0x71C80000=C2=A0 0x00007000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bdavclnt.dll=C2=A0 0x75F70000=C2=A0 0x0000A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bbrowselc.dll=C2=A0 0x71600000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMLANG.dll=C2=A0 0x75CF0000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMM32.dll=C2=A0 0x76390000=C2=A0 0x0001D000=C2=A0

4.a) Explorer.EXE - = Registry Activities

=C2=A0 -=C2=A0Registry Keys Deleted:<= /a> =C2=A0
HKU\=E2=80=8BS-1-5-21-8429252= 46-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BW= indows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BMountPoints2\=E2= =80=8BCPC\=E2=80=8BVolume\=E2=80=8B{a1094daa-30a0-11dd-817b-806d6172696f}
HKU\=E2=80=8BS-1-5-21-8429252= 46-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BW= indows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BMountPoints2\=E2= =80=8BCPC\=E2=80=8BVolume\=E2=80=8B{a1094da8-30a0-11dd-817b-806d6172696f}
HKU\=E2=80=8BS-1-5-21-8429252= 46-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BW= indows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BMountPoints2\=E2= =80=8BCPC\=E2=80=8BVolume

=C2=A0 -=C2=A0Registry Values= Modified: =C2=A0
Key Name New Value
HKU\=E2=80=8BS-1-5-21-8429252= 46-1425521274-308236825-500\=E2=80=8BSOFTWARE\=E2=80=8BMICROSOFT\=E2=80=8BW= INDOWS\=E2=80=8BCURRENTVERSION\=E2=80=8BRUN=C2=A0 3D"info" drwtsn.bin.exe=C2=A0 C:\=E2=80=8Bdrwtsn.bin\=E2=80= =8Bdrwtsn.bin.exe=C2=A0

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0

4.b) Explorer.EXE - = File Activities

=C2=A0 -=C2=A0Files Deleted: =C2=A0
C:\13ab570729.exe
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\13ab570729.exe
C:\WINDOWS\system32\ntdll.dll=

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
unnamed file=C2=A0 0x00228144=C2=A0 1=C2=A0
unnamed file=C2=A0 0x0022415C=C2=A0 2=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\ntdll.dll=
C:\Windows\AppPatch\sysmain.s= db
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

4.c) Explorer.EXE - = Process Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\drwtsn.bin\drwtsn.bin.exe= =C2=A0 =C2=A0
C:\drwtsn.bin\drwtsn.bin.exe= =C2=A0 =C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\drwtsn.bin\drwtsn.bin.ex= e
C:\WINDOWS\system32\winlogo= n.exe
C:\WINDOWS\system32\lsass.e= xe
C:\WINDOWS\system32\svchost= .exe
C:\WINDOWS\system32\svchost= .exe
C:\WINDOWS\system32\svchost= .exe
C:\WINDOWS\system32\svchost= .exe
C:\WINDOWS\system32\svchost= .exe
C:\WINDOWS\system32\spoolsv= .exe
C:\WINDOWS\system32\alg.exe=
C:\WINDOWS\system32\wscntfy= .exe
C:\WINDOWS\system32\ctfmon.= exe

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\drwtsn.bin\drwtsn= .bin.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\explore= r.exe
Process: C:\WINDOWS\system3= 2\alg.exe
Process: C:\WINDOWS\system3= 2\ctfmon.exe
Process: C:\WINDOWS\system3= 2\lsass.exe
Process: C:\WINDOWS\system3= 2\spoolsv.exe
Process: C:\WINDOWS\system3= 2\svchost.exe
Process: C:\WINDOWS\system3= 2\winlogon.exe
Process: C:\WINDOWS\system3= 2\wscntfy.exe
Process: C:\drwtsn.bin\drwt= sn.bin.exe

4.d) Explorer.EXE - = Other Activities

=C2=A0 -=C2=A0Mutexes Created: =C2=A0
drwtsn815ed175

=C2=A0 -=C2=A0Keyboard Keys M= onitored: =C2=A0
Virtual Key Code Times
VK_LBUTTON (1)=C2=A0 76=C2=A0

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbb7= a653=C2=A0 1=C2=A0

5. drwtsn.bin.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by Explorer.EXE=C2=A0=
Filename: drwtsn.bin.exe=C2=A0
Command Line: "C:\drwtsn.bin\drwtsn.bin.exe= "=C2=A0
Process-status at analysis en= d: dead=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSVBVM60.DLL=C2=A0 0x73420000=C2=A0 0x00153000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BMSCTF.dll=C2=A0 0x74720000=C2=A0 0x0004C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BSXS.DLL=C2=A0 0x7E720000=C2=A0 0x000B0000=C2=A0

5.a) drwtsn.bin.exe = - Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BMicrosoft\=E2=80=8BCTF\=E2=80=8BSystemShared\=E2=80=8B=C2=A0 CUAS=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager=C2=A0 CriticalSectionTimeout=C2= =A0 2592000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 AuthenticodeEnabled=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 DefaultLevel=C2=A0 262144=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 PolicyScope=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemData=C2=A0 0x5eab304f957a49896a006c1c3= 1154015=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemSize=C2=A0 779=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemData=C2=A0 0x67b0d48b343a3fd3bce9dc646= 704f394=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemSize=C2=A0 517=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemData=C2=A0 0x327802dcfef8c893dc8ab006d= d847d1d=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemSize=C2=A0 918=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemData=C2=A0 0xbd9a2adb42ebd8560e250e4df= 8162f67=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemSize=C2=A0 229=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemData=C2=A0 0x386b085f84ecf669d36b956a2= 2c01e80=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemSize=C2=A0 370=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 ItemData=C2=A0 %HKEY_CURRENT_USER\=E2=80= =8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2= =80=8BExplorer\=E2=80=8BShell Folders\=E2=80=8BCache%OLK*=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 932=C2=A0 c_932.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 936=C2=A0 c_936.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 949=C2=A0 c_949.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BNls\=E2=80=8BCodepage=C2=A0 950=C2=A0 c_950.nls=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BTerminal Server=C2=A0 TSUserEnabled=C2=A0 0=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BKeyboard Layout\=E2=80=8BToggle=C2= =A0 Language Hotkey=C2=A0 1=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BKeyboard Layout\=E2=80=8BToggle=C2= =A0 Layout Hotkey=C2=A0 2=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BShell Folders= =C2=A0 Cache=C2=A0 C:\=E2=80=8BDocuments and S= ettings\=E2=80=8BAdministrator\=E2=80=8BLocal Settings\=E2=80=8BTemporary I= nternet Files=C2=A0 1=C2=A0

5.b) drwtsn.bin.exe = - File Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\Documents and Settings\Adm= inistrator\=C2=A0 0x00090028=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
\Device\KsecDD=C2=A0 0x00390008=C2=A0 8=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\MSCTF.d= ll
C:\WINDOWS\system32\MSVBVM6= 0.DLL
C:\WINDOWS\system32\SXS.DLL=
C:\WINDOWS\system32\imm32.d= ll
C:\WINDOWS\system32\rpcss.d= ll
C:\drwtsn.bin\drwtsn.bin.ex= e

5.c) drwtsn.bin.exe = - Process Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\drwtsn.bin\drwtsn.bin.exe= =C2=A0 =C2=A0
=C2=A0 C:\drwtsn.bin\drwtsn.bin.exe= =C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\drwtsn.bin\drwtsn= .bin.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\drwtsn.bin\drwtsn= .bin.exe

6. drwtsn.bin.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by drwtsn.bin.exe=C2= =A0
Filename: drwtsn.bin.exe=C2=A0
Command Line: C:\drwtsn.bin\drwtsn.bin.exe= =C2=A0
Process-status at analysis en= d: dead=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0

6.a) drwtsn.bin.exe = - Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager=C2=A0 CriticalSectionTimeout=C2=A0<= /td> 2592000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2=80= =8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8BCod= eIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0

6.b) drwtsn.bin.exe = - File Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\drwtsn.bin\config.bin

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\drwtsn.bin\config.bin
C:\drwtsn.bin\drwtsn.bin.exe<= /td>

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\drwtsn.bin\config.bin

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\Documents and Settings\Adm= inistrator\=C2=A0 0x00090028=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
\Device\KsecDD=C2=A0 0x00390008=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\WinSxS\x86_Micro= soft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\c= omctl32.dll
C:\WINDOWS\WindowsShell.Man= ifest
C:\WINDOWS\system32\SHELL32= .dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WS2HELP= .dll
C:\WINDOWS\system32\WS2_32.= dll
C:\WINDOWS\system32\comctl3= 2.dll

6.c) drwtsn.bin.exe = - Process Activities

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\explorer.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\explorer.= exe

6.d) drwtsn.bin.exe = - Other Activities

=C2=A0 -=C2=A0Mutexes Created: =C2=A0
DBWinMutex
drwtsn815ed175

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0x40010006 at 0x7c8= 12aeb=C2=A0 1=C2=A0

7. winlogon.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: winlogon.exe=C2=A0
Command Line: winlogon.exe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BAUTHZ.dll=C2=A0 0x776C0000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNDdeApi.dll=C2=A0 0x75940000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BPROFMAP.dll=C2=A0 0x75930000=C2=A0 0x0000A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BPSAPI.DLL=C2=A0 0x76BF0000=C2=A0 0x0000B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BREGAPI.dll=C2=A0 0x76BC0000=C2=A0 0x0000F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINTRUST.dll=C2=A0 0x76C30000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMAGEHLP.dll=C2=A0 0x76C90000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSGINA.dll=C2=A0 0x75970000=C2=A0 0x000F8000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMCTL32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BODBC32.dll=C2=A0 0x74320000=C2=A0 0x0003D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomdlg32.dll=C2=A0 0x763B0000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bodbcint.dll=C2=A0 0x00930000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHSVCS.dll=C2=A0 0x776E0000=C2=A0 0x00023000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bsfc.dll=C2=A0 0x76BB0000=C2=A0 0x00005000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bsfc_os.dll=C2=A0 0x76C60000=C2=A0 0x0002A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BApphelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSCARD.DLL=C2=A0 0x723D0000=C2=A0 0x0001C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Buxtheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcscdll.dll=C2=A0 0x76600000=C2=A0 0x0001D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bdimsntfy.dll=C2=A0 0x47020000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWlNotify.dll=C2=A0 0x75950000=C2=A0 0x0001A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMPR.dll=C2=A0 0x71B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSPOOL.DRV=C2=A0 0x73000000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brsaenh.dll=C2=A0 0x68000000=C2=A0 0x00036000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSAMLIB.dll=C2=A0 0x71BF0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bsxs.dll=C2=A0 0x7E720000=C2=A0 0x000B0000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsv1_0.dll=C2=A0 0x77C70000=C2=A0 0x00024000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwldap32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcscui.dll=C2=A0 0x77A20000=C2=A0 0x00054000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x016E0000=C2=A0 0x002C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNTMARTA.DLL=C2=A0 0x77690000=C2=A0 0x00021000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0

7.a) winlogon.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BMICROSOFT\=E2=80=8BWINDOWS NT\=E2=80=8BCURRENTVERSION\=E2=80=8BWINLOG= ON=C2=A0 Shell=C2=A0 Explorer.exe=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BProfil= eList\=E2=80=8BS-1-5-21-842925246-1425521274-308236825-500=C2=A0 ProfileImagePath=C2=A0 %SystemDrive%\=E2=80=8BDocu= ments and Settings\=E2=80=8BAdministrator=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BWinlog= on=C2=A0 AutoRestartShell=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BEnvironment=C2=A0 TEMP=C2=A0 %USERPROFILE%\=E2=80=8BLoca= l Settings\=E2=80=8BTemp=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BEnvironment=C2=A0 TMP=C2=A0 %USERPROFILE%\=E2=80=8BLoca= l Settings\=E2=80=8BTemp=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BWinlogon=C2=A0 ParseAutoexec=C2=A0 1=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 APPDATA=C2=A0 C:\=E2=80=8BDocuments and S= ettings\=E2=80=8BAdministrator\=E2=80=8BApplication Data=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 CLIENTNAME=C2=A0 =C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 HOMEDRIVE=C2=A0 C:=C2=A0 3=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 HOMEPATH=C2=A0 \=E2=80=8BDocuments and Set= tings\=E2=80=8BAdministrator=C2=A0 3=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 HOMESHARE=C2=A0 =C2=A0 3=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 LOGONSERVER=C2=A0 \=E2=80=8B\=E2=80=8BPC=C2= =A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 SESSIONNAME=C2=A0 Console=C2=A0 2=C2=A0

7.b) winlogon.exe - = File Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
PIPE\lsarpc
c:\autoexec.bat

=C2=A0 -=C2=A0Files Modified: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 1=C2=A0
pipe\PCHFaultRepExecPipe=C2= =A0 0x0011C017=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\drwtsn3= 2.exe
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll
C:\Windows\AppPatch\sysmain= .sdb

7.c) winlogon.exe - = Process Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\WINDOWS\explorer.exe=C2=A0= =C2=A0
=C2=A0 C:\WINDOWS\explorer.exe=C2=A0=
C:\WINDOWS\system32\drwtsn32.= exe=C2=A0 =C2=A0
=C2=A0 C:\WINDOWS\system32\drwtsn32 = -p 360 -e 632 -g=C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.= exe

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\WINDOWS\explorer.= exe
Process: C:\WINDOWS\system32\= drwtsn32.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\explorer.= exe
Process: C:\WINDOWS\system32\= drwtsn32.exe

7.d) winlogon.exe - = Other Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

8. lsass.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: lsass.exe=C2=A0
Command Line: C:\WINDOWS\system32\lsass.exe= =C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BLSASRV.dll=C2=A0 0x75730000=C2=A0 0x000B5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMPR.dll=C2=A0 0x71B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNTDSAPI.dll=C2=A0 0x767A0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BDNSAPI.dll=C2=A0 0x76F20000=C2=A0 0x00027000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSAMLIB.dll=C2=A0 0x71BF0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSAMSRV.dll=C2=A0 0x74440000=C2=A0 0x0006A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcryptdll.dll=C2=A0 0x76790000=C2=A0 0x0000C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsprivs.dll=C2=A0 0x4D200000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkerberos.dll=C2=A0 0x71CF0000=C2=A0 0x0004C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsv1_0.dll=C2=A0 0x77C70000=C2=A0 0x00024000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bnetlogon.dll=C2=A0 0x744B0000=C2=A0 0x00065000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bw32time.dll=C2=A0 0x767C0000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSVCP60.dll=C2=A0 0x76080000=C2=A0 0x00065000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bschannel.dll=C2=A0 0x767F0000=C2=A0 0x00027000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwdigest.dll=C2=A0 0x74380000=C2=A0 0x0000F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brsaenh.dll=C2=A0 0x68000000=C2=A0 0x00036000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bsetupapi.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bscecli.dll=C2=A0 0x74410000=C2=A0 0x0002F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bipsecsvc.dll=C2=A0 0x743E0000=C2=A0 0x0002F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BAUTHZ.dll=C2=A0 0x776C0000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Boakley.DLL=C2=A0 0x75D90000=C2=A0 0x000D0000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINIPSEC.DLL=C2=A0 0x74370000=C2=A0 0x0000B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmswsock.dll=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bhnetcfg.dll=C2=A0 0x662B0000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwshtcpip.dll=C2=A0 0x71A90000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bdssenh.dll=C2=A0 0x68100000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bpstorsvc.dll=C2=A0 0x743A0000=C2=A0 0x0000B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bpsbase.dll=C2=A0 0x743C0000=C2=A0 0x0001B000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BApphelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0

8.a) lsass.exe - Reg= istry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSAM\=E2=80=8B= SAM\=E2=80=8BDOMAINS\=E2=80=8BAccount\=E2=80=8BUsers\=E2=80=8B000001F4=C2= =A0 V=C2=A0 0x00000000bc00000002000100b= c0000001a00000000000000d80000000000=C2=A0 22=C2=A0
HKLM\=E2=80=8BSAM\=E2=80=8B= SAM\=E2=80=8BDOMAINS\=E2=80=8BAccount\=E2=80=8BUsers\=E2=80=8BNames\=E2=80= =8BAdministrator=C2=A0 =C2=A0 =C2=A0 22=C2=A0
HKLM\=E2=80=8BSECURITY\=E2= =80=8BPolicy\=E2=80=8BSecDesc=C2=A0 =C2=A0 0x0100048098000000a80000000= 00000001400000002008400060000000100=C2=A0 45=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BLsa=C2=A0 NoDefaultAdminOwner=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 1=C2=A0

8.b) lsass.exe - Fil= e Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
PIPE\lsass

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
C:\lsass, Flags: Named pipe
PIPE\lsarpc
PIPE\lsass

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\lsass, Flags: Named pipe
PIPE\lsarpc
PIPE\lsass

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\lsass, Flags: Named pipe= =C2=A0 0x00110024=C2=A0 30=C2=A0
C:\lsass, Flags: Named pipe= =C2=A0 0x0011001C=C2=A0 134=C2=A0
C:\lsass, Flags: Named pipe= =C2=A0 0x00110008=C2=A0 1=C2=A0
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
pipe\PCHFaultRepExecPipe=C2= =A0 0x0011C017=C2=A0 1=C2=A0
PIPE\lsass=C2=A0 0x00110008=C2=A0 12=C2=A0
PIPE\lsass=C2=A0 0x00110024=C2=A0 28=C2=A0
PIPE\lsass=C2=A0 0x0011001C=C2=A0 68=C2=A0
PIPE\lsass=C2=A0 0x00110004=C2=A0 5=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\Apphelp= .dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\drwtsn3= 2.exe
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll
C:\Windows\AppPatch\sysmain= .sdb

8.c) lsass.exe - Pro= cess Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\WINDOWS\system32\drwtsn32.= exe=C2=A0 =C2=A0
=C2=A0 C:\WINDOWS\system32\drwtsn32 = -p 416 -e 976 -g=C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\system32\drwtsn32.= exe

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\WINDOWS\system32\= drwtsn32.exe
Process: C:\WINDOWS\system32\= svchost.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\system32\= drwtsn32.exe

8.d) lsass.exe - Oth= er Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

9. svchost.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: svchost.exe=C2=A0
Command Line: C:\WINDOWS\system32\svchost -= k DcomLaunch=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNTMARTA.DLL=C2=A0 0x77690000=C2=A0 0x00021000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSAMLIB.dll=C2=A0 0x71BF0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Brpcss.dll=C2=A0 0x76A80000=C2=A0 0x00064000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x005F0000=C2=A0 0x002C5000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Btermsrv.dll=C2=A0 0x760F0000=C2=A0 0x00053000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BICAAPI.dll=C2=A0 0x74F70000=C2=A0 0x00006000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINTRUST.dll=C2=A0 0x76C30000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMAGEHLP.dll=C2=A0 0x76C90000=C2=A0 0x00028000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BAUTHZ.dll=C2=A0 0x776C0000=C2=A0 0x00012000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bmstlsapi.dll=C2=A0 0x75110000=C2=A0 0x0001F000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BACTIVEDS.dll=C2=A0 0x77CC0000=C2=A0 0x00032000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Badsldpc.dll=C2=A0 0x76E10000=C2=A0 0x00025000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BATL.DLL=C2=A0 0x76B20000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BREGAPI.dll=C2=A0 0x76BC0000=C2=A0 0x0000F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brsaenh.dll=C2=A0 0x68000000=C2=A0 0x00036000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BApphelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0

9.a) svchost.exe - R= egistry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAPPID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 =C2=A0 Microsoft WMI Provider Subs= ystem Host=C2=A0 3=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAPPID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 LaunchPermission=C2=A0 0x0100048084000000900000000= 00000001400000002007000050000000003=C2=A0 3=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 AppID=C2=A0 {73E709EA-5D93-4B2E-BBB0-99= B7938DA9E4}=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }\=E2=80=8BLOCALSERVER32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiprvse.exe=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BCOM3=C2=A0 REGDBVersion=C2=A0 0x0700000000000000=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 1=C2=A0

9.b) svchost.exe - F= ile Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\lsarpc, Flags: Named pipe= =C2=A0 0x0011C017=C2=A0 72=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 2=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll
C:\WINDOWS\system32\wbem\wm= iprvse.exe
C:\Windows\AppPatch\sysmain= .sdb

9.c) svchost.exe - P= rocess Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\WINDOWS\system32\wbem\wmip= rvse.exe=C2=A0 =C2=A0
=C2=A0 C:\WINDOWS\system32\wbem\wmip= rvse.exe -Embedding=C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\system32\wbem\wmip= rvse.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\WINDOWS\system32\= wbem\wmiprvse.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\system32\= wbem\wmiprvse.exe

9.d) svchost.exe - O= ther Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

10. svchost.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: svchost.exe=C2=A0
Command Line: C:\WINDOWS\system32\svchost -= k rpcss=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Brpcss.dll=C2=A0 0x76A80000=C2=A0 0x00064000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x005F0000=C2=A0 0x002C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brsaenh.dll=C2=A0 0x68000000=C2=A0 0x00036000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmswsock.dll=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bhnetcfg.dll=C2=A0 0x662B0000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwshtcpip.dll=C2=A0 0x71A90000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BDNSAPI.dll=C2=A0 0x76F20000=C2=A0 0x00027000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwinrnr.dll=C2=A0 0x76FB0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brasadhlp.dll=C2=A0 0x76FC0000=C2=A0 0x00006000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0

10.a) svchost.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAPPID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 =C2=A0 Microsoft WMI Provider Subs= ystem Host=C2=A0 4=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAPPID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 LaunchPermission=C2=A0 0x0100048084000000900000000= 00000001400000002007000050000000003=C2=A0 4=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAppID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 =C2=A0 Microsoft WMI Provider Subs= ystem Host=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAppID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 LaunchPermission=C2=A0 0x0100048084000000900000000= 00000001400000002007000050000000003=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAppID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00C04FB68820= }=C2=A0 =C2=A0 Windows Management and Inst= rumentation=C2=A0 5=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAppID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00C04FB68820= }=C2=A0 LaunchPermission=C2=A0 0x0100048094000000a40000000= 00000001400000002008000010000000000=C2=A0 5=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BAppID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00C04FB68820= }=C2=A0 LocalService=C2=A0 winmgmt=C2=A0 5=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }=C2=A0 AppID=C2=A0 {73E709EA-5D93-4B2E-BBB0-99= B7938DA9E4}=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4= }\=E2=80=8BLOCALSERVER32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiprvse.exe=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BAppID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00= C04FB68820}=C2=A0 LocalService=C2=A0 winmgmt=C2=A0 2=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99= B7938DA9E4}=C2=A0 AppID=C2=A0 {73E709EA-5D93-4B2E-BBB0-99= B7938DA9E4}=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99= B7938DA9E4}\=E2=80=8BLocalServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiprvse.exe=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00= C04FB68820}=C2=A0 AppID=C2=A0 {8BC3F05E-D86B-11D0-A075-00= C04FB68820}=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BCOM3=C2=A0 REGDBVersion=C2=A0 0x0700000000000000=C2=A0 8=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0

10.b) svchost.exe - = File Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 2=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\SETUPAP= I.dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll

10.c) svchost.exe - = Other Activities

=C2=A0 -=C2=A0Mutexes Created: =C2=A0
WMIPRVSE.EXE

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0
Exception 0x6ba at 0x7c812aeb= =C2=A0 1=C2=A0

11. svchost.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: svchost.exe=C2=A0
Command Line: C:\WINDOWS\System32\svchost.e= xe -k netsvcs=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BNTMARTA.DLL=C2=A0 0x77690000=C2=A0 0x00021000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BSAMLIB.dll=C2=A0 0x71BF0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x005B0000=C2=A0 0x002C5000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bshsvcs.dll=C2=A0 0x776E0000=C2=A0 0x00023000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Brsaenh.dll=C2=A0 0x68000000=C2=A0 0x00036000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bdhcpcsvc.dll=C2=A0 0x7D4B0000=C2=A0 0x00022000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BDNSAPI.dll=C2=A0 0x76F20000=C2=A0 0x00027000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bwzcsvc.dll=C2=A0 0x7DB10000=C2=A0 0x0008C000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Brtutils.dll=C2=A0 0x76E80000=C2=A0 0x0000E000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWMI.dll=C2=A0 0x76D30000=C2=A0 0x00004000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BEapolQec.dll=C2=A0 0x72810000=C2=A0 0x0000B000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BATL.DLL=C2=A0 0x76B20000=C2=A0 0x00011000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BQUtil.dll=C2=A0 0x726C0000=C2=A0 0x00016000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BMSVCP60.dll=C2=A0 0x76080000=C2=A0 0x00065000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bdot3api.dll=C2=A0 0x478C0000=C2=A0 0x0000A000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BESENT.dll=C2=A0 0x606B0000=C2=A0 0x0010D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Brastls.dll=C2=A0 0x76B70000=C2=A0 0x00027000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPTUI.dll=C2=A0 0x754D0000=C2=A0 0x00080000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINTRUST.dll=C2=A0 0x76C30000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMAGEHLP.dll=C2=A0 0x76C90000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BMPRAPI.dll=C2=A0 0x76D40000=C2=A0 0x00018000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BACTIVEDS.dll=C2=A0 0x77CC0000=C2=A0 0x00032000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Badsldpc.dll=C2=A0 0x76E10000=C2=A0 0x00025000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BRASAPI32.dll=C2=A0 0x76EE0000=C2=A0 0x0003C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Brasman.dll=C2=A0 0x76E90000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BTAPI32.dll=C2=A0 0x76EB0000=C2=A0 0x0002F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BSCHANNEL.dll=C2=A0 0x767F0000=C2=A0 0x00027000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWinSCard.dll=C2=A0 0x723D0000=C2=A0 0x0001C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BPSAPI.DLL=C2=A0 0x76BF0000=C2=A0 0x0000B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Braschap.dll=C2=A0 0x76BD0000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsv1_0.dll=C2=A0 0x77C70000=C2=A0 0x00024000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bschedsvc.dll=C2=A0 0x77300000=C2=A0 0x00033000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BNTDSAPI.dll=C2=A0 0x767A0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BMSIDLE.DLL=C2=A0 0x74F50000=C2=A0 0x00005000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Baudiosrv.dll=C2=A0 0x708B0000=C2=A0 0x0000D000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bwkssvc.dll=C2=A0 0x76E40000=C2=A0 0x00023000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bqmgr.dll=C2=A0 0x5B9F0000=C2=A0 0x0006B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMPR.dll=C2=A0 0x71B20000=C2=A0 0x00012000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BSHFOLDER.dll=C2=A0 0x76780000=C2=A0 0x00009000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWINHTTP.dll=C2=A0 0x4D4F0000=C2=A0 0x00059000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bwuauserv.dll=C2=A0 0x50000000=C2=A0 0x00005000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmisvc.dll=C2=A0 0x59490000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVSSAPI.DLL=C2=A0 0x753E0000=C2=A0 0x0006D000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bw32time.dll=C2=A0 0x767C0000=C2=A0 0x0002C000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Btrkwks.dll=C2=A0 0x75070000=C2=A0 0x00019000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bsrsvc.dll=C2=A0 0x751A0000=C2=A0 0x0002E000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BPOWRPROF.dll=C2=A0 0x74AD0000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bseclogon.dll=C2=A0 0x73D20000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bnetman.dll=C2=A0 0x77D00000=C2=A0 0x00033000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bnetshell.dll=C2=A0 0x76400000=C2=A0 0x001A5000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bcredui.dll=C2=A0 0x76C00000=C2=A0 0x0002E000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bdot3dlg.dll=C2=A0 0x736D0000=C2=A0 0x00006000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BOneX.DLL=C2=A0 0x5DCA0000=C2=A0 0x00028000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Beappcfg.dll=C2=A0 0x745B0000=C2=A0 0x00022000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Beappprxy.dll=C2=A0 0x5DCD0000=C2=A0 0x0000E000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWZCSAPI.DLL=C2=A0 0x73030000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwuaueng.dll=C2=A0 0x50040000=C2=A0 0x001AB000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWINSPOOL.DRV=C2=A0 0x73000000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCabinet.dll=C2=A0 0x75150000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bmspatcha.dll=C2=A0 0x600A0000=C2=A0 0x0000B000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bsrvsvc.dll=C2=A0 0x75090000=C2=A0 0x0001A000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bpchealth\=E2=80=8Bhelpctr\=E2=80=8Bbinaries\=E2=80=8Bpchsvc.dll=C2=A0 0x74F40000=C2=A0 0x0000C000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bes.dll=C2=A0 0x77710000=C2=A0 0x00042000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bersvc.dll=C2=A0 0x74F80000=C2=A0 0x00009000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bdmserver.dll=C2=A0 0x74F90000=C2=A0 0x00009000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bcryptsvc.dll=C2=A0 0x76CE0000=C2=A0 0x00012000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bcertcli.dll=C2=A0 0x77B90000=C2=A0 0x00032000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmswsock.dll=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bhnetcfg.dll=C2=A0 0x662B0000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwshtcpip.dll=C2=A0 0x71A90000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bwscsvc.dll=C2=A0 0x4C0A0000=C2=A0 0x00017000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bmsi.dll=C2=A0 0x7D1E0000=C2=A0 0x002BC000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bsens.dll=C2=A0 0x722D0000=C2=A0 0x0000D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwinrnr.dll=C2=A0 0x76FB0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bsfc.dll=C2=A0 0x76BB0000=C2=A0 0x00005000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bsfc_os.dll=C2=A0 0x76C60000=C2=A0 0x0002A000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bbrowser.dll=C2=A0 0x76DA0000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwbemcomn.dll=C2=A0 0x75290000=C2=A0 0x00037000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWbem\=E2=80=8Bwbemcore.dll=C2=A0 0x762C0000=C2=A0 0x00085000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWbem\=E2=80=8Besscli.dll=C2=A0 0x75310000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWbem\=E2=80=8BFastProx.dll=C2=A0 0x75690000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BSXS.DLL=C2=A0 0x7E720000=C2=A0 0x000B0000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiutils.dll=C2=A0 0x75020000=C2=A0 0x0001B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Brepdrvfs.dll=C2=A0 0x75200000=C2=A0 0x0002F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomsvcs.dll=C2=A0 0x76620000=C2=A0 0x0013C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcolbact.DLL=C2=A0 0x75130000=C2=A0 0x00014000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMTXCLU.DLL=C2=A0 0x750F0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWSOCK32.dll=C2=A0 0x71AD0000=C2=A0 0x00009000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCLUSAPI.DLL=C2=A0 0x76D10000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BRESUTILS.DLL=C2=A0 0x750B0000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiprvsd.dll=C2=A0 0x597F0000=C2=A0 0x0006D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNCObjAPI.DLL=C2=A0 0x5F770000=C2=A0 0x0000C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwbemess.dll=C2=A0 0x75390000=C2=A0 0x00046000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bipnathlp.dll=C2=A0 0x66460000=C2=A0 0x00055000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BAUTHZ.dll=C2=A0 0x776C0000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bncprov.dll=C2=A0 0x5F740000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Brasadhlp.dll=C2=A0 0x76FC0000=C2=A0 0x00006000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BApphelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bupnp.dll=C2=A0 0x76DE0000=C2=A0 0x00024000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSSDPAPI.dll=C2=A0 0x74F00000=C2=A0 0x0000C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BRASDLG.dll=C2=A0 0x768D0000=C2=A0 0x000A4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwups2.dll=C2=A0 0x50E60000=C2=A0 0x0000C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsxml3.dll=C2=A0 0x74980000=C2=A0 0x00113000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bdssenh.dll=C2=A0 0x68100000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bdbghelp.dll=C2=A0 0x59A60000=C2=A0 0x000A1000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bwbem\=E2=80=8Bwbemsvc.dll=C2=A0 0x74ED0000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bwbem\=E2=80=8Bwbemprox.dll=C2=A0 0x74EF0000=C2=A0 0x00008000=C2=A0

11.a) svchost.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Keys Created:<= /a> =C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2=80= =8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting\=E2=80=8BUserFaults<= /td>

=C2=A0 -=C2=A0Registry Values= Modified: =C2=A0
Key Name New Value
HKLM\=E2=80=8BSOFTWARE\=E2=80= =8BMICROSOFT\=E2=80=8BWINDOWS\=E2=80=8BCURRENTVERSION\=E2=80=8BWINDOWSUPDAT= E\=E2=80=8BREPORTING\=E2=80=8BEVENTCACHE\=E2=80=8B3DA21691-E39D-4DA6-8A4B-B= 43877BCB1B7=C2=A0 FlushCacheFiles=C2=A0 0x43003a005c00570049004e00440= 04f00570053005c0053006f0066007400=C2=A0

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BHARDWARE\=E2= =80=8BDESCRIPTION\=E2=80=8BSystem=C2=A0 Identifier=C2=A0 AT/AT COMPATIBLE=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{d63a5850-8f16-11cf-9f47-00aa00bf345c= }=C2=A0 =C2=A0 WBEM Framework Instance Pro= vider=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{d63a5850-8f16-11cf-9f47-00aa00bf345c= }\=E2=80=8BInProcServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bcimwin32.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8BCLSID\=E2=80=8B{d63a5850-8f16-11cf-9f47-00aa00bf345c= }\=E2=80=8BInProcServer32=C2=A0 ThreadingModel=C2=A0 Both=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BAppID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00= C04FB68820}=C2=A0 LocalService=C2=A0 winmgmt=C2=A0 2=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{4590F811-1D3A-11D0-891F-00= AA004B2E24}\=E2=80=8BInprocServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwbemprox.dll=C2=A0 2=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{4590F811-1D3A-11D0-891F-00= AA004B2E24}\=E2=80=8BInprocServer32=C2=A0 ThreadingModel=C2=A0 Both=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{4FA18276-912A-11D1-AD9B-00= C04FD8FDFF}\=E2=80=8BInprocServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwbemcore.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{73E709EA-5D93-4B2E-BBB0-99= B7938DA9E4}\=E2=80=8BLocalServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiprvse.exe=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{7C857801-7381-11CF-884D-00= AA004B2E24}\=E2=80=8BInprocServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwbemsvc.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{7C857801-7381-11CF-884D-00= AA004B2E24}\=E2=80=8BInprocServer32=C2=A0 ThreadingModel=C2=A0 Both=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{8BC3F05E-D86B-11D0-A075-00= C04FB68820}=C2=A0 AppID=C2=A0 {8BC3F05E-D86B-11D0-A075-00= C04FB68820}=C2=A0 2=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{9A653086-174F-11D2-B5F9-00= 104B703EFD}\=E2=80=8BInprocServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bfastprox.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{CD1ABFC8-6C5E-4A8D-B90B-2A= 3B153B886D}\=E2=80=8BInprocServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bfastprox.dll=C2=A0 2=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BCLASSES\=E2=80=8B\=E2=80=8BCLSID\=E2=80=8B{CF4CC405-E2C5-4DDD-B3CE-5E= 7582D8C9FA}\=E2=80=8BInprocServer32=C2=A0 =C2=A0 C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwbem\=E2=80=8Bwmiutils.dll=C2=A0 3=C2=A0
HKLM\=E2=80=8BSOFTWARE\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BCOM3=C2=A0 REGDBVersion=C2=A0 0x0700000000000000=C2=A0 26=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWBEM\=E2=80=8BCIMOM=C2=A0 Log File Max Size=C2=A0 65536=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWBEM\=E2=80=8BCIMOM=C2=A0 Logging=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BProfil= eList=C2=A0 AllUsersProfile=C2=A0 All Users=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BProfil= eList=C2=A0 DefaultUserProfile=C2=A0 Default User=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BProfil= eList=C2=A0 ProfilesDirectory=C2=A0 %SystemDrive%\=E2=80=8BDocu= ments and Settings=C2=A0 4=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BProfil= eList\=E2=80=8BS-1-5-21-842925246-1425521274-308236825-500=C2=A0 ProfileImagePath=C2=A0 %SystemDrive%\=E2=80=8BDocu= ments and Settings\=E2=80=8BAdministrator=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 CommonFilesDir=C2=A0 C:\=E2=80=8BProgram Files\= =E2=80=8BCommon Files=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 ProgramFilesDir=C2=A0 C:\=E2=80=8BProgram Files= =C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 3=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 ComSpec=C2=A0 %SystemRoot%\=E2=80=8Bsyste= m32\=E2=80=8Bcmd.exe=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 FP_NO_HOST_CHECK=C2=A0 NO=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 NUMBER_OF_PROCESSORS=C2=A0<= /td> 1=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 OS=C2=A0 Windows_NT=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 PATHEXT=C2=A0 .COM;.EXE;.BAT;.CMD;.VBS;.V= BE;.JS;.JSE;.WSF;.WSH=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 PROCESSOR_ARCHITECTURE=C2= =A0 x86=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 PROCESSOR_IDENTIFIER=C2=A0<= /td> x86 Family 6 Model 3 Steppi= ng 3, GenuineIntel=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 PROCESSOR_LEVEL=C2=A0 6=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 PROCESSOR_REVISION=C2=A0 0303=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 Path=C2=A0 %SystemRoot%\=E2=80=8Bsyste= m32;%SystemRoot%;%SystemRoot%\=E2=80=8BSystem32\=E2=80=8BWbem=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 TEMP=C2=A0 %SystemRoot%\=E2=80=8BTEMP= =C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 TMP=C2=A0 %SystemRoot%\=E2=80=8BTEMP= =C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager\=E2=80=8BEnv= ironment=C2=A0 windir=C2=A0 %SystemRoot%=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 4=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BEnvironment=C2=A0 TEMP=C2=A0 %USERPROFILE%\=E2=80=8BLoca= l Settings\=E2=80=8BTemp=C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BEnvironment=C2=A0 TMP=C2=A0 %USERPROFILE%\=E2=80=8BLoca= l Settings\=E2=80=8BTemp=C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BWinlogon=C2=A0 ParseAutoexec=C2=A0 1=C2=A0 2=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 APPDATA=C2=A0 C:\=E2=80=8BDocuments and S= ettings\=E2=80=8BAdministrator\=E2=80=8BApplication Data=C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 CLIENTNAME=C2=A0 =C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 HOMEDRIVE=C2=A0 C:=C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 HOMEPATH=C2=A0 \=E2=80=8BDocuments and Set= tings\=E2=80=8BAdministrator=C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 HOMESHARE=C2=A0 =C2=A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 LOGONSERVER=C2=A0 \=E2=80=8B\=E2=80=8BPC=C2= =A0 4=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BVolatile Environment=C2=A0 SESSIONNAME=C2=A0 Console=C2=A0 4=C2=A0

=C2=A0 -=C2=A0Monitored Registry Keys= : =C2=A0
Key Name Watch subtree Notify Filter Count
HKU=C2=A0 1=C2=A0 Key Change,Value Change=C2=A0= 4=C2=A0

11.b) svchost.exe - = File Activities

=C2=A0 -=C2=A0Files Deleted: =C2=A0
C:\WINDOWS\PCHealth\ErrorRep\= UserDumps\lsass.exe.20090702-212117-00.mdmp
C:\WINDOWS\PCHealth\ErrorRep\= UserDumps\winlogon.exe.20090702-212125-00.mdmp

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\DOCUME~1\ADMINI~1\LOCALS= ~1\Temp\WER1275.dir00
C:\DOCUME~1\ADMINI~1\LOCALS= ~1\Temp\WER1275.dir00\svchost.exe.mdmp
C:\WINDOWS\PCHealth\ErrorRe= p
C:\WINDOWS\PCHealth\ErrorRe= p\UserDumps
C:\WINDOWS\PCHealth\ErrorRe= p\UserDumps\lsass.exe.20090702-212117-00.mdmp
C:\WINDOWS\PCHealth\ErrorRe= p\UserDumps\winlogon.exe.20090702-212125-00.mdmp
C:\WINDOWS\Prefetch\DRWTSN3= 2.EXE-2B4B52AC.pf

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\PCHFaultRepExecPipe, Fla= gs: Named pipe
C:\WINDOWS\SoftwareDistribu= tion\EventCache\{005CDD85-B361-444A-AF89-B49D160705B2}.bin
C:\WINDOWS\system32\ntdll.d= ll
C:\WINDOWS\system32\wbem\Re= pository\FS\INDEX.BTR
C:\WINDOWS\system32\wbem\Re= pository\FS\OBJECTS.DATA
PIPE\lsarpc
c:\autoexec.bat

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\PCHFaultRepExecPipe, Flags= : Named pipe3D"info"
C:\WINDOWS\Prefetch\DRWTSN32.= EXE-2B4B52AC.pf
PIPE\lsarpc

=C2=A0 -=C2=A0Directories Created: =C2=A0
C:\DOCUME~1\ADMINI~1\LOCALS~1= \Temp\WER1275.dir00
C:\WINDOWS\PCHealth\ErrorRep<= /td>
C:\WINDOWS\PCHealth\ErrorRep\= UserDumps

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\PCHFaultRepExecPipe, Flags= : Named pipe=C2=A0 0x0011001C=C2=A0 3=C2=A0
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
C:\PCHFaultRepExecPipe, Flags= : Named pipe=C2=A0 0x00110004=C2=A0 2=C2=A0
C:\PCHFaultRepExecPipe, Flags= : Named pipe=C2=A0 0x00110008=C2=A0 2=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 2=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\Prefetch\EXPLORER.= EXE-082F38A9.pf
C:\WINDOWS\system32\dbghelp.d= ll
C:\WINDOWS\system32\ntdll.dll=
C:\WINDOWS\system32\wbem\wbem= prox.dll
C:\WINDOWS\system32\wbem\wbem= svc.dll

11.c) svchost.exe - = Process Activities

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\WINDOWS\system32\= lsass.exe
Process: C:\WINDOWS\system32\= svchost.exe
Process: C:\WINDOWS\system32\= winlogon.exe

11.d) svchost.exe - = Other Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

12. svchost.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: svchost.exe=C2=A0
Command Line: C:\WINDOWS\system32\svchost.e= xe -k NetworkService=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bdnsrslvr.dll=C2=A0 0x76770000=C2=A0 0x0000D000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BDNSAPI.dll=C2=A0 0x76F20000=C2=A0 0x00027000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brsaenh.dll=C2=A0 0x68000000=C2=A0 0x00036000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmswsock.dll=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bhnetcfg.dll=C2=A0 0x662B0000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwshtcpip.dll=C2=A0 0x71A90000=C2=A0 0x00008000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0

12.a) svchost.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0

12.b) svchost.exe - = File Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 2=C2=A0
pipe\PCHFaultRepExecPipe=C2= =A0 0x0011C017=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\SETUPAP= I.dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll

12.c) svchost.exe - = Other Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

13. svchost.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: svchost.exe=C2=A0
Command Line: C:\WINDOWS\system32\svchost.e= xe -k LocalService=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNTMARTA.DLL=C2=A0 0x77690000=C2=A0 0x00021000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSAMLIB.dll=C2=A0 0x71BF0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x005B0000=C2=A0 0x002C5000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Blmhsvc.dll=C2=A0 0x74C40000=C2=A0 0x00006000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Biphlpapi.dll=C2=A0 0x76D60000=C2=A0 0x00019000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bwebclnt.dll=C2=A0 0x5A6E0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwsock32.dll=C2=A0 0x71AD0000=C2=A0 0x00009000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bregsvc.dll=C2=A0 0x76AF0000=C2=A0 0x00012000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Bssdpsrv.dll=C2=A0 0x765E0000=C2=A0 0x00014000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bhnetcfg.dll=C2=A0 0x662B0000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmswsock.dll=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwshtcpip.dll=C2=A0 0x71A90000=C2=A0 0x00008000=C2=A0
c:\=E2=80=8Bwindows\=E2=80= =8Bsystem32\=E2=80=8Balrsvc.dll=C2=A0 0x70F80000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0

13.a) svchost.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0

13.b) svchost.exe - = File Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 2=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\SETUPAPI.= dll
C:\WINDOWS\system32\WINSTA.dl= l
C:\WINDOWS\system32\WTSAPI32.= dll
C:\WINDOWS\system32\faultrep.= dll
C:\WINDOWS\system32\ntdll.dll=

13.c) svchost.exe - = Other Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

14. spoolsv.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: spoolsv.exe=C2=A0
Command Line: C:\WINDOWS\system32\spoolsv.e= xe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSPOOLSS.DLL=C2=A0 0x742E0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BDNSAPI.dll=C2=A0 0x76F20000=C2=A0 0x00027000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Brasadhlp.dll=C2=A0 0x76FC0000=C2=A0 0x00006000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Blocalspl.dll=C2=A0 0x75BB0000=C2=A0 0x00056000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bsfc_os.dll=C2=A0 0x76C60000=C2=A0 0x0002A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINTRUST.dll=C2=A0 0x76C30000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMAGEHLP.dll=C2=A0 0x76C90000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwinspool.drv=C2=A0 0x73000000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bnetapi32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcnbjmon.dll=C2=A0 0x742A0000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bpjlmon.dll=C2=A0 0x74280000=C2=A0 0x00007000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Btcpmon.dll=C2=A0 0x72400000=C2=A0 0x0000E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Busbmon.dll=C2=A0 0x723F0000=C2=A0 0x00007000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bmswsock.dll=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwinrnr.dll=C2=A0 0x76FB0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bwin32spl.dll=C2=A0 0x75C10000=C2=A0 0x00024000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETRAP.dll=C2=A0 0x71C80000=C2=A0 0x00007000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNTDSAPI.dll=C2=A0 0x767A0000=C2=A0 0x00013000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x01010000=C2=A0 0x002C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Binetpp.dll=C2=A0 0x74300000=C2=A0 0x00015000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0

14.a) spoolsv.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BEnvironments\= =E2=80=8BWindows NT x86\=E2=80=8BPrint Processors\=E2=80=8Bwinprint=C2=A0 Driver=C2=A0 localspl.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BBJ Language Monitor=C2=A0 Driver=C2=A0 cnbjmon.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BLocal Port=C2=A0 Driver=C2=A0 localspl.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BPJL Language Monitor=C2=A0 Driver=C2=A0 pjlmon.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BPJL Language Monitor=C2=A0 EOJTimeout=C2=A0 60000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BStandard TCP/IP Port=C2=A0 Driver=C2=A0 tcpmon.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BStandard TCP/IP Port\=E2=80=8BPorts=C2=A0 StatusUpdateEnabled=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BStandard TCP/IP Port\=E2=80=8BPorts=C2=A0 StatusUpdateInterval=C2=A0<= /td> 10=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BMonitors\=E2= =80=8BUSB Monitor=C2=A0 Driver=C2=A0 usbmon.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BProviders\=E2= =80=8BInternet Print Provider=C2=A0 DisplayName=C2=A0 HTTP Print Services=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BProviders\=E2= =80=8BInternet Print Provider=C2=A0 Name=C2=A0 inetpp.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BProviders\=E2= =80=8BLanMan Print Services=C2=A0 DisplayName=C2=A0 LanMan Print Services=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BProviders\=E2= =80=8BLanMan Print Services=C2=A0 Name=C2=A0 win32spl.dll=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BPrint\=E2=80=8BProviders\=E2= =80=8BLanMan Print Services\=E2=80=8Bservers=C2=A0 addprinterdrivers=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0

14.b) spoolsv.exe - = File Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\spoolerlogs\
C:\spoolerlogs\spooler.xml

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\spoolerlogs\spooler.xml
PIPE\lsarpc

=C2=A0 -=C2=A0Directories Created: =C2=A0
C:\spoolerlogs\

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\SETUPAP= I.dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll

14.c) spoolsv.exe - = Other Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

15. alg.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: alg.exe=C2=A0
Command Line: C:\WINDOWS\System32\alg.exe= =C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BATL.DLL=C2=A0 0x76B20000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWSOCK32.dll=C2=A0 0x71AD0000=C2=A0 0x00009000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BMSWSOCK.DLL=C2=A0 0x71A50000=C2=A0 0x0003F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCLBCATQ.DLL=C2=A0 0x76FD0000=C2=A0 0x0007F000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BCOMRes.dll=C2=A0 0x77050000=C2=A0 0x000C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x00600000=C2=A0 0x002C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bhnetcfg.dll=C2=A0 0x662B0000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8Bwshtcpip.dll=C2=A0 0x71A90000=C2=A0 0x00008000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BSystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0

15.a) alg.exe - Regi= stry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0

15.b) alg.exe - File= Activities

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0
\DosDevices\pipe\=C2=A0 0x00110018=C2=A0 2=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\System32\SETUPAP= I.dll
C:\WINDOWS\System32\WINSTA.= dll
C:\WINDOWS\System32\WTSAPI3= 2.dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\ntdll.d= ll

15.c) alg.exe - Othe= r Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

16. wscntfy.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: wscntfy.exe=C2=A0
Command Line: C:\WINDOWS\system32\wscntfy.e= xe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bxpsp2res.dll=C2=A0 0x007C0000=C2=A0 0x002C5000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSCTF.dll=C2=A0 0x74720000=C2=A0 0x0004C000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bapphelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0

16.a) wscntfy.exe - = Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager=C2=A0 CriticalSectionTimeout=C2= =A0 2592000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 AuthenticodeEnabled=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 DefaultLevel=C2=A0 262144=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 PolicyScope=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemData=C2=A0 0x5eab304f957a49896a006c1c3= 1154015=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemSize=C2=A0 779=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemData=C2=A0 0x67b0d48b343a3fd3bce9dc646= 704f394=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemSize=C2=A0 517=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemData=C2=A0 0x327802dcfef8c893dc8ab006d= d847d1d=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemSize=C2=A0 918=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemData=C2=A0 0xbd9a2adb42ebd8560e250e4df= 8162f67=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemSize=C2=A0 229=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemData=C2=A0 0x386b085f84ecf669d36b956a2= 2c01e80=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemSize=C2=A0 370=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 ItemData=C2=A0 %HKEY_CURRENT_USER\=E2=80= =8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2= =80=8BExplorer\=E2=80=8BShell Folders\=E2=80=8BCache%OLK*=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BProductOptions=C2=A0 ProductType=C2=A0 WinNT=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BShell Folders= =C2=A0 Cache=C2=A0 C:\=E2=80=8BDocuments and S= ettings\=E2=80=8BAdministrator\=E2=80=8BLocal Settings\=E2=80=8BTemporary I= nternet Files=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BUser Shell Fo= lders=C2=A0 Local Settings=C2=A0 %USERPROFILE%\=E2=80=8BLoca= l Settings=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BUser Shell Fo= lders=C2=A0 Personal=C2=A0 %USERPROFILE%\=E2=80=8BMy D= ocuments=C2=A0 1=C2=A0

16.b) wscntfy.exe - = File Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\DOCUME~1\ADMINI~1\LOCALS~1= \Temp\cf05_appcompat.txt

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
C:\WINDOWS\system32\winsock.d= ll
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\DOCUME~1\ADMINI~1\LOCALS~1= \Temp\cf05_appcompat.txt
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\Apphelp= .dll
C:\WINDOWS\system32\SETUPAP= I.dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WS2HELP= .dll
C:\WINDOWS\system32\WS2_32.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\advapi3= 2.dll
C:\WINDOWS\system32\apphelp= .dll
C:\WINDOWS\system32\dwwin.e= xe
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\gdi32.d= ll
C:\WINDOWS\system32\kernel3= 2.dll
C:\WINDOWS\system32\ntdll.d= ll
C:\WINDOWS\system32\ole32.d= ll
C:\WINDOWS\system32\oleaut3= 2.dll
C:\WINDOWS\system32\shell32= .dll
C:\WINDOWS\system32\user32.= dll
C:\WINDOWS\system32\wininet= .dll
C:\WINDOWS\system32\winsock= .dll
C:\Windows\AppPatch\sysmain= .sdb

16.c) wscntfy.exe - = Process Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\WINDOWS\system32\dwwin.exe= =C2=A0 =C2=A0
=C2=A0 C:\WINDOWS\system32\dwwin.exe= -x -s 232=C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\system32\dwwin.exe=

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\WINDOWS\system32\= dwwin.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\system32\= dwwin.exe

16.d) wscntfy.exe - = Other Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

17. ctfmon.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Explorer.EXE wrote to the vir= tual memory of this process=C2=A0
Filename: ctfmon.exe=C2=A0
Command Line: "C:\WINDOWS\system32\ctfmon.e= xe" =C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSCTF.dll=C2=A0 0x74720000=C2=A0 0x0004C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSUTB.dll=C2=A0 0x5FC10000=C2=A0 0x00033000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0

=C2=A0 -=C2=A0Run-time Dlls =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bfaultrep.dll=C2=A0 0x69450000=C2=A0 0x00016000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2HELP.dll=C2=A0 0x71AA0000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWS2_32.dll=C2=A0 0x71AB0000=C2=A0 0x00017000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINSTA.dll=C2=A0 0x76360000=C2=A0 0x00010000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWTSAPI32.dll=C2=A0 0x76F50000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSETUPAPI.dll=C2=A0 0x77920000=C2=A0 0x000F3000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bapphelp.dll=C2=A0 0x77B40000=C2=A0 0x00022000=C2=A0

17.a) ctfmon.exe - R= egistry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 OsLoaderPath=C2=A0 \=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemPartition=C2=A0 \=E2=80=8BDevice\=E2=80=8BH= arddiskVolume1=C2=A0 2=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 AllOrNone=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 DoReport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeKernelFaults=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeMicrosoftApps=C2=A0<= /td> 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 IncludeWindowsApps=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BPCHealth\=E2=80=8BErrorReporting=C2=A0 ShowUI=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Auto=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BAeDebu= g=C2=A0 Debugger=C2=A0 drwtsn32 -p %ld -e %ld -g= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion=C2=A0 DevicePath=C2=A0 %SystemRoot%\=E2=80=8Binf= =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 DriverCachePath=C2=A0 %SystemRoot%\=E2=80=8BDrive= r Cache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 LogLevel=C2=A0 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackCachePath=C2=A0<= /td> c:\=E2=80=8Bwindows\=E2=80= =8BServicePackFiles\=E2=80=8BServicePackCache=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 ServicePackSourcePath=C2=A0= D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BSetup=C2= =A0 SourcePath=C2=A0 D:\=E2=80=8B=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 AuthenticodeEnabled=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 DefaultLevel=C2=A0 262144=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 PolicyScope=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemData=C2=A0 0x5eab304f957a49896a006c1c3= 1154015=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 ItemSize=C2=A0 779=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{349d35ab-37b5-462f-9b8= 9-edd5fbde1328}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemData=C2=A0 0x67b0d48b343a3fd3bce9dc646= 704f394=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 ItemSize=C2=A0 517=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{7fb9cd2e-3076-4df9-a57= b-b813f72dbb91}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemData=C2=A0 0x327802dcfef8c893dc8ab006d= d847d1d=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 ItemSize=C2=A0 918=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{81d1fe15-dd9d-4762-b16= d-7c29ddecae3f}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemData=C2=A0 0xbd9a2adb42ebd8560e250e4df= 8162f67=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 ItemSize=C2=A0 229=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{94e3e076-8f53-42a5-841= 1-085bcc18a68d}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 HashAlg=C2=A0 32771=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemData=C2=A0 0x386b085f84ecf669d36b956a2= 2c01e80=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 ItemSize=C2=A0 370=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BHashes\=E2=80=8B{dc971ee5-44eb-4fe4-ae2= e-b91490411bfc}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 ItemData=C2=A0 %HKEY_CURRENT_USER\=E2=80= =8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2= =80=8BExplorer\=E2=80=8BShell Folders\=E2=80=8BCache%OLK*=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8B= CodeIdentifiers\=E2=80=8B0\=E2=80=8BPaths\=E2=80=8B{dda3f824-d8cb-441b-834d= -be2efd2c1a33}=C2=A0 SaferFlags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Domain=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BServices\=E2=80=8BTcpip\=E2=80=8BParameters= =C2=A0 Hostname=C2=A0 pc=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 2=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BWPA\=E2=80=8BPnP=C2=A0 seed=C2=A0 1274198464=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-21-84292= 5246-1425521274-308236825-500\=E2=80=8BSoftware\=E2=80=8BMicrosoft\=E2=80= =8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2=80=8BShell Folders= =C2=A0 Cache=C2=A0 C:\=E2=80=8BDocuments and S= ettings\=E2=80=8BAdministrator\=E2=80=8BLocal Settings\=E2=80=8BTemporary I= nternet Files=C2=A0 1=C2=A0

17.b) ctfmon.exe - F= ile Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\DOCUME~1\ADMINI~1\LOCALS~1= \Temp\cb0f_appcompat.txt

=C2=A0 -=C2=A0Files Read: =C2=A0
C:\WINDOWS\system32\ntdll.dll=
C:\WINDOWS\system32\winsock.d= ll
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
C:\DOCUME~1\ADMINI~1\LOCALS~1= \Temp\cb0f_appcompat.txt
PIPE\lsarpc

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 6=C2=A0

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
unnamed file=C2=A0 0x00390008=C2=A0 7=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\system32\Apphelp= .dll
C:\WINDOWS\system32\SETUPAP= I.dll
C:\WINDOWS\system32\WININET= .dll
C:\WINDOWS\system32\WINSTA.= dll
C:\WINDOWS\system32\WS2HELP= .dll
C:\WINDOWS\system32\WS2_32.= dll
C:\WINDOWS\system32\WTSAPI3= 2.dll
C:\WINDOWS\system32\advapi3= 2.dll
C:\WINDOWS\system32\apphelp= .dll
C:\WINDOWS\system32\dwwin.e= xe
C:\WINDOWS\system32\faultre= p.dll
C:\WINDOWS\system32\gdi32.d= ll
C:\WINDOWS\system32\kernel3= 2.dll
C:\WINDOWS\system32\ntdll.d= ll
C:\WINDOWS\system32\ole32.d= ll
C:\WINDOWS\system32\oleaut3= 2.dll
C:\WINDOWS\system32\shell32= .dll
C:\WINDOWS\system32\user32.= dll
C:\WINDOWS\system32\wininet= .dll
C:\WINDOWS\system32\winsock= .dll
C:\Windows\AppPatch\sysmain= .sdb

17.c) ctfmon.exe - P= rocess Activities

=C2=A0 -=C2=A0Processes Created:<= /th> =C2=A0
Executable Command Line
C:\WINDOWS\system32\dwwin.exe= =C2=A0 =C2=A0
=C2=A0 C:\WINDOWS\system32\dwwin.exe= -x -s 380=C2=A0

=C2=A0 -=C2=A0Remote Threads Created:= =C2=A0
Affected Process
C:\WINDOWS\system32\dwwin.exe=

=C2=A0 -=C2=A0Foreign Memory Regions = Read: =C2=A0
Process: C:\WINDOWS\system32\= dwwin.exe

=C2=A0 -=C2=A0Foreign Memory Regions = Written: =C2=A0
Process: C:\WINDOWS\system32\= dwwin.exe

17.d) ctfmon.exe - O= ther Activities

=C2=A0 -=C2=A0Windows SEH exc= eptions: =C2=A0
Description Times
Exception 0xc000001e at 0xbae= a653=C2=A0 1=C2=A0

18. drwtsn32.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by lsass.exe=C2=A0
Filename: drwtsn32.exe=C2=A0
Command Line: C:\WINDOWS\system32\drwtsn32 = -p 416 -e 976 -g=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bdbgeng.dll=C2=A0 0x6D590000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BDBGHELP.dll=C2=A0 0x59A60000=C2=A0 0x000A1000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bcomctl32.dll=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0

18.a) drwtsn32.exe -= Registry Activities

=C2=A0 -=C2=A0Registry Values= Modified: =C2=A0
Key Name New Value
HKLM\=E2=80=8BSoftware\=E2=80= =8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\=E2= =80=8BShell Folders=C2=A0 Common AppData=C2=A0 C:\=E2=80=8BDocuments and Set= tings\=E2=80=8BAll Users\=E2=80=8BApplication Data=C2=A0

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager=C2=A0 CriticalSectionTimeout=C2= =A0 2592000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BSetup=C2=A0 SystemSetupInProgress=C2=A0= 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.iac2=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000020400001= 4000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.iac2=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.iac2=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.iac2=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.imaadpcm=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000110000001= 4000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.imaadpcm=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.imaadpcm=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.imaadpcm=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.l3acm=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000550000001= e000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.l3acm=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.l3acm=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.l3acm=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msadpcm=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000020000003= 2000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msadpcm=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msadpcm=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msadpcm=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msaudio1=C2=A0 aFormatTagCache=C2=A0 0x0100000012000000600100001= 6000000610100001c000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msaudio1=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msaudio1=C2=A0 cFormatTags=C2=A0 3=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msaudio1=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg711=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000060000001= 20000000700000012000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg711=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg711=C2=A0 cFormatTags=C2=A0 3=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg711=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg723=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000420000001= c000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg723=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg723=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msg723=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msgsm610=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000310000001= 4000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msgsm610=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msgsm610=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.msgsm610=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.sl_anet=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000300100001= 6000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.sl_anet=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.sl_anet=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.sl_anet=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.trspch=C2=A0 aFormatTagCache=C2=A0 0x0100000010000000220000003= 2000000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.trspch=C2=A0 cFilterTags=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.trspch=C2=A0 cFormatTags=C2=A0 2=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BAudioCompressionManager\=E2=80=8BDriverCache\=E2= =80=8Bmsacm.trspch=C2=A0 fdwSupport=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 midimapper=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.iac2=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.imaadpcm=C2=A0 imaadp32.acm=C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.l3acm=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.msadpcm=C2=A0 msadp32.acm=C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.msaudio1=C2=A0 msaud32.acm=C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.msg711=C2=A0 msg711.acm=C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.msg723=C2=A0 =C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.msgsm610=C2=A0 =C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.sl_anet=C2=A0 sl_anet.acm=C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 msacm.trspch=C2=A0 =C2=A0 3=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.I420=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.M261=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.M263=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.cvid=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.iv31=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.iv32=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.iv41=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.iv50=C2=A0 =C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.iyuv=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.mrle=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.msvc=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.uyvy=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.yuy2=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.yvu9=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 vidc.yvyu=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows NT\=E2=80=8BCurrentVersion\=E2=80=8BDriver= s32=C2=A0 wavemapper=C2=A0 =C2=A0 2=C2=A0
HKLM\=E2=80=8BSoftware\=E2= =80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\=E2=80=8BExplorer\= =E2=80=8BUser Shell Folders=C2=A0 Common AppData=C2=A0 %ALLUSERSPROFILE%\=E2=80=8B= Application Data=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BComputerName\=E2=80=8BActive= ComputerName=C2=A0 ComputerName=C2=A0 PC=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BMediaProperties\=E2=80=8BPri= vateProperties\=E2=80=8BJoystick\=E2=80=8BWinmm=C2=A0 wheel=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BProductOptions=C2=A0 ProductType=C2=A0 WinNT=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 AppendToLogFile=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 CrashDumpType=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 CreateCrashDump=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 DumpAllThreads=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 DumpSymbols=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 Instructions=C2=A0 10=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 MaximumCrashes=C2=A0 10=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 SoundNotification=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 VisualNotification=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8Bsoftware\=E2= =80=8Bmicrosoft\=E2=80=8BDrWatson=C2=A0 WaveFile=C2=A0 =C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-18\=E2= =80=8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BMultimedia\=E2=80=8BAudio=C2=A0 SystemFormats=C2=A0 CD Quality,Radio Quality,Te= lephone Quality=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-18\=E2= =80=8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\= =E2=80=8BExplorer\=E2=80=8BUser Shell Folders=C2=A0 Local Settings=C2=A0 %USERPROFILE%\=E2=80=8BLoca= l Settings=C2=A0 1=C2=A0
HKU\=E2=80=8BS-1-5-18\=E2= =80=8BSoftware\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BCurrentVersion\= =E2=80=8BExplorer\=E2=80=8BUser Shell Folders=C2=A0 Personal=C2=A0 %USERPROFILE%\=E2=80=8BMy D= ocuments=C2=A0 1=C2=A0

18.b) drwtsn32.exe -= File Activities

=C2=A0 -=C2=A0Files Created: =C2=A0
C:\Documents and Settings\All= Users\Application Data\Microsoft\Dr Watson

=C2=A0 -=C2=A0Files Read: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0Files Modified: =C2=A0
PIPE\lsarpc

=C2=A0 -=C2=A0Directories Created: =C2=A0
C:\Documents and Settings\All= Users\Application Data\Microsoft\Dr Watson

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
PIPE\lsarpc=C2=A0 0x0011C017=C2=A0 3=C2=A0

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
\Device\KsecDD=C2=A0 0x00390008=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\AppPatch\AcGenra= l.DLL
C:\WINDOWS\WinSxS\x86_Micro= soft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\c= omctl32.dll
C:\WINDOWS\WindowsShell.Man= ifest
C:\WINDOWS\system32\DBGHELP= .dll
C:\WINDOWS\system32\MSACM32= .dll
C:\WINDOWS\system32\SHELL32= .dll
C:\WINDOWS\system32\ShimEng= .dll
C:\WINDOWS\system32\UxTheme= .dll
C:\WINDOWS\system32\WINMM.d= ll
C:\WINDOWS\system32\comctl3= 2.dll
C:\WINDOWS\system32\dbgeng.= dll
C:\Windows\AppPatch\sysmain= .sdb

19. explorer.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by winlogon.exe=C2=A0=
Filename: explorer.exe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BBROWSEUI.dll=C2=A0 0x75F80000=C2=A0 0x000FD000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHDOCVW.dll=C2=A0 0x7E290000=C2=A0 0x00171000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPTUI.dll=C2=A0 0x754D0000=C2=A0 0x00080000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BNETAPI32.dll=C2=A0 0x5B860000=C2=A0 0x00055000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.dll=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINTRUST.dll=C2=A0 0x76C30000=C2=A0 0x0002E000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BIMAGEHLP.dll=C2=A0 0x76C90000=C2=A0 0x00028000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWLDAP32.dll=C2=A0 0x76F60000=C2=A0 0x0002C000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BWinSxS\=E2=80=8Bx86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6= .0.2600.5512_x-ww_35d4ce83\=E2=80=8Bcomctl32.dll=C2=A0 0x773D0000=C2=A0 0x00103000=C2=A0

19.a) explorer.exe -= Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BSession Manager=C2=A0 CriticalSectionTimeout=C2=A0<= /td> 2592000=C2=A0 1=C2=A0
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2=80= =8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8BCod= eIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 1=C2=A0

19.b) explorer.exe -= File Activities

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\Documents and Settings\Adm= inistrator\=C2=A0 0x00090028=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Device Control Communic= ation: =C2=A0
File Control Code Times
\Device\KsecDD=C2=A0 0x00390008=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\AppPatch\AcGenra= l.DLL
C:\WINDOWS\WinSxS\x86_Micro= soft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\c= omctl32.dll
C:\WINDOWS\WindowsShell.Man= ifest
C:\WINDOWS\system32\BROWSEU= I.dll
C:\WINDOWS\system32\MSACM32= .dll
C:\WINDOWS\system32\ShimEng= .dll
C:\WINDOWS\system32\UxTheme= .dll
C:\WINDOWS\system32\WINMM.d= ll
C:\Windows\AppPatch\sysmain= .sdb

20. dwwin.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by ctfmon.exe=C2=A0
Filename: dwwin.exe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.DLL=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCOMCTL32.DLL=C2=A0 0x5D090000=C2=A0 0x0009A000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.DLL=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.DLL=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BURLMON.DLL=C2=A0 0x7E1E0000=C2=A0 0x000A2000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWININET.DLL=C2=A0 0x771B0000=C2=A0 0x000AA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BCRYPT32.dll=C2=A0 0x77A80000=C2=A0 0x00095000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSASN1.dll=C2=A0 0x77B20000=C2=A0 0x00012000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0

20.a) dwwin.exe - Re= gistry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2=80= =8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8BCod= eIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 1=C2=A0
HKLM\=E2=80=8BSystem\=E2=80= =8BCurrentControlSet\=E2=80=8BControl\=E2=80=8BTerminal Server=C2=A0 TSUserEnabled=C2=A0 0=C2=A0 1=C2=A0

20.b) dwwin.exe - Fi= le Activities

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\WINDOWS\system32=C2=A0 0x00090028=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\AppPatch\AcGenra= l.DLL
C:\WINDOWS\system32\COMCTL3= 2.DLL
C:\WINDOWS\system32\MSACM32= .dll
C:\WINDOWS\system32\ShimEng= .dll
C:\WINDOWS\system32\UxTheme= .dll
C:\WINDOWS\system32\WINMM.d= ll
C:\Windows\AppPatch\sysmain= .sdb

21. drwtsn32.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by winlogon.exe=C2=A0=
Filename: drwtsn32.exe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bkernel32.dll=C2=A0 0x7C800000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bmsvcrt.dll=C2=A0 0x77C10000=C2=A0 0x00058000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BADVAPI32.dll=C2=A0 0x77DD0000=C2=A0 0x0009B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BRPCRT4.dll=C2=A0 0x77E70000=C2=A0 0x00092000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSecur32.dll=C2=A0 0x77FE0000=C2=A0 0x00011000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BGDI32.dll=C2=A0 0x77F10000=C2=A0 0x00049000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSER32.dll=C2=A0 0x7E410000=C2=A0 0x00091000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bdbgeng.dll=C2=A0 0x6D590000=C2=A0 0x000F6000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BDBGHELP.dll=C2=A0 0x59A60000=C2=A0 0x000A1000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BVERSION.dll=C2=A0 0x77C00000=C2=A0 0x00008000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BShimEng.dll=C2=A0 0x5CB70000=C2=A0 0x00026000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8BAppPatch\=E2=80=8BAcGenral.DLL=C2=A0 0x6F880000=C2=A0 0x001CA000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BWINMM.dll=C2=A0 0x76B40000=C2=A0 0x0002D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8Bole32.dll=C2=A0 0x774E0000=C2=A0 0x0013D000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BOLEAUT32.dll=C2=A0 0x77120000=C2=A0 0x0008B000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BMSACM32.dll=C2=A0 0x77BE0000=C2=A0 0x00015000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHELL32.dll=C2=A0 0x7C9C0000=C2=A0 0x00817000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BSHLWAPI.dll=C2=A0 0x77F60000=C2=A0 0x00076000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUSERENV.dll=C2=A0 0x769C0000=C2=A0 0x000B4000=C2=A0
C:\=E2=80=8BWINDOWS\=E2=80= =8Bsystem32\=E2=80=8BUxTheme.dll=C2=A0 0x5AD70000=C2=A0 0x00038000=C2=A0

21.a) drwtsn32.exe -= Registry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0

21.b) drwtsn32.exe -= File Activities

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\AppPatch\AcGenra= l.DLL
C:\WINDOWS\system32\DBGHELP= .dll
C:\WINDOWS\system32\MSACM32= .dll
C:\WINDOWS\system32\ShimEng= .dll
C:\WINDOWS\system32\UxTheme= .dll
C:\WINDOWS\system32\WINMM.d= ll
C:\WINDOWS\system32\dbgeng.= dll
C:\Windows\AppPatch\sysmain= .sdb

22. dwwin.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by wscntfy.exe=C2=A0<= /td>
Filename: dwwin.exe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0

22.a) dwwin.exe - Re= gistry Activities

=C2=A0 -=C2=A0Registry Values= Read: =C2=A0
Key Name Value Times
HKLM\=E2=80=8BSYSTEM\=E2=80= =8BWPA\=E2=80=8BMediaCenter=C2=A0 Installed=C2=A0 0=C2=A0 1=C2=A0
HKLM\=E2=80=8BSoftware\=E2=80= =8BPolicies\=E2=80=8BMicrosoft\=E2=80=8BWindows\=E2=80=8BSafer\=E2=80=8BCod= eIdentifiers=C2=A0 TransparentEnabled=C2=A0 1=C2=A0 1=C2=A0

22.b) dwwin.exe - Fi= le Activities

=C2=A0 -=C2=A0File System Control Com= munication: =C2=A0
File Control Code Times
C:\WINDOWS\system32=C2=A0 0x00090028=C2=A0 1=C2=A0

=C2=A0 -=C2=A0Memory Mapped Files: =C2=A0
File Name
C:\WINDOWS\AppPatch\AcGenral.= DLL
C:\WINDOWS\system32\ShimEng.d= ll
C:\Windows\AppPatch\sysmain.s= db

23. wmiprvse.exe

=C2=A0 -=C2=A0General information abo= ut this executable =C2=A0
Analysis Reason: Started by svchost.exe=C2=A0<= /td>
Filename: wmiprvse.exe=C2=A0
Process-status at analysis en= d: alive=C2=A0
Exit Code: 0=C2=A0

=C2=A0 -=C2=A0Load-time Dlls<= /a> =C2=A0
Module Name Base Address Size
C:\=E2=80=8BWINDOWS\=E2=80=8B= system32\=E2=80=8Bntdll.dll=C2=A0 0x7C900000=C2=A0 0x000AF000=C2=A0


Inter= national Secure Systems Lab
Vi= enna University of Technology, Eurec= om France, UC Santa Barbara
Contact: anubis@iseclab.org
------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/gif; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/shadow.gif R0lGODlhmgAEAPcAAM3NzQAAANHR0aenp/j4+Onp6YyMjLOzswAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAmgAEAAAIVAANCBxI sKDBgwgTKlzIsKHDhxAjGjhAsaLFixgzatzIsaPHjyBDihx5AIDJkyhTqlzJsqXLlzBjypxJsyaA Ajhz6tzJs6fPn0CDCh1KtKjRowUCAgA7 ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/gif; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/bgmain.gif R0lGODlhCgAwAJEAAO7u7v////4BAgAAACH5BAQUAP8ALAAAAAAKADAAAAIqjI+gy+jvmASwxrms Djjv2ikfGI5QSJlXp65Ym5Swgc60PNe2nuMwDykAADs= ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/jpg; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/left.jpg /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcU FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgo KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAAdAA0DASIA AhEBAxEB/8QAFgABAQEAAAAAAAAAAAAAAAAABQQI/8QAJxAAAAUCBAYDAAAAAAAAAAAAAAECAxEE BRIhMXMTJDRRYZGxssH/xAAVAQEBAAAAAAAAAAAAAAAAAAACA//EABgRAAMBAQAAAAAAAAAAAAAA AAABAjEh/9oADAMBAAIRAxEAPwDS1yrzZc4TUYozPsDV1rs5vOT4UJLg8ZVlRJzC1F6OPwGuPni1 MWmOAdFVzPnancV8g5eoQunW1O4r7A49TDnAPT//2Q== ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/jpg; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/center.jpg /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcU FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgo KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAAdAAEDASIA AhEBAxEB/8QAFwABAAMAAAAAAAAAAAAAAAAAAAMFCP/EABwQAQABBAMAAAAAAAAAAAAAAAADARMU UVOSof/EABUBAQEAAAAAAAAAAAAAAAAAAAID/8QAFREBAQAAAAAAAAAAAAAAAAAAABL/2gAMAwEA AhEDEQA/ANBZ0nNJ2FBdrv0XhKkIBi//2Q== ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/jpg; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/right.jpg /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcU FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgo KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAAdAAwDASIA AhEBAxEB/8QAFwABAQEBAAAAAAAAAAAAAAAABAUGCP/EACIQAAEDAgYDAAAAAAAAAAAAAAEAAgME ERIhMTJxwQUiUf/EABUBAQEAAAAAAAAAAAAAAAAAAAID/8QAFhEBAQEAAAAAAAAAAAAAAAAAAgAB /9oADAMBAAIRAxEAPwDoeOvmYQ4SFw+ON1Zo6pk8DX3AJ1CxdPObjMpLPIOp24cW7PrpVYhipsWo S4z6ocW4chIG0cJuBv/Z ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/jpg; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/leftCollapsed.jpg /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcU FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgo KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAAdAA0DASIA AhEBAxEB/8QAFwAAAwEAAAAAAAAAAAAAAAAABAUGCP/EACMQAAEEAgEDBQAAAAAAAAAAAAEAAgMR BAUhEhNhMVGBkcH/xAAWAQEBAQAAAAAAAAAAAAAAAAACAQP/xAAYEQADAQEAAAAAAAAAAAAAAAAA AQIRIf/aAAwDAQACEQMRAD8A0tss8wydqKuquT7Ja7NkvmZ9+HITPnIy8izdPcPo1+JbJOer1K2m OAdBW8a+LPnDgRbrHm0sJJV1t9dFmRl7rbI0cOCisqLszvjBuiRfyrFag0sP/9k= ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/jpg; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/rightCollapsed.jpg /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAYEBQYFBAYGBQYHBwYIChAKCgkJChQODwwQFxQYGBcU FhYaHSUfGhsjHBYWICwgIyYnKSopGR8tMC0oMCUoKSj/2wBDAQcHBwoIChMKChMoGhYaKCgoKCgo KCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCj/wAARCAAdAAwDASIA AhEBAxEB/8QAFwAAAwEAAAAAAAAAAAAAAAAABAUGCP/EACMQAAIBAwQBBQAAAAAAAAAAAAECAwAE EQUSITHBIjJRcdH/xAAWAQEBAQAAAAAAAAAAAAAAAAABAgP/xAAaEQEBAAIDAAAAAAAAAAAAAAAC AAEDESFB/9oADAMBAAIRAxEAPwDQ8d/MhDCQsPhjmnNndJPAr5AJ7FRdvPyMk0SmoNbrt3e7nx4r VijClKsQRg0706zkuLfeI2IzgGh9E09L2T1uVA7AH3+VZ28KQQrHEu1F6FOx8dQT7f/Z ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: application/octet-stream Content-Transfer-Encoding: quoted-printable Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/script.js var DOM =3D false, MSIE4 =3D false; if (document.getElementById) { DOM =3D true; } else { if (document.all) { MSIE4 =3D true; } } function getElement (identifier, index) { var Element; if (DOM) { Element =3D document.getElementsByName(identifier)[index]; if (!Element) { Element =3D false; } return Element; } if (MSIE4) { Element =3D document.all[identifier]; if (!Element) { Element =3D false; } return Element; } return false; } function getNextElement (element) { var Element, trElement; if (DOM) { Element =3D getChildElement (element.parentNode.parentNode.parentNode.par= entNode.parentNode.parentNode, 1); if (element.parentNode.parentNode.parentNode.parentNode.parentNode.parent= Node.tagName !=3D "TABLE") { Element =3D getChildElement (element.parentNode.parentNode.parentNode.pa= rentNode.parentNode.parentNode.parentNode, 1); } if (!Element) { Element =3D false; } return Element; } if (MSIE4) { trElement =3D element.parentElement.parentElement.parentElement.parentEle= ment.parentElement.parentElement.parentElement; Element =3D document.all.tags(trElement.tagName)[trElement.sourceIndex + = 1]; if (!Element) { Element =3D false; } return Element; } return false; } function getAttribute (element, attributeName) { var Attribute; if (!element) { return false; } if (DOM || MSIE4) { Attribute =3D element.getAttribute(attributeName); return Attribute; } return false; } function setAttribute (element, attributeName, attributeValue) { var Attribute; if (!element) { return false; } if (DOM) { Attribute =3D element.setAttribute(attributeName, attributeValue); return Attribute; } if (MSIE4) { Attribute =3D element.setAttribute(attributeName, attributeValue, 0); return Attribute; } return false; } function getContent (element) { var Content; if (!element) { return false; } if (DOM && element.firstChild) { if (element.firstChild.nodeType =3D=3D 3) { Content =3D element.firstChild.nodeValue; } else { Content =3D ""; } return Content; } if (MSIE4) { Content =3D element.innerText; return Content; } return false; } function setContent (element, text) { if (!element) { return false; } if (DOM && element.firstChild) { element.firstChild.nodeValue =3D text; return true; } if (MSIE4) { element.innerText =3D text; return true; } } function autoCollapse () { var i =3D 0; var collapseItem =3D getElement("autoCollapse", i); while (collapseItem) { change (collapseItem); i++; collapseItem =3D getElement("autoCollapse", i); } collapseAll (); } function collapseAll () { var i =3D 0; var collapseItem =3D getElement("toc", i); while (collapseItem) { changeToc (collapseItem, false, true); i++; collapseItem =3D getElement("toc", i); } } function expandAll () { var i =3D 0; var collapseItem =3D getElement("toc", i); while (collapseItem) { changeToc (collapseItem, true, false); i++; collapseItem =3D getElement("toc", i); } } function changeToc (element, show, hide) { var changeElement =3D getChildElement (element.parentNode, 1); if (changeElement.style.display !=3D "none" && !show) { changeElement.style.display =3D "none";; // double semi coloumn for some = reason necessary for NS } else if (changeElement.style.display =3D=3D "none" && !hide) { changeElement.style.display =3D "";; // double semi coloumn for some reas= on necessary for NS } } function getChildElement (element, no) { var counter =3D 0; for (var i =3D 0; i < element.childNodes.length; i++) { if (element.childNodes[i].nodeType =3D=3D 1) { if (counter =3D=3D no) { return element.childNodes[i]; } counter ++; } } } function change (element) { var leftCorner, rightCorner; var changeElement =3D getNextElement (element); if (changeElement.style.display !=3D "none") { changeElement.style.display =3D "none";; // double semi coloumn for some = reason necessary for NS //alert(getChildElement (element.parentNode.parentNode, 1)); leftCorner =3D getChildElement (element.parentNode.parentNode, 0); leftCorner.style.backgroundImage =3D leftCollapsed; rightCorner =3D getChildElement (element.parentNode.parentNode, 2); rightCorner.style.backgroundImage =3D rightCollapsed; setContent (element, replaceFirstChar (getContent (element), '+')); } else { changeElement.style.display =3D "";; // double semi coloumn for some reas= on necessary for NS leftCorner =3D getChildElement (element.parentNode.parentNode, 0); leftCorner.style.backgroundImage =3D left; rightCorner =3D getChildElement (element.parentNode.parentNode, 2); rightCorner.style.backgroundImage =3D right; setContent (element, replaceFirstChar (getContent (element), '-')); } } function replaceFirstChar (text, character) { return character + text.substring (1); } ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: application/octet-stream Content-Transfer-Encoding: quoted-printable Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/info.js ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/png; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/anubis_left.png iVBORw0KGgoAAAANSUhEUgAAAGYAAABkCAIAAAD7ddI+AAAACXBIWXMAAB54AAAeeAHLqwMfAAAg AElEQVR42uW9d5gd13EnWlXndPeNcycnzAzCIGcCIAiABJiDSIkU6ZVWwZYctFqt/LzPWsf1+nmd 1rZkyZQVbCtZ4UkWSYkZJJhAgARBgCQyCAwGaQaDyfnOjd19TtX+0TMgQFIW9SxS++j79Yfvfhf3 zu2uW6fqV7/61Wk82NkDgMAKgQHhbX2IvPYFOP1lCIAAFlB+lr+EAAK/oIdmtCQKiAX4bf4uVCQi YNkSEgAARP+iYGQFAABEtNaKiNYaAKy1iBi9frHx4W0/259sMgIBFGQQlLfZy8SKUUTDgwMVFZlE IjnzMqLgBZOBMAq4jsMibC0BICAisjC+dn4i9IvzMhQFQgCEIm+vsyMAy2R2/Pd+53evu+6GX/+N 3wABEASIfq0LXoPaIWNDEenq6mppaYnH4yYMkOjiXxSZflEmIxBCUcgKRAH8vA6aOS56kcnR3mOP PkaAJzs6TTkkIRRCIARAkegAscBGoXSfPfUnf/xHHceOolgiUAgojMIogoKv/+Pv4KEFeSaY/tyi g6AARAF9JkIJAEhog917dinNfpC3NhSIM134Xpp+szCgIMI/f/sb2pGhoT6WdQCaRQARAAQIhQDk F5UBNKCAyNt2Bpf8zXM954rF4pKli4YHx0REpu17SbZERGYeGOg9ffo0ErBEpxfZKPptURBRfmEm e0cjwvGO46l0uqGhwVpzaQa8YF8BBK31c88953muViqyLCK82fvhXW0yFEA+fPhwfV3dxPgEAM44 2RuxmyhFe1/aM/0pEZCf9N53lcnoQmxCnI6UInL61OmKiop8PoeEl3jNJThWhoeHxsbGEMFaq7UG RPg/yWxvk8kuIHsQESRElImJ8cnJyUQyWSqV2PLrTYAyfQAcP36c2YoIIgoIYpRR381ehiAIr9VG UbCWU6dOKqVc1ykUCoj4k2ITER47diwW8wREKRUG4Qz6h3d9LMMLKZCZEbG3t9dxHUc7oTEAwPzm mIaZz3adYWZEARA/CGYSOr4+UbyLTCYIFoEBQAAREERQ5Fx3l+fFgJQfsGVh5tcQmdCMV4ox4fj4 mAADIFvxfZ/FThf0giA0jXjfZV6GMlM243TBrRR1dhyPebEwNNayMcaYAFAABKah/LQTTUxM5HJT IsLM2nGMMYSI0/nhwtvkXbkwpx/WWqWUCY3v+9pRYRgISD6XK5VLb3rlZ8+eCcNQRIiIWRytme2/ AkrehSZTSgVBUCwWc7kpx9HGGAQ0xoRheFFUes0cExMTnucpUlG2DcIwQir/jqBsxHwNDg46juN5 XhAGxoQAMDU1pRRdQG0XsNtA/4CIAIKIOFoP9A8gkgjDuxpkXBrXEJm5q6sLkZSiMAgAwLIdHBwA EWaLhCxyAXlls1nH0REoA8Sx8bEwDCKY8u/FZNZaIspms57nKa2iIOU6TkfH8dCEETehiGSa5Jbx iXERgAjHMguL4zhsGenfzcIkIkQcGxuL6uuIpFZK9fb2MtuIqIgwGinK5XL9/f0XEiQAjI2PZbNT pNS7vMa8gPwRAAGttYPD/cpRjtZR/SSEfQP9E+PjilBYpsEbs6u1JgRhEEAkY0Nrw2Ixz2xhmuzG d6mXXfASARBGBMOG0RoTKqUssyAEJty3fx+IaCJhCwgkYgJf2AALCooAErGYjhPHp9Plaz/FuxqX RW4RBEH0r+u6USz3PG/XC7vCMLRsEREBRaRUKhaLpQhSiAgiAWB3d3eUTKeh778TviwIQgDw/cBx HCKK0Ed3d9fRVw8DCBJF9E6xWIogSMS/EpFW6vTp06VSkRT8Ahtx76zJBADAGIOIQRC6rgsAiCLA RPjoo48YEwhwlEmttUQqShSAyJaV0ufPn89mJyybX2w1/o56WVQwikixWIzHE1EOjUBDZ+eJAwf2 4XRhKsyMF6UOIhIRY4JDhw7gDJt2SVB7l8YyFBGtlYj4vh9RZswc1eqOo+/70b2lUikCFtaa133a GBuLxXa/+EIQlAH4Fxv437GFKUQUi8WjiD41lc1kMhKhVWAi7O/r2/nczgju20vZWmtZKSUi586d O336FPyfUTS9PSabXjgMwCxCRFrrCCYMDg41NDRGqRAArWUv5j380IO5fI5FgjAAIkEQEEEgIrbT ZNm2bdvCIEQgBA1CkcV/IUCN3p6lSAAAyIACiIjK0y4KI2Jff39DQ6PnxUUIQZEgMuSyuXt++C9K gWUrAEDIAmzFBAxWsQEUPHLo6OGDh1EARYgQCJBAwIq806v1bUL/ON0AAEBFhnn+ggURf10sFHK5 XFNTEwIyMykSEFfj888+8/S2x/fs2sXlwM+WpWTTOpWJ1zi6QtgpFoJiPv+Nr//jYH+X4wSEPkYM LShEfIezAR482Y1CIOrnh3oQgAStIAsgiUKx27c/8fWvfcVLpBAxk8lsuGLDzh07wjCM8gAJEMLI 8Mhdd951zZZr0snKZDytyS3bUjEojYyMDw8Nne06ff58tzH2qquuvfqa65OZlLEGQIjeaZJDfeq3 fhsBZzr4Py+TYaRLASARRMBUMrb1sa2O4yBguVzOVFTU1dUNDAxEDA8DC3A8kRgcGGyfv4DAyU7k RscmS6VAUDU3NyxbvvSKyzcsW7w6Ga88fOjQnj0vNDY219XWiQghvqZYQnkHYtvb5WWAVoAFySHP hoYw/PR/+US+VGTmKBts3rz5XM+502fOAACSCEiks8tni6l4xbw5Cxobmh0noVQcgGKeW1uXWrZs zsKFc4cGhnY898Lzu/d87OMfX7FypQCLACqKxHvvAHn7tpiMgBgMkogoYDJheOZUx2f/5i8NGCSK 0EYyndq4cWNXV9eZM2cEJZ5MlIsFEUBBsVgqBiZg103EYnGthBAQlEJdU125ecv6uvqak6fOvrJv /+//we83zWoBRJbpRP0OZIKfv8kQgIQErAAj6s7OMz+6575yaWp+e8vjT25LpdOBMUgIhMlk8oor rpjMZjtPnLjqyit37NgRBOVpbQ8QoUIKDfvILoELLFFzL/RDYwwoLpXK7e3z/+C//1F94ywB1Fpb ART+/6HJBEgQ0GazU9/9/g97zpy7Yt26q7dsWrx04a994teHRwaAEIgigYrSztKlS9rntA/09u/b 93KkdgGMOnXAkU4KUaxha1ytq6vSibjDbLOTpWyuqFWsUA43btzy65/4ZDpdIQD49rvZv8lkctH5 ESAiiYhY0aSefGrb1seent++6Mp1q2+++uqBkYmtTz0zMdb/zLOPOZ5GjRZCBkLlhezHvZjxLQoQ AAg7mhyFxWJOLINIPOYtWNC+YsXS+trq/NRkoTDluLq6ripfCHbvPvjqsbPaSTHTH/7BHy1bsSwE xogWRwSgGRIJeUbn8GYXIT+d+Jt+MAD9nEzGoLUOw9BxnNzU1Fe+9JVSSVYsWHz7Ldc0trU++ORz p493bFw2f/NNV+7Yue9P//xPnATHE3Eha8WApIiQxSAAsrANly5eeOWm9alEDMIg7jiW+ey5npf2 H+wbGApZGAmZtIGmlrpbbr0elXlu165SOTzZ2X3n+z/wKx//JJKaEUQCQCTqg2lwjQiXGu6tOuVF 7/u3mizq+yNiGIRaOa+88soPfnDP4oUrVyxceOftG7v7Bh577IhIeOcdm5pqGrc9tdvA+KbN6378 o8ceuP/RcpAXtI7jKNdxYx4BCLMCtqZsjc8cOG4iMAoACDGRjIu1ABwEITOhxBJJXQomWtrqli5f Qsp55pnngkDSibrrr79p6dKlixcvdh0vouq04/BFeqtLxR34k/E8vy0LMzIaMAjDg/c/uH///kUL F6+/bM2Vm9Y9v/voKweOzG2Jfei9N58fyD20fef6NcvXrVu1a9dLRw4fW71m0WWrVx48cGzHju37 Dr9cDn1HK0SxJgz8giYBMIEopphYqwkdlIpUYlZjQ1tLc7oqkw9LXd3nT5/qZovGiHJcVAQAGnUY mnK5TERtbbMXL16yYMGChQsXNdQ3ep5njIlQzgVHY6S3pt2nn4vJBImEBQHFyt2fvzsMbEtLyy3X X9fe2nr/k8+c6xm/bPG8W29evXvvgX37z9x+5w2VVbFHH9pbLJZuf/9VMc/b+czeXG7q5luu+fxX vnDk2FGtFLNlG/zyRz+klDAHGi2JFUGlnVRFxosnJyenus+dHxjqExUsaF/YNqt9+9PPHz5yQum4 oBIQRH9G5xG1UCUMQ2ttPJ6oqqpeuHBBfX3D3Dlz6hvqm5qaE4m4gAoNTxPl0xUyigggCrNSKqp6 RQSAIlv/fzdZNAailc5PFb765X9wlDO3bc7NN98Qj8UfemRbYSp/+bo5V1155SOPHTh7/vwHP3Ct Y+WBh7fV1lW/59brz3X1Prfz5QXz2zdvWX+84+hffPYvSkGJWRxHl4qF5qYG5QCixF1ySBKJ+Kym We3z21Op1LbHHj9w8IDjpVBnwiBfX5e+9dab8rnigw89IZgE8AwUtSa2DICIBACRKWb0NGKMiVqr RKqurrayqnbJ0mX19fXNzbNqa2urqqpEeOaDM+t4ZpKDSDPzv2lhElGxUPzyF7/sObHZbXPe955b At9u3fZkISxeu2715WvW3Lf1qZ6h4V/+4Pv9Yv7hh5+aO3v2e9674aU9hw/u69l45ZolKxp3PPtc 7/mJfUf2dPed0dqJ+DVgJoUg1iIJaEKWoOQpuWzlkk3r106MDe/a/UrPYAmhrLBIaO66646Kirof P/jE0GieYp6xBjHimnAm5oNlSwqEBQmFxbLVUYcQVBhaAAiDIJlKEVFjY2NNdU37/PbKysq21tl1 dXWZTJVSyhi2hrXW/6aFWS77X7z7ywk3Nrut7fbb3jc1WXjmye1hkL9i4+rla9be//BT2dGBO2+/ hVTyhz96YPHieTddt/m5Z/d2njhxzfWbW1pnP/7404R84y3XfPnrX9y1+wXX9ZiFSAlbABBhhUqY FE0PA1gTJOLeusvXLF2yADEQazxCTzuO4zhuvGzscy+8uPdQR2hAO06kA0S8EIPYWkNEIBEfhSIi IgREQAAQEQSRHzAzi1hjEFE7bnVVzeXrN3z0I78yrQ7/qSYTRBCazrLC0+MKANYGn/ubLyXdhjlN tXfdecNwvvD40y9JYXLT6rZ1m9Y99OjR7r6+O25d1ljR+r0fPVc/J/bBW6/d9sTu0yfP3XTdlY2z Z/340adq06lbb9hy+OSZL3/tS/39XY7nRBr/SE+GF7SeMs04Rv9p2SKK64BWipAUkiLleK5Suqm5 uaKqdseOndOV5kUF54WxjRnINv2EBIDlwmTZhYgmEvEJ0RiRhMZ+7rNfaGmZjaD0z4JKRCnFNlIF wLe+fo+nU421sffefs1YNvfU0/uDor9i6YK1m1Y/8dTuc+dGNm9c1TZr/vd/uLWmOvkfbrpl+869 HR1d12/Z2DJnzo8feqQuk7zhxmt27z986MDBqlSq11hwHUGZucpIhY2XDKMhRvkOAEIDoZkmfhEt 58uI2Dc0NiNMY601M8NFfy6CaQh48ZOI0ZSLIcdFLQucGZFhYe3oSOtMbykzwvTwEFsWRk/HH/jx QyOD2cbq5ttu2+hjfuv2vUHJzq2vu+aajTtePtHZObZ0UdsVa5du3fZiGcM777j61ZfP7D98es1l KxYtW/LQtu2uo2+9fsuBg0f3HDzR3NTwsY98RCkHAfEiOeMb21SRmANm5GYXHhdeV0pFI4lKqWhh vkXW/U2Oi74UAauqqhobmwgVs3lLJnttxFTAUe7BfYf2vXxgzqymG67dkM7UPvr4i4EPlUl8zy3r Ok+dfuVQd2VNzQ1bNj2/+0DPwMj7btk0Mjyx48VXWxszW65a+9TO3bl8/rabrn+1s2vPK4faGmvf 856bi6UAGFEIopU57RN4MduKiJH7vDFxI6IxJvK+aLn9XCigCFIQqSAIr7/uRiLFzEqpn24yBEZE EUYAFJwcn/jud767bNGyVcvnL1zY9vATe7NT2mFz3dWXTflju3bvSyj3hhvW9Y0M7D965oq1K+tS VY9se4FT9n3v3XLw8JGzZ07ddPWGyan88y8fyaTT773uqlNne/buO1xXUxf4IQGhIAjwdMSR1zna G80ROUK0DGdCPl4YfH1TV70kYL3h9eknCBdAb3VVzW23vc9ajrRy9JYimQACoSAKf/av/nr5kqUN dXXXXr3lyad2DY5OEZi1yxc2Njc9+exBPwjWL59Xk3G3Pr+juaVh89pVjz/2ylQ5uOGmBbl88Pze Q2uXzm1pqn/iuZeCkG++dvNEdmrn8y8qpA998EMKNTBGA8H/ymW/KUKMLi96EnkiX/oQy2IZWKbZ YhaxDMxsrA0NWxbLKGBDE70z9H0W6/uBIv2xX/nVeDyJUQGA8hbCv0zzAYrUN77xzZrqmkQsfsf7 3vvKgY7O7kE05ebGzOWbVu3YuW9sLGiqq1+/dtFT258LjVx37fqDh46f7Z1oX9i0dH7r977zfDKV 2bhhw/bndo9NTm1cs6KyqvLeB7aKtWtWrVi/fs0TTz5xquu0cpGRlVKR9vMtmizqtJfL5ZGhIWst aZ1IJBzHuYRouSgIEpFSSimltdLa8TzP8zzHcaqrqxOJOLN4Ma+xubGxoWl2W3tT06yLp+J/usmi 4KKVev75F86e7Vo4b/6NN1yXz+d2vnTAiJPW/s3XXHnyXPeRztNJFb9x85Vnu3s6zwxfdcVlmvjZ l/d7Mbntxs17XugYHcnedceWs8PZV0/3NKbjl69ZtX3Xy+OT2XltzRs3Xv70U88uXrjYS8QOHT2U SMdDE2ilhd/SDgERmkfEeDze2NwcedkF5PVazpfXHpHgwVqrrLLG2jAMymWlVOj7zc3NjuM0NTZe dtma1tbZhC5IVIfK60w2I0WSi3OWAIAQKICx0f4f/fj+lcs2LWpvXdTe/rUf3BOSgO+vXLMslUzt emIHK1i+uK2iIvXAk8/WVmfWrVv1wBNPhsa/Zt2K0MIL+zsWttS2z5n1jz/eHhi8as2q7Gj2zOnu dFxfd82mA0dOn+06c/stN5lY5g/++Pdyg12xdDIQUWJkGntqttPw4gIBeeE8o9cjSzlKo0MRhiPC aZwh06NjUWyazoOI0Qfxoj0Astns5ORkGIYvvLhn69Yn/+pvPltdVas0vhZUBfXrNToXWkTT05FC CMb43/zWdxcsWO663i03Xvf0M9vHpopWqLk6ecWGy7dvfyE/Va6qcC/fsPzFvYcLhfLN164/09N3 tnugNu1t2rjuB49uD63ZsmnN8c6ToyOTLQ0N8xe23//ojtAvX75+oXbUy/uPzJ3XNqdt9rfue/KG a2+4YnHbn/3t50v5QkyjirkAYq1VpC5k7Tec8PQSRkShSLoADNMD/AgSNRzYAkc0ORGKsEgQBAgg loMwrEinldbJZLKpsampqWne/IXLV65Np9PThQG+6cIUuuinkwt+R8I7d+2ayFJ1JnP9lstGJocP nehgSGiBLZsv6+8d7Dg5FtPelWvbJ4uFwyfOzJtVPatl1r88sB2tunzd8nOD/ee6+uY2NDW1NT34 z8+6qK5Yu/xMb0/P4FB1VfrytZc9/dzLwHLVxg17DxyZGBu99ca11ZUVmzbffNnqJa++euTpnbv8 oFDIT9TUV73Wvrp0n4wIvk5fGwlOJzskQmOMsdYYwxZdN0EM8Xi8rq4uFovNnj27oaHRcXRba2ss Fq+szKQrKhSR1toYY6zIDKkbobw3mgwvffKakmtqdPLxrc8sXLq5ta5m1fL53/rePT64StTclsZ5 c2b94IePMuuGVGr5okX3PP4is2zesPLU6bP9Q5ONVRWrViz7/v1bwdobr7r8wNGOsamwssJbMK/l 3gcfDYjXrlk2NjJ+8tS5BQvmxbzY/ldPVlZ4ly1a8L37tzW3zL3lhpvPdw9ff+37TnQeOnn6yMze GGqaWnhtJB4vFDpEFJqwXPaVourq6lQqtXTpsrq62lnNLZ6brK9vqq2tRaRohvhCpENCa5kIAdAw s2HLgKgII73b68GgvpRFuzC1MD0FaY2554cPzGpsJ7LXXr9+/76DwyM50Rm0wU1b1h84+Gr/+LiL savWX93dk+3rGZ/dXFdTV/XIM3tJm1Url/f3j3b3jLY21syb0/Dg15+1El+9bPbI8NDAcDGWdBYu mrPziRcZYNWqhceOdWUL4bUb5k+MjnWfG7vzI3cePnB4ctyfKOSOHT9RVZO2tqD0dEs5qh4tW0e7 zBJxirW1Ne3t85ctXzG/ff6cOXPiiQQRzcywAKFmO81rExDzDCWEyCyoVIQERcjKNMkjM8XZhbL0 J2XMaXsxCwB2dJw61z04f8GqJYtaK6vc++89ypgUg0sXtWdS3oEDnUzU0EBt7c33PbSLjN50+YqO M91j44XKSnf1ykUPPLAdwVu3ZlnHyeMTWd/zEqtWzt+166Dvy6rL5pVLxe7e4Zrqirraimefetlx nCWL5x460BlLViyY1/qDHTvIcQ8d3pdOJ0FCpZSwZbEIRKisZaV0uey7rnfLLe95zy3vqa2tA0AB HS0Ua8ACALjTPMZMH/2Ca15UVkZ79+D0c4EIh17g+18HD/WlVPcMvcuMqMql8L57H5i3cEncpas3 rN25Y3c+dAxITNvNm9a8dPBwrmAUwcYr15zsOdc7MNpcl2loqN5+/0uo3JUL5uWzxZ6BkWTcXbRo 4QMPPoJaz5tdDUynzva4jrt2ycrDRw7mjL9u4eKJ0cnhyanGhnRVZe2RU9sbZzWZQn50ojicHZuY 6quqSgtYEYyKSLZi2Sjl5HK5//jBD33gAx9USlsrIkCoBOhNVC0IP0fR6KUZc1ryjIgETC/u3quU xySrV8/HMp841lcSrZRd2F6fSqq9h44DxWbX1jS1zfv+vY+SBCtXLu0fGR0aKWsHVy9asu/Q8QDM sva2oBSc6ZkIgZcvaew+O1TwbV19IqW9c92j4tn57a1HDp0MxMxrqxsZzI8FsnJ25djAaDnEoyf2 VWQ0Q5mQQAgJrbFa6zA0sVjqL//yr1pmtYqgtUKkJep64tu+2dPrCiZGUcAOiM3lJ7dvf6G5aXYm TusuW7LzhX1lE1OKiIvXXH3Fnr2HjPHElK7atLqjs3dkvJRM6AXzZh86fMoAtDTXplKJjlOnBZ21 q5cePHiCyUl4qn1O25FTZ0OGxXObJiaz49lyVUUiEY919Y155Cye03rqbK9hmtM+69ipMwBqbKyX NAuKFQQgtELCNvQXzJ//+c//3axZLYDTjNkMyJiBrW88/lVm62d5+8WNE0AEQdYoWinc8eyzFela RFq9ZJ5fDDp7BgIgsuGCuU2pVMWBI2dInIbadFNL/dGDpzjE2XNb2WBP9wi6vHhBa3f/+Um/VFlR 1VhXd6LzlICZ3dCAxjk/NoykF82d03m20wi21TeV/XC4UExoXZVKnR8YTHpeTVXV+aGhsfFhRwyK YNRWRkRmD6mYzc+eNbsilY6oDoZp94IZGuTN2Zyfkfx5a16GKEBCBlWQnZx8ec/hxtrGTNpdunL5 Swdf9f1Qo3WJN16x/sDBV4uBMVxcuWJRf+/YxGhOoVm0tO3k6a7AGFerubNbjnaeAXQWzqnLjk8M Tk4w6iXz5/T09JXLYSoRT6cr+geGmc3sttl9/UMmDNPVDiXckfHRqriqAK80Pjky3JOMJxQjiRAw WEuos5OFP/vjv1g6f+kXP393aaoAPI3Ipq/8HVYxWmEBErQWik8//Ux1plkMts9tYqWPdp4j5TgY Vmdis1ta9x14FZXjxnnJ0vbDh04ZX6oysbrGZMfpbgZsbqh1tD7dOwiol85v7uw8bR1lBdta6s92 9ZCoutrq0Mp4Nu86ura6rn9wFIxpaMgM5XK5clBXmQqyPhsZGO3FWMyiK0jRTj9FP6irnzUxkr1h y7XXbNry5bu/lB2bFMtRN1XeKTUjXSKkQwLifCF7+NDxqkxDzNHLFi84fLyzGBIIkgSXrVra3d2b zZYZeOHi2cWyf753lJDmtjbmS9nhiRwAtrc2Dw8P5wOTjCdb6jOnz3SL9hLxeG1VxfmBYRE9q7Fu fCLrB5JKeKlEbHB4IoZOa3PjwOiUz1RVUzU2nvdRTQTZULs+xhgIQQCkWCr9/u//YWtr2xOPP3HV xg1XX7X5i1/44tTk1OtVze+cyRCBARH37NnneZWkqKGxora6prOzG8lFxphLy5Yt3HfgKKJLEly+ dtXhVzuKYSBi5s+d3dc7WAxYazV3VuPZrvMsalZjHYdmcCwrQE21laVyeTJfRMaG2szw8HBopSKd AMO5fNklp76ytq93DMmtqasdmMiWkQQs2sAFTrCv8mPFoV4M/M7OE8tXrUhlKp5/bvdNN9y0Ytny b379G2wtIV5adL4zJhMQ5nLRf2nP0drq2QL+8lVzzp/rHx/NiQVN1NLSJAhd3X0gqrWhKpNKdXT2 GLLxpNNc39h9ZghIpROJqnS8p29Yg57dWNs/MFZkRKG5zTUDQ6OlwBJSfV3V0MgIA1ZWJGxgyr5x HEynUmPDYw6qisrM4PgIIuupicRYn9N/WnWfaClObG6ta0nGhnp7n3/xpcuvvKq3t7+7+9yNN95k A/P0k08pVG/7Jn9vNBmJKIQTHSdt4GmVTqadtjm1R189rcDTBCC8YsXSY50dgRUQXLZg9mDv4GQu ZAozlTESGBsqsUh9TZXYYCJbcki1NFT19o1b7dmAZzdWD41MMGnXdVNJdyI7IYCVValcbjK01k06 qFW5WNBi00lvKj/s2nJNIb82YW9udj66rPquBVWrkrSirvqaDZtOnu7OFv3FS5a+/PL+lpampcuW 7Xj22XwuRwL0jrjZa51RRNFEu597ua6uxUrY2lJnw2BgaNwCgZVE3G2Z0/bqsVMaPZfNyqULjh0+ huSEYma1NUzmSvkiAEhTU+Xo+KgfcJyotjbdNTjFytOCdTXeyMi4KJ2IKwAoFGUBFq0AABd/SURB VEoIUleRHp/IseVMJm6FS4WCqznuqkI+HwbB3Ex8U2NyRTpshUJtMFVhc36ptGzJirltc/YfOrBs xYIg8M+fG1y2YklDY+szTz2jEQkMRTw1XqJ9AyAUIiEloAQoQl7TuxlGldTFCYRQaHp04U1NNrPd phjyp8anRs5PxWJx1LkVC9vPnx7N+sYoAJHWlirfBP1DBWDdUBt3Y7qnd0iEQaS+qfL86EiRSQPX 13l9YxMsTnXCUZ4dzAbAGEPO1MSGx3LMVFvhBWXxfXQI69LJgVyZBWoyiampgrXkxZSjdLGIk4CO V0qbrGcNABmiUIXdk2MHjnZuWL1sYOAs6bChvrbj+NnFixbU1szav/9I3E1YCBCVABkQJgDkyHQC yEgCQsJKmAQAooTGSoQEI+0lA0b1FgrhT04lF4d/ennf/lS6ghAqUvHGxsYTJ04joYBVuty+oL7r 3Okyi0+2ecm8ztGJ8UCIJUbYXF09OjCgQGJKZSpqhsYLBqiyKm2Kk1gYSko+GVM+xMYCrUBXJtJ+ 2fctoRfT6fRwPhdqrKzOTE5kmcHzXEQqlcMg8OOuViwAYAkFQDF7qF7teDWZSSYSqZ7Byfb29nPd 3XEx85rrxrP50cli6KQDBEuIQGRJMSkGQLEU+k657Polx/iaQwWMCOKIxECUEtbMmlkLE1ggy2SY 7E83maPdl18+mKmsYuu3NDeWfDs8NsUCAK7WurWlqftkl8MKubxoQcvZM92MnkUd99xkLJadyCqU mKPibnx8ooQKYhXpqbINjAGxXtxlcU1QZJ6oqnVHRod8Dh3X0aiDbD4FqjZdNZHNW8G45wZhaIxI GLqkkAERrRYBiQPFoTwxNTI0mm2fveDk2f6WljZAGuntm9tcn0xVnj3V6YQmJoHDvgZREs0FEYAg Ws3oWEexg6xRItbCMoKlaAkLiSgGEgZgS2yJf2pZjgN9QxPZXHWtB1CaP6e1r2+wEDAoR6xbWVWZ 9Cr6u0djEovp8uzazI5tXSQ60I6XjFmAiUKBwSZiMUQsFH3FfiyTHM2bwFgVToW2cOTphwf2PFQo jDzy6mPZQnHEab7h5vcRSVAuK5B0KjlxpocRMhXJUqlkLJMxDjAJWBSLokA8loYEjY/09w0OzWpo fPX4Gfcqx81kevonFi9or6uqvOfrf3f95Qvb2mZXtc616WqdrnW9ZMxxUMRlFtYijgAqFBKDEgqK JWUIfEASIEaaCWYI/1r21dNEMGDH0eMVVbVCkHL1rMb65184FIgWECXBrIb6XHayUAqNSqZqqww5 Y5NlK3FNNpPyCsV8mUNfQiTo6jl1orNjbGi4MHVqsu/UxKnzNU5+CoLwlfjCkGtTjoO5bCr2Ym6y wrWBDYrgWw+Vq3KFEignHvPKgW8FFFhnRjATqWiscF1CDY4ODo9NLF80X/xS2fcr6+q6BsY3bqhu qkl37zxqYude2Yud2fKsjdfv6xqqqJ7V0jRr9aJ57S2NlXVVGE+QTiCRA4ghM5IBJZp867vKtQYd oKjRSVHl+pNMJiJKaRI8fqwzmaoUxPrajKexr28IdBzIJ5lsbV3YN9RrFPqO8WqqByazJWtcO8rD 4+Pj5a29Rw4cPuukK8PB4MnHH07MWplKpq5Yu2wqVSIcbZRsjMSGZQ2soFBmMuwpG8/EHLCWgjDm ui6pQskHJM9VZd+3gEGx4BGJEkarmRGAkVMaVKkwPpb1HJVwnPGJiaaGzCtnzgtgY20Val2Hfl45 7/8PvzSoq8dUrfKq8rncw/c/UpdSc+dUhwjipWvrG1cuWdjYUCNurERxxZRAFhsKaMuAQARATIDA +OZW0xHbq0Gd6zo3Z8mVhrm5qSE3OZEvlC1lEHzlYGVtTeeR8wAOcmFObezcnudObb/PTp5viulY xh3TFR/50KfLXqK1Qm999CnVOBeNeeqFF//4Vz98z/NPzmuyEJQcSGouGwTRcQAdohNLVAQ+k7Gp uNIIpbIvggnPKxRLSNovFeKuY8EIgGsBRazidEyZsalioezbIB5PDo2Mzmqs3BOGU1MTlTXVQaat KKO9Id913a3/47PfbJ5/hYCXSSckM/KxX7k9pvzqmjrlpbMTY//y9bsnek/NmdPW2L70svVbamfN DZRjVCwkzdNDV/yv1PjaWuNop6erR+tYlA1aZ7f29p3n6f09FDlpN143NnrKCf3Bjpe+/eAX57l4 S2O6si2jg4DYHsuOPnHv91Zce9vtH749my09sutUQ1Ork25+5IWO1e//xPHt32tLpeIheGSIlbEx scpgXCXTk8YWEWvScQvghyEjJBLxQtkXAeuX4p62CEyAHJHr5AA41oZ+ObQcr6gYHBldtbjZIZ6c HK+sruHKtudPd37qS1/96g8frW1ZCjahLUqYq61Mr1yz7Ovf+OauF/drcv7yd3/L7Tl7c5UTGz5T 7D312GMP5ysalqzdsPbGW9Kt84qoGQlZptnuSAYfNRtkmoUlrRVbv6/3vJusR1ExJ13ZUN81OApg XDEYYkInkp470LWrY+vfLht68dPzvFsawlnOGIYFbUppk2tMwNXrlnzmNz+Zrq+/4ZarkjzAUqqN Nxw60lWzZvNwVUsWXWTfWCggaSiWcUpiHEvGc6WCMKXdeGBcn0NUfsKN+/lAE6vyeEKFCCIgRUcF irRVriiUkg0LxbypqExMThTi8VpPqeFJv7E2VZ+pWfIff+vQydHh0QDjtQEh6PLw0IkP3HljWsHv /Ponf+WuX1pz2dLs0Kl4eaSiNJT0J5IYLq/kze5AYv8Dj/73T/zof/23cLQHSQQVKM0InhWHxRKF 6BArJWDJRoMYdO7cuYrKFGC5IRN3Azs5lAedKAOTMqrc+83/+X+PP//IB5Y2L270Sirnu8ZhTIeo RBix1vP6D7709EP3/fWf/9WXv/CV973n5tGec6id5nkLv/SP3/2N3/nzjgnJJuIl5SpQmoXLJqG8 uHaCIDAs8aQXBmUJA0JwYvF82VryQgYrpNlLBLFY6HpGxyw5gIJBMSxPlQrJVLxY9I2VeCI+Np6t qqxIxLzOc0OPP7m7uXU+s0HwfX+8bXZD4Je+853v737pwBWbNv7X3/zVXQ/f116VRuFAiaDREAZB 3iN/UZU0jZ354Wd+vfPRezT4ZY2MGGk2SYTEYqTZByJmdhyvr7ff8xyBoKUhwdlykAOfNTmIhaFX fvxPie6Xr22O1fijFE76GBhHiyXPgkY0ytW+X2OmOl561hX8zd/8zNXXXDu7vqpYmgqA5s2/7E// 1z99+P/5i30TOKyShrQFxxg3TvEEOaEfMqFy0YQ+sRCDdt2pshXyEBUpbYAsOgwkyIAGwRKJZVso FBLxmDXGmCAej01M5lIVmeqaqlf2HZy/5HLfKgUmRqXB8yc+/ME7Vq+5bHQi941v/+Dr//yNoy/t KHV3VIJlobJSSMZl45ALCj3ya0v911aZ4/d8df8jP4yBFVCGyBIisBZLwIwIogiRAGh8fJJAA0N1 fWp0YspnQrI82dP1zL23tSSWxMuuTFhV8BSnrGg/FId8DEGRAa1QZqWg3Hv20//5Nyoy1QRwx21b RgdOOmSNjs1asuGv/v6eX/rMn/XFm8+UYMKryKLrxBKeo8PAAlA85paDsjBodAh1wCFySOWyByGr cskplZ1yoMuGQiFDwGg4LJaS8bgJTLlUrKhKT07mtONWVlbE4+lAYsIqRna45/jtt26pr6v0YvHf /K3PrNqw4f233rzj+99eXO2RKQkqAA1oHS4nWTgEA0jaqmBkeRWceOD757Y/4bCxBBZRCWixABZA UJSOthFA0CAOAlY31nSfGi4rxvJQ3+6Hb2rWczCH1pQcFkI0GDMoAGUKrMMEguJYzQ74qdLw81vv y6eb9u7evfma9b/zXz7+2b//TvPidVbFFy7Z8tVvbbv+ursq8t27tz6YUzFxPa21DQ0wpDw3X/YZ XRLSStmwEAODxXwMA5dLaEE0gxCDcJSOLNpSkHBdBF0o5VMVySDkctlPJDxrBQQ02vx4X/uc+vfe cv0X7/7i+MTU0uWr33/nLd0vPOH1n09XsSFLoGNWjBKjjLK+q1KGvRARVUFJeWk6cezhH8xes55T lQxEMr1rKaNCIELEcskvlwIi7al4OlPRNz4BUOx6advlVWauk9foG1TEmqwD4BjSloDERtvaETAj EEprSu978r7hrmPNDXW33faetcsWfurXPnD+7GGSEIyes/Dy54/2Pn9u6tpP/aHXvtLXjtZgTACA cdcrlkMG5RFpArY+ohEbihsH6yZsnMKYYDpQlWWVKbIbkpMvFmOeQ6DyuXy6IhkYG9ownnAJlEY/ yA+7UP6/PvWf4rH4Jz/1ac+LH3hlb2nozK57/3lRRYwCnx0BFMcCCpUd8h1RIjGjlYkBpgQgTgXK 9pzdtyuGVhAFtABaFEamSMXIDIbZqiDteSmiwkQ223+60YwsTFoFeV+FTKwZXauRdYgqJEJBxYgA JFZbRINxDFpVkQd7Pv2fP+2XnAcfebQqpT/90TsGOvYBlEOAyvpWrFz4oycP9YyH4Hqui4HxAVXM i/lBIMwk1tXoG5+1l4fYuKrqpcyJcuLVcvKlcTpS9PK17ZkFq6YMlkLjKK1Qlf1iLBELQymXg3RF ihBLU30QjP6P3/2vj/z4R3v37osnM//pk5/8+Mc+svuB7zdj3rM+YVRViqCQKGDPggIMCUokllgh K5KgNimde56NQQAADIpBRdUogmgA9H0/FotZKlelPSgXpVic6j59RYVOmHyomBUqaxCIJOKaIi6F UQRBCKyyypIKTblRyXjXiafuv3//mZGy5G686dqKWLrKTf79P99b0dAa1xkfMo2tK6dOlxG0IrA2 RIXa0UGULkE0QcjsY6zkZGxjm14QT9c3ttbXxpJVhSl/tL+3f9chr4JMpAAgXSr7GU8LQLFQisfi WqukY3/v9/9bdSI2v33+P3ztW6nKBz/x8Y9MDZwbPvTiygyxb0mIBAXZEKFozyAACwZG+yAE4ihA YIlrLgx0FSfHMJOKClDGCOJaQivZqXEnlsEwla6kUgj5wHcm+5tdHzAQccmqyLwWLSMDMk4PVSAI MqJVVlBQSFu7JBWc3vrtJc3pD99xB0P8e/c/ODwx8IW/+N1qpzTSd8qlUHQQGFQ6weSKRVd8V0sQ GiHHOoREXDYKfT/mBI1Lj5Uy2zvG7t3+6jce3PXAzuOHe0SoEQMTmEAQRHG+DBUxEOJSLqyKJRNJ 76Mf/MCJ0ycDxVesX7d+9cpUiorjXS/9v/+wNO04YRlJGCFiMhgtI0s0gD19W49Ih8Ei6NgwUZ4c 7DpPgEAhIyombcESagKYGB8jclCc6urkZK4wlc8mIYwrK8wkDsjF0xn8xhkKG4kqGR3HQVNamILj ux+66tpNn/u7L/f09t391/+zqsL55Y+8t/PE+a3P7AZPIMy70V4qIgqQtA5NyCjkKABEVmHAATu9 o5Z0Q7KSYgRCRKIUK1JZAuNbH0lIU9G3MUehgvxUoao6QyQg4be//72HttX82p0f/thHP9Ldd+z+ L//tEi9M2vIFadUlqtYL+yJfWiAp4BhIUCqztaBAgEiIwFpAAoByuYyIwrYyk5rIZsuFyZR7YSCG 36LGVykVhiERxSGYq3Pf/9z/WL+4bcv69VU19dt3v/ilL37u/Tdf+bk/+e0t6xZxcSThMEkoLEAa lBuEPoJ1tBagwACAJ5CMxaoF0oIZwwmBmLEgYJXDTKHhUACI0C+HjuOQony+mErFHdfLZoc+/sEP j/Zl/+yzf9vb3/XoV++eY0YrqYgS/GzzWSJaYaGQV0hwqQWiDcJCpZUiSKcT+WKhMDmSiSGAMAsI 01tTkkczMNZaREhj0G5Gzz7yrZs2Lr7voYe++8PHVq/ZACrQ2lZVJrds3qQ0kqIoIilSxhgQQSKJ RG3MgMwcIFqxRgMoYY/YodAhI8awYRDUjvJ9E+mqiwXfizmJZHJ4cmzjmvVN6cqP3vXeH33tc42l gRZb8MSXn3VMXwABhocGlcKL7v8EAqARsVAoeq4LwPGYWywHEhSSyopMi3Lf+njmhdkCB7nO5hIU fvdPf3vlBz7VUFW9afNNI0X+7Of+rmlOc9GIRYdRs4ijUKNwaBE0omK2gEYg1LpYKvYbgyjKCBgT Wr+AYgoT45naFggpmmY3IStFiqhcNo7rpJIVufECavi1X77jh5/9kxY72ODkwQbEWqGy+DNcC4CI 2DAIHK2CwFwwmBBoRMxOTiYTCUXoeV6h7JtiLoFGABFp+vY5P0uDUIklG7KjNPLihD303buvef8v z2mq/eu7/3FgeHLd5iv7hjtEuYKaBaLN8tgKgkIiEQYwbEuzGlOrlrUqVAq1G0unkqlZTXVVmczh oyfvf3gnsRYBpTAMo+FjNEa0Jkc5pampfTu3Pfy1Ly3VxUZVBC4Z1BY9eWv3VLugIUUAAhFh4IgI mt70CQC1iIyOjWndoJXyXLdUDtkvJeMoQoAaxcLFm+q8tTafA5xF1ygvZcrrq+TU49/6yv691936 8RfFX9I+58C+VwUJBJgBiaKVKACEBIDCrEDWrVxRFY+97323EqLSqe9857urF7c2NFWePKUs2Cie RBu8C4hWOvSN4yjX1du33tu3rbwqrVIqbzjwrKPEKesoBv1sK1NRVHLY1w0GTc9Ls3C0K1sQWmTr kczMYf3MHWgDWCbtoNbGkgQxLi6O2Xnlvh3/9KdtSanS1uYnPGQFIsyAJKhERJAxkl5YREMavC98 9u7hvmEwzKF5ee/ex594zHAg2oiWUIyIaE3GWABQWgWBcRyViHmSHVhR7daanGI/IMdgAkUjhADm Z27xTm8QbC/armSa2EAUTymNWgOwDUIjYomTJnSZdTQ5ivaNBwCBuCgKBRnREBlCS8JKLBJa40pI BBaVQ5gsTayrh6l9W//xMx899vIL1nFC8oBDIANoQZRmIkQDSkT5hfDo0TPNLfOf37WTMDSW/VDt 3n1wfCzLxljwAwossEOCEIRCHnhBaF1HUk6SrI6xr7kASIDEgIykGNQl3ckLO+bzGyfLprfbFEFk jwKHLIIlCBkpJBcFiVlyuRISRtyjZfEJC45YZQNlSw5YRBAVHXjRwdOdVZaZDisJagZtgQAu7EMj oAwQKfCCwnzIXZGGGlvw2CpRrrUKwTCIMHCJKAzEFwiMKe7Z/1LLgrY9e3YZ0f2jk8P5QrZU2vro Ng9iyneVjYXAoqzFsg+otVNkU4bQ8TwD8WjToGi8T4mVmbt4RPfnjNrAlqJ2suJpsHnxMf1ORiVs BYFp5r5IQCSstdb5fK6+keKoyGhlrLJGQBvi6IaC2iot+IZ5DgCylkIRJhAS1EIkRIyCGKo3DX5I qMEilgrBaM9g14n85GDB6rxfLIV5UD4oY9FnFZa5fPsH3jtvTlNazQ9FxTOxj//GXfXV8dmNDa+8 dFpTUkJXWeWCIsMSWAcJxIpF13VFWJRm1MhKIQAIkzDKzEQvzjTDo2UHjGLf0BYREAa04JgQfasN KUILggqMklArpXL5KUAWJSGIcNkRJnEUWyWM0T1AL+SaiyKbYtDTMDcaXBALYrQWIIA3bTWL4TDm qOW1Tt/Bx7/7yo8ZIAf6q9u/NDFlDauhGHTeW907OFb0pX7B3PJIHcQSX9u/21rfL4y9Mt5bDMOe KVW79EaGOsXsATjCyoCnBDmwITsaXLIG2CIBowYhkDAaKAUBmZmfESaJ7vUHTGKB4RLkJSBAABrE MAujkJKZDyqwWoRzU9menq7a2txUYZIo0MAMcYvaBQaEQLElGwm1L8x8C4gWUkIhR3xpgBwCiSVg QZdfP30anbMixDBYUplcgBS3oCQ0ijSwNMQEFUhAlAsrYgED4pAa77VahUyepSSgiqupBB0MiocO PJnrOfyjXEdv3/DI6MQT7kjH8fNDY6M7Hyr2dZzg4pSYCiYCUQRWYHpzXyUkUfhFYSUBGAYhIm1B 22juHqMLQ0QRZDGe8q0pOWDM9B4ESkAs0P8GwRd06Efe1xkAAAAASUVORK5CYII= ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/png; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/anubis_right.png iVBORw0KGgoAAAANSUhEUgAAAGYAAABkCAIAAAD7ddI+AAAACXBIWXMAAB54AAAeeAHLqwMfAAAg AElEQVR42uW9d5glV3Uvutbau6pO6pymZ7on59HkqEmaUQQkEAKDzeXamPds4IKFkfE19nXE6TmD je1rgw2PC5jkR5BASALF0Wg0w2g0scNM55xPDlW191r3j+oejYQEyEbiPqivvvN111d1uvpXa6/4 W6vwbNcI/Ng2BJCXcboggAKQ6Cq55lpEeWXvVECAgCyAaEH+8UFGAPjcXYlEn0opADDGIKJSKjoe IYxiF1BmBGBhRQoRbIThK/pwAQCE0Wp4pZ/P97kNlufuBUQhiYiAiLWklOc4YWiAGZ+DVQBk4Ya5 VCrmctnFi1stM6B+paUMBYSEQDQy/fjWpQDYq/dkrdGOUy77IyMjK1asYETtKGYG4KsLEwVAEFAA 8Yuf/+Ijj3znH/7xY9VVNUAEr/ijJ2QBBAJQP6adUBBFUBiFFQIRoNjOSxd+73f+x0DfFYUCbEAs iszvAAiEQiRkKuHlzm4C/OZ933S0B/yCf4QW9h/R3YpCVigKhAiAf0y7CBAjCaIgsiCAZsHJyVHt yCc/9QmMlqOQgBJQAiQAjMwEAmht6AcFpfn4iWOhDRAY5XnfL8iCP7q7RRayQlaQacEAvfo7COKC Llv4FGGRIAx6enpGRoaZBRFfaDOj60WUog0b15VKpcGhwec03cKXP0/9/Qh3lB+fInuBWkNEnMdC K+V57uOPP661BoTvQWH+fGtNS0tLqqqqo7PjVTbz/6dsIgAiIPM28emTJ5Si5zyMF54sAJieSzc3 NZ07dw6QXzXTT//H4BWJPWqtrbWIMDs7OzU1+Tz5QnmeVBIWCvnq6uqeKz0LyF5dyLig/n+SIZvH QUAQUUSYbUdHxzxSKC8QIhFhy+VyOZFMZjKZdHoOUZBwAbtrVeRPKGSRcCBiGIRKKQGJxbxLly4R 4UvrPiwWi67rKKWuXLksEomYPGcpBF8J1H6MkL1AqSOAgIgfBJHPysx9/b3MLx7PRcdDYxztOK4z MjKCiMwMz1lY/AnUZZGDCkKRuwEiLNb3fbYCgAI8NzdrTDiPrCDIVfXEzGxZ/ICBlOfFBgf6UQRk PjIAAARGsK9E4PnjXZhyjaoGRCFEY4x2HGYWkXw+l06nr5EaAsHIOTImMMZYy2FoYl6su7NDqYU1 PC9ojCI/yboschqYraM1sxCRiIRh2NfX+6KnlyvlQj4vIGEYaEf5vm9Co5Sy1v60OBmROgeAIAwj q6dIeZ53jZRd68pDGIbGGAQ0xjiOzudzpVIpCIIocfTT4coKiDAijY+NO1qLCCCIyPjY+FWf66rn pRTlcjkAMCYMwsDzPMdxJiYmdHThT48ri4hhGMzOzUYiJyKOo7PZ7FWvjUWQkNmCyMTEuGULAGEQ KEWI1N/fz8wviEl/ohcmIVt2HEdYJPrPRURgLj0XBeMiooiiWD40YWdnh+s4kcpTWnmel81miein SJcBACmVzeZm52av6i1EHBsby+fzpGjeF5MIUjsyMhLluK21ACgis7OziEhEPw2QIQCCILMtlQrW hsaGiAQCIKwJXa2FGUEQQVgUYXpubnR8TAijCMnRWjlqYmrMWovX+LKCP3mQoVz7zyFiZ1cHi0Ei EUBBYBE2JvApsgZsNRGInH7mdGBCQbDMSiljQkZr2CACCD/nveJPrF8mgBJZuoGBAQBEpMgaIGKp VC6XSyKCgIho2YZheOzJY57nRee4rhsEAQBEn4DwU6LLmBSUy6Wenh6tFEW1D4TIjSiVylFqCIkA 5MLFcwMD/ZERJSLHcXw/giz86cmXCYBYNtlsenh4WCnNNoquUUSIlLU2sowCbExw3333EqEAR+Ve 13WDIEREY8xz3ttPLGRX9TMKopw9e8aYQETomowPIkTxZhQ6njlzuru7K3JKIvsYjydKpZKILJz2 0yBlKAAcBJXjTz0Zi8WMeaFjZa2JHI5yufylL3/RcXQUgTNzlCzzfV9EtFYiAj81rqz09FwZHByM 2AXW8rVRgbUcBQOPPf7Y2OhotCoBRERqampyuWxkB2KxOBHBT2DAFDlhwAACQggagcIg/Na3vjWf Mos0F0KU/QKiIAxYJF/If/1rX/VinrUcfQsitbQsmpiYjFa41pqIWGSh+PhKOWb0Kq9BERawSAAE RFG1HM49e+782QsoyAbAKhMwW2EBIBQAy1Yp+MLn/y2fzSMDCSIoEfK8eEvLotGxMUREYU+7iAow SjIyQFRy/NGjpl/d9RdFzQQCCEDoKweHh4Y/8fH/WSoUiBzPS7hOIuUoYT9fyPkmFLAnjh3Lzs49 8ch3XNcRYFIUWktEra2t+Xy+VCwCQGjM6jVrDDMqEmHAKC+Or4QF1a/6uiRmAUCldCHrP/7Yw08+ +ejilta9u65fuWJ1c0tLU1N9wo3HVNxwUCzn88XMY0889rcf/UhTcxMLC4BhVko5jrN+3fqnTz6N iCLg+2FDUxNIRFp4JetLrxJkKFfVCgqigCJ9pevyv3/x85qcm4/csXXr5tYlzVZsJpOdncnmZudC P1AKUMt0evLEyafrmhoMWEFEVJGt3Lhx4/TUVCaTQUAQsQybr9ssQCwRP09eOcP5akAmDCKslBLL gpaQzp87878+/enDB64/esPBltaWy5f777vv3Mx0oeIHAGxtOQxLE5NjfQNXCuVcqiYBCgARAZkF AFavXlVXV3fs2DECZGYiWtTUsqhlMQu5jg7Zny+Z/P9YyghJUERIIYiMjw598l8/vnvXztbFTceO P3XsiVOzcxkrRsCygLFYqZSDoKRdiifcqlhKUBAhlkiWiyVEXLVq1YoVK06cOBGGYRSHsrWlQrnz UueqNRsAgAijnAc9x0z7ka6Zs13Dr7zSJ4VgjEGQqYnRP/9//rS3tycej4ElrbXjOYIIiEDIEAgF mjxhh8Vi5IsAum7s6NGjTx4/vm79+tqampMnTxaLRWARFlfrQj7/utte29M7EotXv+Xn3rpu3SoR g0AIipF/dPqfAK0gvyqQCSJAPp/75L98/MSJJ5Ixx9hKTVWipjZOpErlcC6dD4whpVFpjryxaGFF SkkIBHft2tPatrh3oLejo9OaEAEREJiBpbmp9VP/8smujsuPP/HUydOnl65a9o7/+raammoQxRGT 70cMWfcQAL/QQXvpv3MNKewaWUUUEQKMHHERAeD5n5kdoEsXLv3Zn/8pEZuwcN2mlQcObE8l3bnp dBiYZLI6VV07NTN34ULHlSu95YoPiKgokagKrYSGAYkBBEF7quxXHPLE+gSswBEjoW9uvvH2uobF d9x6c2tT3YOPP3789Nme3u47br/ltltfa9iiiioJzNcyuP8jQD4PspeXx7z2rIUkfVTPiJiZeI2F F2H7mU9//Ktf+/LadcvjMeeGQ4fE6gfuf3h8ZNpoEGISdgiXtLbs3bl95bKliqgchuC4hVLl+FOn Orouk3KEUAAINbMAFhRqZFUulcMS/cHv/eHRI7uOPXT8xKWe1Rs33HXbDRNDw/c+8NiFK13xOP7K +3+lqro6DEPHcYwxVwXjPwfZSy7MlwoMGK95XFfr3YhIACYMXdcBgCD0u7q6Ojo6Hn74oXxp2nXx 5ptvYBt2XOwcGZqOu3WlohGsELHrOgCESpWKZRYBAFfbMCgRuUp7SscsEBIxQFDxbRCGYYiiYm7q TW9+/c+85fanjp3WUP/aWw+Mz0589etPITq3375l+ZLWr9574sLly12Xz7/97T+3e/duY0PHdUQE UOQ/DdnotXD8EL6okPBVEYtsvNba9/3JqYnLl7uvXLnS1dU5NDTIzLFYzHG0EQMAYtmGgdZISlav Wb5ieXvKiefT2aGRsdGJyVyhFAoaFlSKuOKiBdCG0fWSSjsiGBobc7xdW/ccPXrT9h2bnj17/uyZ 7i1bNx06tPf06XOnzlx8401H2lurvvCNB/tHKrt3bDl8YPPxp06fevZM9+WunTt33vXmu3CB0SEo /ynIznWOznNmYL4ISAqttUgEzymmhTUI4GhCsKVSeXx8bGpyqn9gYGpq8vLlK+n0XLlcivxyusrz QgFAEQ8BUaw15a1b1t90y+Gh0d4rvZfRuq0tS5Yva6+trfbLxUIua02IKIzKiCJyrcXPfu4LpFwi Zazdsmnzr//KBx984LGqquojN++r+P69X3sykYi//o37MunKvV/9zq6dqw7s23H/g2ef7epbtrT+ zbfd3Ds8/MDDj4yMjDiuuufX70GFAoKEwvzyo4NrICMiZnM1DR+tNlwg4yBSOp2emZkZGxudmprq 7LiUSc9MT88wW2ZWSmmtI6rTPEo4r8MAhBQZwxoSAD5K8a43viZVlbj//oempvOOmxKTDf3Cju07 Xnv76wqFQm9P7+j4aKlUDhnLAYugDWFsfDKeSIahIcK4G//dD/3uxg2bjz1x6kpP7w1H9ixb0fat +x+emZ57052vDRV+6cuPrmxvf8PtO548fvy7pweS1ak3vuG15Ur5wQe/0z80ENrwfXe/N1WdNNY8 r2nl5UJ2oXvUGKM0aU3W2mw2PT09PTQ8mMlkent6Z+dmJyYmmLlYKDiuCwCOowRslDhWpJBQWJCQ LShSUUvNvOIHEDFaaa74LY2pn7nrNbnc9Fe+8nUWbSUhEFu6KH7owO66huanTj3z7PlO3yK6cRZC MEoYULEVIIoegjHh8iWrdm25vq297uiNN3RemDhx/Mz2XUv3Xr/1W994un9w8M47b/USqc9+6WtL W5rfeset3z1z5tHTZ5NO4o7X3uZ66r5vPTA4NOCHlbs/cHcimXgp2toPBdn5zuEow/C5f/vMd089 PZeeNWEgIkprQiSi6NsFIKqqMjAD4wIHAEQAkZmV0lcthghH+WgTho6Gfds23HBwf0yrMCiHYeib 0GdBpUXcjs4rp797plT2lXZBEJAsAxJbsYgEAEiK2RJhEPiHDhy8+10f+PYDj7HQ6153y8jw4GMP H1u3fv0NN+576JFjXV19b3vLm9gWv3rvAzWNrW++89aLZ545eeKs46Zuvu2m6trkvd+8b3BoqBRU PnDP3bGY959YmF2jAnZkZPA3PvRBRyuKihACKM9x7q9qNBEBQkZYYFk+9wPI81qNYOH8o0eP5NIz 42Nj1prQDyxbK8zCxtogBBFUpCJiMQogzGchBOZTjDLfVIKhHy5evOLud79/69pV93/niZl84Wde f+vE4OhDjxxfvXbZa19z4Ev3Pzo1UPmFt9wwkRv++v2Xli9Z8sbXbz791Omnzg5hsvZ1t+xtTiW/ 8tXvDIzPFIPJ3/jN9yvlLuTwAHDeLgB+H1baPGTqv9396wK2XC5+64H7tVYwT7QXIIzYphLR8eeZ p7iQWJ33aK/54Xn+fkSPQMS+vr7xiali2S+UfN+wH3JoxFhgJkSKHgZGrICFvzXfpbSQ94h8AuOH y5YszWVKIdDhg/smR4bOnuvYt29vVSJx6pkLJd/efvRIX3/v2Y6uQ/v3eUpduNidyaQPHbk+lw/H R9NDg1NLljRs3rxmaLCvVLaXLnZv37FFABCuNuPNPy38Ps4CCqCod7/vV4lUKpV8+JFvmwVu17wa vwrGNfsPI83zwUDEMYnqkgDRneHzt6vHrxqc6NauyXjhfHcT4wff/4Ew5PM9oy7K0et3dvcMdPYO HTp4vbXm9Lkr1ZA8eGTTqUsdY8PpW47szmZzXd2TJZTD+3dPD06ns+WekeG1G5rWrGgdHSqMjk1O T49t27rdWl6Qh6ip7IeA7H2/+uvMrBSVS6WLFy84jhPZwZe6+odXAFcZJVH1zBhDUZLhhRGovJB7 cjUmQ4yYBiTKhrz/+oMHDx6cmJjq7L5SlUzu3bn9mfMdU7PpW47sGR4evnRpctnyurXrlzz93cth pXLD9Xu6ByYuD03VVzl7t6/t7R0o+NI/NLhz25bm+qa52bmz5882NzYvWbKExQLOF7oWJOUHSNk9 iMjCK1eufPKJJ4LAn9dcC77V97pmcI0ie97x5wta5OUuOH3wonb9qqx9z3FiYQREQQIKfdPU0GTB ramp37d1U0//UO/Q+PL2JSuWLn761GnXwf37tz3T1dvT039g12alE999tnNJW92qNct6rowNDw+s WtWwdPHiK1eGCoEeHZ+68eDOoFKyTA899OC+vXs9z0MUASaKEt/0AyB7z933RNA6jtNY33DmzJlK pYIEJgyjhCdbJiRhFhGxDBxVf66uVIGFRhqJos2FLcI0WoyR5f0h+XKIaC0jYZRqA0Zkeuc73pnJ 5AeGxlYsbVu9YvmFrt7hienDe7exXzjxbNfa1asWLfUuXBqZG8+/7qaDAxMTZy+f27/9Os00MDo8 NpG+fvdOCXlkejpfDgqzc7fdfLRvYCgRj91379dvuvkoPidb36dV4PmQRYfa2tr27NmzYcPapcuW NtY3tjS3tLctqa+r10rFYzFH6agKwZatMWFwzeb7fhBU/Oe2QqEwOzubmZsr5PNeLBZRWF8O+QuR kJmBwQS8esWqd//yu9nw2PjUyPjUrh1biPBy/7BfyB4+eP2lK8P9vWM337hlYirX359JxtSWnevP XuoozOQOH9g5ODgxNVMqlvwDh3YMD/fmc8VMzneUc/DAvo6ODmNNZ1fXrt27WASRvm9i4sUgI8Cq 6qolS1qTiUQhn8/MpQM/mBgfL+TzlXLZr1TCMDShMcZE1fyrEqSUUlorPb85jhOLxZLJZFV1dVV1 dSwWm/fpfkhBE4gMrqPdSsnfct2WNStWZ+byNxw5OD4+NTY5U/L54L6dg1e6Bydnm9vaVy1pfubM ZRDn8MGd5y909I2N79i6OomxZy/0NzVUbVqzrvvy8Mj0VH1Tatv61T1dvWWJD42Obli9tK1t8cjo aE9fnxvzVqxYzhL5TD8Qsl/5tWsOoTU8O5f+/d/9/VOnTk1NTs7NzUXl+8gmKCKtteu6ES7ewhb9 qpXjOI6jtOu4ipSjtdaaMFrfsqC2nu+T4DzFh5mRUMAgMjJbJI/Bz+Zrmpf+jw/9wYZlbU+fPk1u za7tG65cvjwzW1jd3tZal7rQNzqeKdy6f+vk6MSzPcM7tm1IoPSNjKVzmZsOH+jpHbrcP7p3x+Yg KA/PzU5OTezdupkZh0an2IGRkaHbbjg8N5c3kHj08Yf27N6SSKT4uXj9mvtEnu+++B7I5o1XIpE6 cvSmVSuXN9TXxWLxMGpJsJzN5YXFChtrkYiIgEgW7BqpSB2wzLNcFwQKIfLjX9RKwHNuHlm2iIRA 1jeVShjXsT/+7d/xqhpGhmZv3L9zMj1zqXtkx9a1JGZwaLKQyx/cv6NnZGpiJttUrTeuXnXy0uVM Jnf7TQc7OjtGpzMtzU3L21vOX+o1odmz77rLPd35nF8phIcOX9/X25fzAz8IKtm5W2668ZnzXcmq 1MlTT+3dtztimD6/0e5qxxm9CGRXXSfH0e3t7Tt27Dhy9Mbbbnvt7a9/w4033XzkyI2HDh9euWrN 5s1bm5tbiHQ8nvT9IAhCy1IuFw0HgIIE2lEQ2SCFMO+rLnitz0NtIVsNAijpmTRRTFHi1ptu+Zm7 3uJ4NYeu39PSUHfhYi8p2L7tuvMX+wqF3KHrd13pHZqayzS3VLe2Lu7tG5mZHr/xyP6B/smR0fGl y5rqalO9fVMzmfKBvVtnxse6ByZWrW1rqsbhodzUtGlrrW1f1tTVNSQiMzPjq1cva2mq7R+YGZvK KB2sXL5U5r1CfOFTfSkpi9aIUgoArYgIWBZE5cViVdU1Tc3NK1asWr16zfbtO44evfGmm255/evf eNddb7rh8JE9u/dcf/2+ZcuXNTcvKhaLIpLPFyqVgIi0cp7vrC7EVkKAUTLXAiBbtXrlpj27bqhN 1f7sz7ypb2hyZHDkNYf2Xui6Mjw5u3v7pkyucOXKwKr21uq6msvDI7lC4fD+3R2d3elcpSrpbVm7 9tzFzrn83K1HDnZ2D47PFJvqYhtXt53tGJzLzd54/fbe7vF8iWYzQzcc2jUxNpfNlUKEybGh195y eHBoFrzU08cf27dju5uIX4PXta3cLwHZc/E2ApHiKJIgFAAkYp4Px6J4fJ6LD5RIJFsWLVrU2rp2 7Ybt23fefvsb7rjjztffcefOnbuXtC0FkXw+l8lkIzuhFFlriAhEAQKSAFprJRZLDQ1NtrYsQ6tT cbVszbqnnzyzZc0SdqCrf6YqFl+1dunFjh5TCnfu23y++3I2Y1ctbYrHqHe4MDM9fftN+7r6eofG Zlcva0ukEv2jY5mZmf17N4+OTw+PzC5ublm2aEl37+WMn487es+WzWfOdVoVrxRyCZc279hyvqPb I/dyZ8e2nduJ1DV9ini1y+pFILs2Dsd55kSkva/5vBpZ4kL6GhEwquTMj0hgi8KklNfQ0LJmzfqD Bw68/o433HTjTQDQ39/v+76jHWuZSIkwiwEQIgWiHB2bnppZtXJdPjt35KbDzzzTqcDfuHn12UvD xVxpz94NfX3D01PZ9RuWGuGhwYyDlT17Np05N1QsVlqb3MaWpu6eiXy2cPTI7o6Ojky6UteQWLN8 Wcel4XzB7t9/Xf9QR8a32ancgV2bM/nKxHQeUU1OTOw/tK1YKBTSQX9f76K21samJhFZ8GyvkTX8 EbfjR51s37MDIWgRamhoeccvvPNTn/z0G+98Uz5fVMqxbABEKQdAiSCgdVxO50anMhMz6ZIpFhYt aTh/ZaSutrGlITmVyaVnMhvXLs8b/9z5zp0btrgOXOkbAqaVy+pR65PnOtetW5uMu0Pj04Vsacua lajc089ebmmpb22qGRmfuTw0eP2BHcpCvmhOPnvu0P4dMW0NQCF0Hnv0+A37dsY9Wrl2w5e++BW/ YhBpIad2DfvqB5GlXu5ABAawgN+zA4sggibS1gqAeutbf+5v//ZjsVhchJUiayyRjipTDJXqGn2h 63QlxNnxmfZltbOBTE8UVi5tCsR0d/avXtUunh0cmElpr6kpUfTtQN/kdRsWhVzqHUoH5WDNqtYA zLmzHdvWbVAaJ6crY9MzW7YsJwmOPfNs69KVyxpbgZynz3akkmrtqmZRUBbqujSKFd62bTWTKOU9 dfxpEEKied4VPq/blr4/++R7d3j5FywEpoKkkBQgLVnS9ld/9TdrVq+2oU/CaAWArKCgkObZ2REA delK7/JVSwzTlb6R9cvbPXL6R2cT8VhddWIuW0lnsutXtIYM56/0rVq+NOEpJufZZ7t2btso6HRe 6UmlEm2LGw3A2XNX1qxclkzo6blyZ/fIwf3bxJSN8U48ffbIDXuJS0pRxcQee/L0ru0bauK0uHXZ ww8/mS9kQCywg6JeUEWi71+v/N4d/gMXzI9zAI4YLQgCWJ2qWrZkWSlb8JAwigoQEQhFHDGzc1PD k5MNdXVJzxsen6hLpRJaTxVLFT9c2txqBLv7utetWI6kh2en0DjLWloETFf3lUVNTbXVdRm/PDA2 vH5NO7o8NDDNBpetaOcQLzx7pbWtuaWxisQ5c743lapes6KVbBgAdQ+N+6Vg24aViFRd1fjoI48o hSgaWSPItemNV4PFKNdUi4kIWMq54kf/6iMbV2/88O/8UTZTJNRgLQGTiGJMxhPTU0PluUw1eHVx NT03Qwm3qt4xYTg6Nrls6TJmMzY+VVVVnUrEK5VwaGh0w+rljHoik87OpdcubwJ0LnT3rljW5moV GHO5p3/dxqUKTXomPzYyu2XzOsOlUmDOPHvx+r17XGKN1vfDk89e3Ljlupoqd1HjolMnzmUzGVSB kBGga1nLrwpkCwKHgmI5O5v52Ef+7sj+wzcfPpqezjY1Lyn5ARACiCBZdDEWG58ZYSNB1m+qTeUr wWQ+39JSA8aMTcw01je5jp7LFkIrTY31JKqvf2hpW7MVtI7q7u7ZuHoxoO4ZmXC0XtzSyICdPQNN i5J1NTHjy7mzVzZsXOXGGZVz+szFZW3t9TUxB0NSzoXuQVZ61YpWMVhfs/jb3/6OhZKgFSAr/GpD dnXLZXIf/euP3nDw0MHr9z1w/wPt7Ut/4zd+s1QuR8AykI+xULvpIOujmp0r1DXU+UzjM7n2xYti 6ExMpVOJWCrh+YHMpbNLFjWJ6OHxqca66kQ8Ltrr6R1oa65JxpOFwExNTa1qXwyAU+l8oZxd0b6I kIZHZkoVf+36ZQyczVYGBka2b91IEoBgKaRzHd2b1q+JObqupuXc2Y5CMQvEiM+bPPGq0IslIpkh W/svH//E5k3X3XrzrU88fjxVU33d1s3d3V0Y+KXJEVWYTbDvAqMNBGwFaTydbWhqRHJHR2abaxtd cvKFChiurkqEVqamploaa5AxUyiVK5XWxloBmpjNcmiWLGpiUX39wyuWLNJalQIeHZlYvWKZiCmF wbmLnbt3biUJEN3TZy5s2rQ25hIyIrnd3QON9Q0ti6pJkefVnjhxGhGBnxcdvxqQRVliherbDz5k A3PLLbcODAyOjIztPnDwiadOTo6MtCVjh9qb2kppNdDljPUkZkd1Lo3IE3PT1bU1DqrZqdmqVMpx sOIbG5ja6gQDTk5PNzfVEVI5sOOTMysWN6BQiXFsfHbZokYNemh0qq4qXpVIAKmB3snFzYviSceQ 7eweqkml2lvqQFT/wKggtLW1aiKxMDeTHx4cu27rcgG/sX7ZyRMXKiVfmK91FV4NyAiEBAr5/KOP PLJx06a2ttZTp55Zv2FjtuRf7hk4sm//5qb6rUl605q6t2+qv22xszNhG4oF11ZyhamqpKfFVkpF 1MpNOqG1+Xymti4lgOlsOpV0Xddl0pPT6WWL6m3AVnsjo3NtLXUOqXS2LDZobqhjkdnJMgnU1MaY wkw+nBiZ2LRmGQgGVi51d27evBGENYEC78LFnqXLG5NVjlZVNvC6Oi8rBJIfwi9DIRQCoGu8BZyf mYIMKChwzTS2+ZOv0V8ShbEkQmA04nce+k7LovZNmzcMD04Egb9p85pnzp5ZsYdRKYYAABegSURB VHT5pg2b/XK52uYbg1w7FDdXhfsXJVfUxMMgKBYKcVe5msvFohWuqYmz5bl0vqm6CkGKxTIAJOJK lJ6enmtq8LQgK69/ItfYWBUn8gOemZtpba0FkEIJMvnykqUtoRgk59K5S1s2rnHZaPQuXrrStnxp Iu6CFQs0Pjlnw6C9rclK2NTUdvzxU5qi6i7/QMgQhUBQgBhQgACQBJUICUPU+CGghElYQBhJICrf CiAzgQERIERlIYi7iWeeOd/YsGT9ujWdHX0tzY2kw/Hxvn3bNp250D2QmQ1VaIgAyLOmymQdr5wB LJXQUdqLKWsplys21CRYYDxfaapKOoS+j0FFGqs9Zpqazdc0xGLIwDiRDZRn6xMOizM6m25u8jRw iWl4Zrq5tRZERHhoZNKN6ZbGOLAemyz6JmhvqwMRoyDrm+Gemc1rV6HOx2Lx6eFcbi5nyI9KrCj4 kpAxWSYDZAmsFtbMmlkJgyiRGIjDiKECX3PZMRXX952KpRBQFINiIksIZAkDhNCpmsmU5rKFlYub 4mIGBwZWrVo1NJFJJFLJmuTFzoseKsUsAJYQABRL3NVB4JcrISJ5nssMmXS2tr4m1DhVyOuqKvRi viW/4tcmqhTo2UD7EEvGVFIKWJw0pUxtXZUBmpwr1lQ3xJRSIDPj44vr62OExDIXSPdMevGGlT7Z Ckv/YM+qNc1KVwQsEnZ19SxatKg6FSeEVFX1qdPP4DVAvSRkltgSAzAJK44WswiKJWAEQIvR4mOt 2HGsoxkRoxk7hEJKUIM47MckcELTd6U7mapdsbh5emQUkNrall7uG1u1bM3kTDadm45DJQ4kIFYL IiKDS0rC0BgJwjDuuVYwnS00VtWlQAXZgkbtuI7P4fTMZF2jy5w2QYnF9eIuiA2MyVVsrLoKFcyl y3E3HnOUQsmms8lYLO65FjWj19c7sG5NG3LFYTVwub+9rVVrDeCywNRsruzbtsWL2Po1tXWnTj3r aPcHk9gRrhILQIAYhUkYAYE1s2KLgoIOo7aMBKIxRAoFiJWqhGHgF01+RuXn0sP9Q0ODD3/3ctPy 7cuXtnVd6XVralzPmRid2rp2zejE5Nz0WEuCPBYAsSgahQQcYDLGWC6XyzXVScaZdK6wfkW7Agkq FSKpcvnk6cenTny+JpmYTBeSyabzG2Ph3LCphBaTMwUTq0kq9oslBxETMZzzw3SRLYCXrJoL2bXh dG//sv27azRVTGxsYCZ5a3VtTVNupgQoxcCMjk6sXt7e2dGLXjw9kh8fnWxsbIncpZeEjBgjeRFA URgCg5aAA095EjAhE7A4aEAsWzYlKZUy0+nekYmz3X0j46O5udFdK1pGTzy8ribWkJS5gdy6nYfr Gur7nzhT29RU8X3xyw21Nec6LhdmJlYkCMQSIC4wrRxEBdYKVAI/HvNAOfliWbnKelgCP7BBtWur g8zOKr8GsmGKZ0ozx/75w2Oz5SK4s2HqY/2P1y5ZMzCYa2hp7h9ajVTxxa+wUywValLOdK5kDc9m KoacVGNdYTIolsN8NrOkJTU6nWGUQHT/4Njhg9uSMV0IoLqusfNCx+GjLfM5mZeETAiEBJEBhZmI 0ZoEcchBmRi4jGFlYnT2fOflmakJ9POOQP/A3HTBNixb09y6oqG+tr2teveS2r5H7m3CELVe1Fgn gOMzxd1rV8yl0wnH8Rw1N5tV5WLKtYysBTQzo4hSHlFQKtp6rPi+5ypAKpZ9l1RS6yAIwNqamKNs JWnSdeTHHF5SowzQrhqpsJ3AOK9tq163aWbmQiUwf/JHH166vG08cMN8ps4fL2VyysSoqr6M3ngm 6zWk/LkpBBydHGlvT5y+lGGqBh0fHZ30NDY31uTHy8lUbcel7iM33QSI1prvszBZUARJUAjYEaNN xbXhxGj/s6eemOjtGBgYqmtb81/edU9N3Q3Wz8/NTles96nP3NtU1RKAg17s2ImTf/KhX3riwXtb Yl5Q01jbUJ/LpU0YLmmITU7MxONJ3walYsXkc1VL0AqTEceCT2BB4q7jl4tIulgqJzxPBMsVXyOk lMoYG/gcS1SH6ABpUSEaPyahoYQNygk3MTU++XP3vPmP/9/Pty3fJlpbN3PH628dzpmYXzr9hX9M mVwhG4xXjKptH9zQuryx8Up3EcCZmMyv29KuHLQMDLpQLOYz6cWtLd2j/V68aqDzvDXWgNVa6YWe LIymxNDV8WoggsIkCBwXkx/pe+bbD3Q+83QqN7kuBS0uratJnB3qcyz/2m/+nuHw0P6d7/rlX2q8 71EpVrQTt0o1tm38h8/f9/O//cf/9P738bIdtfUNmcycQ7yoNnHuQk+8ujq0HPoVx1oHQJCiiiYT WIa4p61fFoHAD5KJOKP4YWgBVFW8VChmjFXJKoNxscqFmCuAZEuYLDvJoQJve+Mv3Ptkp1O1mNzY 5PjwGw4f2r5l89nP33vh0W9uMDObahTXOcZNZvKVh//6d/oCSa7Z27567+xMxY03kVOFgRIBFh4Z HWlf1g6nBwFI69jw8PDSFUuNDcmSVQLEKkTHEjksnhVGAKUFFZKEM0Nf/pNfu++3finxzFcOuePX 1XISw6Sfri5PxivT2ckrO7Zv/Pk3vfmD/9e7qhS85a5bpia7QFcCQow3Ts0EZy/PbPjZu5trGhY1 pqYyvqdUPN6YSReraxOlgrFhEaXsitJWBYpKjor6SRIqVJU5TewXgoQbR+X7HAbGrXLjwpQvF2PJ uMS4gjkNpSKSsYDsZ9Gdqmtr2HHo7Pn+xngLSznJ4ze/5mBVc/M973vXDbs2LEpAlclrU8awuMSZ fU1L+N6V3qbJpzq/8Zfj/ceSnpvQCQzRFQNg+idmaluaY04VinKTzaMjw2x9rZWe596BkNhoNDcj MmJFYyKsXLzv309+4RPXNXrxOtHgB4FxyBPkQAkJr6qrOfb1L73/b/4pM2ePnzxzpffiuvXXLV3W kvHnMNbALIvbV9//4PHGhtpELF5XW93ZPRZPxI2VUslPpuK5crEUVgQDB7yYJQDNTMgaAC1SyGDJ K1SsE4sTgoRBGFTiSc+wBEGQ0k5CeVw2OqYYVVlhLh7vnJV3/9kf/o8/++Sy9buQcGbo8s++/raP /fXfW6C9G9eOPXtyW9zjsKxEqkIkQN81TPn1ixJLW5uffuLef8nN6CUbSNVXLCZ0IjNZcAPbUhMf nctU16YGBwf3HdgjIgSiGJGAtVgEtoSGSEDFwD5z7+c7vvAPR+tMY3nMIx8UOuS6bJBMRSkWqgVb Hui8cPLRj3/yE5/41Odm0vltO7a/7a13Tgx3xaiswPhWrd6w+7unn61vqEtV16Qz+Xg8ZkxgjUnE Y8Vi0bIlEgQLaASZgSw6BoiURlRCXq5itesSA7GY0FcuMmHohwly4hQ3xrXgGNJTKnk6jW/73T/6 gz/5p5WrtwdApXJuWXPdDUeOvu9997iCnScfaTA57ftGuRrRsyCWjKN9DCjMNPgzRxfHEgOnvvvv /4TFSXLQZx3kgbOVtpaEQOB5zujImON4zEwo0XsarBYbca0tgcNm8OEHur7y2evqQAXTpK0B5BCS LA5XAC2AFlRkyuvrvUc/+6k3vu62rfv2ve/ue7xYvLmp9g2vOzw11BEjK6wCicXjVbW11dpxM5l8 dV1VpVwygUnG42GpjIYJWMgYCgNdqTiVslNmVfEgpEoFOQw4JNQaHWGoBJV4zAWgMLCeo51YIotu 2qvuLcNofPGb7/nwn/7tF5Zs2Gd0zCE7M375ztsPE0B1Tf173/1/V0b6lqRAoRjQoMjHUBzSfpiy 4im2quhKekO8cntbov87X+TMEJL1mWbSufrmFDAQ6Lm5DAAhkkYgxnmXHgQYgcBSMXPp65/bWAVK KoEiwQRy3EEWW7DKAFDMkgAaCqvA98aGs70db7zrNZ/93Oc6Lp6tr6v+wD0f6OsfmJgZjdUuZ1HW SiLhVSp+EHKqOlksFxB0wnVtOSCLiIoFGASEHTBojSMQI4WlQgyMDYtaKRJidAsVP+W5wGBDo7UO XG8UYrlp/8Add6VSy//hX7+1dsPhsvZY/LGuZz70q7/Y13/h05/51L4DB1L58VR5ykkaqwmFDAbs iJIgzoCMFQ2hRmSOh2Y5+jcvrnro+NeXH72z4rQMZjLL1zSjeCCCoKPhCRFVjm3EsAQtiDG0faeP UXYoTkUBAEwpE4sZrUR8RyoOoZBjAVDYEQr8ddWxY1/8ZHmy98x3n/a8+Lve8954LP4r7/llFypB YUqjT6DiCTe0YWBsVXWykC8QqJjnFEqlkJwSuxVVE6hawSoKYwkbB+uKGxcbIhq2vibwiBhUqRLG XQ8AjQm0Bl873qotR9/zm08M5p64MLJ87W4wmiQc7jv3nne+Zeemtbff/trFLU1T/ZdOP/il9pQm FEYg4Ci8JrGWwJAGcMg6xNqg0uivcAq760z/yW8BlEbn0lU11Z6KE+lKOaiUfUQkvBo5gmJQABCD oPvEI41JIQmQFbEisQRlwNCCAvZIVDQQFgQJybP+Yiwc/8pn3/EL/+WX3/WueLLm6adP3/vvX/7t X38/BDPl3CghVlWnKpUgDCWWiFX8kkLlKF0OTc5gzZqthcZV50veyTm6WEl2VRIjVDOn6goQY+35 xnc1klhh9oMg5sUAVWB810VwvaG58MsPnsXatbXN7SEAQGW88/R7335nXUp/9d77/LLz3ne/lyeG 2lUpjgEa1BZJLAIoRhQMiUJUyNq1WjMysa9CBYW1SbvITGfHeorpbIqoyvOsCgzP14I1ggVkBmQk EUKAUma2ON6/lJjmR+Jaq0JARiHXugAEIIZAkElIRBhsS0yfP/tUbut+x0n81d98rJCZe+8vv6O+ JvH7v/1rf/mRf9ZaxWPxUrEsADFPZyo+kQYEI+IL5cqwZ9fObTfcmaz2KsV0eWqmPDVh8+Vy95CP TsgVTeCAEEIQBtrRqNDaUBEgaHLrF7VvqQh54hcrmdzk8Aff8/O7dq7PVfKf/cJXTp+6snNVU9jf tSgVigm0xBSjVVYEQIgRQaJ3VACCRNrJahDLCVNYVx07OdAjK7dApVRX5U2kK7FYzPf9WNIhS6gt KCZGBAoJcKJ/OFHJODYUQYCoVkww/14HEWBG5oVMBiMgiRNWNlY5Jz/zj6W5/lSK9mzbsnfPrkBx V8/lt7/1LYmkVxdLlvOhEFfHoFABUSwIgQkwMEKLzg3JVx7r+MRXj33x4YsPd85eKtcEizb6MUeh zxWDRNYhIScIjavFFV8sMrlKJwKDogOXwunRK/VO+a//6Nen0uP/6//7KkP8bXfeuWFxVc83PrUh FWhrUUhQrLKMz83ORmDASC9ZQQBBskrEBQwWu76TGSsEfjmEqlrCMOXEarK5ObSiBZBARIhREJgt BOVKDEQ9r0RMC0OXX/i2goghQwBJW1ntwbf/7V//693/ffmSTd09Q5/66ufTs7O/+kt3E0ldVXVm LosKYo4q+ZY0IYlvfQJDKuZWtdTXNDJaZFYMIfPITCVgJwwYlQJAcogrNjQhaa3mGWvgEkBYyM30 gI9vvvXguvXt9XXO7t277vmtD3d1D/zSXbcMHf/axpTv2rLWThiGTPxiNHy+pgCGKIigmEycbBLC XCGbyRfr65MoDpGTnptd0d7+gv5oUUjFYkErfLmNZChBLZWWm5n7/uEjI2P9H/7zv5wZzb7jrW/L Zicd10ul4oVCiRQ5juNXQiIUAMMhU6gcFrDGgkDMcEKwRqAqFqsXSAJ4gQEBcrRGsEHog3KBtLCQ hAmHuTR9eNe6v/i9D7zxtgN/99G/ePj4U3UNzYf37Nmzfuln/+K3V+h8HAIiCsPwhxzRG7V4R/zU lCuVYiadzdbWpIQtIlYqFQCg5w9DR6VwanIC4WVPfhEUT/w2W1xUHv/yP//F2990R2tV7fU79kxl ZhPJpBdzSkVfKa2U8n2jHQWCbFiMccg4FHrESlgDiDWIljkAZMscZdSj5tD53jwgESBFSuPhQ/vr apNaW1DBth37Pv35b37pa1+79fr1fff+6yozU4UBIlhrtdY/ZGscIYIwswBITQyLmelCqVhVlVAE SitjQhHRkb5aaLYSR6swCEgs4g/ZfbNAGhVFIkDlFmUhM3j2y59854f+EDXk54qpZLXjOpWKUURK kQlZaw0MEJILlE1PTQwaQa28pNaORhC0WovWJYEyIDJbRIWgObQaxVHIIozaolMylcuDI48//jcf +s0P7j90a0f3SDzIfvoP/nyLW0jailVe1E31skb0zs8tF0gqK0GxVAniMReAPdctFkuIqOcbw682 eDGj8LX892u7S74/8dyiJ2gTXF6hKC6zn/rj/37nu99fzuUc5WhNxggSAoi14DgoAsRaM77rnT+/ dfPadDY7Oj5dKBaCSt6KsWKHRvrYFgDiIoxECIpt1HlGLCCoRbm+9Ze0rzhzquMjH/nX37rnvx1Z VX3m0x/Z2Ohqy+go1/hMxEgvq0od/QkBTKAxpXyx4nuepwiTiUQ2k4kgex7ALBZhfk7wy+pYNAQA EDMuIPoqqFOFrQDf+OifdNnY0p1vdhwV+kYrLSAmFJWMmnPIgo3H1JLWWg3+2WcGfvEX32FNgUXu u+/+XVs2TxQl6mgmJAGI1uk8/1RAI2mxG1Ytv9zWun/L+r//4C96k5f21GkwlUB7FevXQBgC8cur UkdtU1qEkg5yuVyuhJ7raqW01jOzkyJC1xoRRBG2CEL/kXEcBiFE0QYTATmK/UaT31zvSnY8EfMc RwWBUTp6v57VmkQkFCNaRBvDwf0PfPPU009zaMDw1OjUX//5RzR4aAgsggASCrKICCpAEmYF4iHb QrpO26VJefSf/mBlZXR9zMa4RBJoYx3UFdLmPzD7J6pGMnokyDYIbTRPjhf6cjUKhuQiMEGIwA6h RwEgswhCNNHvRdmNeK1hBkAFgiKMxPN9KqK5GOM4WZ1ykq4jQWg9zwuFEAKHxAIHFFjw2Zi52ezx 488qnTCWHQyfOPbY4rbVFy70JhuWSDxhQBGi5oiObIEMMITkWce5dOrJ/9n1zdZYfFczOOW0o9GC IgSXQ7BokaJRUwtFWFEcWTwFaARfbKiqKC2IzI7lWVJGxAYhAKPWSmmxnggSCctCTwBHbatsGZU8 986o570qjBFCpQyRJYrKvVfPjHK5SiyKcDStTsBA3PG8CoQlNlo7PqDFiigbAisbU77rQewb930r Wy5PFYpjMxkj+sSJY21rlp545qQxJYEgEJ8oBC6LsGFQCK61SpTHtsEW91bBash7QZEUmAiO+bdx MAFoCzoarBcNw0cWZI6IKaKu7rCwW8SyA4GyVtmiIz6hZQFERkDCfL7MLFpLYNFhQEHNoHxrKyFq cCw4gvIiXYNCjsGFDrno7W0iV5sZSVBESTT4VYtCEXZdVyyCWAdJAkuGXVDKKgldTcnZzOxttx9c v3PN1Fw5XhMLhXbsP5y36g3x6qnpAqvQog/KgPLLYaHgl4qF2ULZTPR3BTNDWC6CjRFqlvBF3ggG oJlQgIkZo7fMCQMKWsWkrn1lIz6nXCxZAGBSAlpZo4wlo+OoQkWFQl5rrRVYFiWoIOJXMAOzFtFy tUManye4UVETQFAYOYoHGOaJBYjgiGiLFtAiGWCXrKPBhowceEqUAUfYA1DMDGmtpj/zt7/zeLVN OE51fdvAN76olKeVqlRKMDGdudIfePh3x78wOztXrsAI2eGv/ZkfUhnMp7/590Ynrmt0YmRNaOnF WLwCECiFwCgGkREEmSiqBIkw2hdzlUgbFEQrROQ4wsKVEESUAHK+kFNKaQskQCQEYFGMA8YxZQ98 xYZQI0i0yKIao4AYZY0LzEyACijiKxMjKjQIjCzAJMqCYiIxPpdyo51PPva1mcvffTjb0AjpZy4c Oz7RWTd47qGec2eDmYnttWZ7TaJa0JamiqVJX7FDrIxd7TmHN8VdAgfynCJAF8Ui+wZA29CiU1ak xcGwqEi/hHnHgJAQFAuwCDmCLoh2iCyyQcb5l2UtDKlAUKxcSwAQIDE4GpgoyBUzk9ODMzMz+VxW hP83Tybzg9H2+bQAAAAASUVORK5CYII= ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/png; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/high.png iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAFo9M/3AAAACXBIWXMAAAsTAAALEwEAmpwYAAAK T2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AU kSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXX Pues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgAB eNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAt AGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3 AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dX Lh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+ 5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk 5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd 0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA 4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzA BhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/ph CJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5 h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+ Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhM WE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQ AkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+Io UspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdp r+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZ D5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61Mb U2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY /R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllir SKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79u p+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6Vh lWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1 mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lO k06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7Ry FDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3I veRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+B Z7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/ 0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5p DoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5q PNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIs OpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5 hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQ rAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9 rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1d T1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aX Dm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7 vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3S PVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKa RptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO 32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21 e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfV P1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i /suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8 IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADq YAAAOpgAABdvkl/FRgAAA79JREFUeNpi+P//P8PDqJD/LLvFZH8asXIyAAAAAP//Yvh884bB3z9/ GBjfSKn8/8/4nwEAAAD//wAiAN3/AfLW1zAAlnjP/d/oAAUwJwAB/fz7AMkZIf8WBAUA5Pv6AAAA AP//AEQAu/8A/v79AN9hYNjhdHeT////AAHhLi//DyQNAAEKBgDiu9z9BPrr8gD87PYAAAAAAP8A AAME3vn4AB4GBwD9AP8A7hMRkQAAAP//Yvz77x/DncT0Y7JWEpb/Pn9kYPjzh4GRk4vh28XHDDzN feyMJ6wdbks+eKTCI8bJ8P/lLwYGBgYGBmYGBmY9IYZX514wMHFpahx5/us3w/eX3xj+M/6H2PXv H8P7c68Ynv3+w8D4798/hm8PHzEcNbb6xsDwn5MR4hgGdgmxYrsr5/oANM+9SgNBGIXhM7tRsQvr YlyRLaxSSRoLQavYBCsbGxXtbMU7ELwD6xReRiKCxBULGxt/iggJUVTIjyzJaHZmvmMRfK/geUES zgk6p2fnrd0dtg72X/pJUiIJklCZ1rOfWxUdbq9CtIbyfah8Hu2L26R4c7Wh7peWWTxch7TfIf0h 1EwOXjSHn9cUdu9oRT3Mx4xLBcjzN+AmE144jfHIojkcPeV+QYwfe5iij/+km8HAwTiJvdQZpE7g lEz8ijDKYSAWXqFQ9cLNcrVjMnxYgwEdemLxZi2+jMFa4/IYTgR35cpJLVhgPVhkLYhYDyLdvW6A JP7YJGPWpsIwCj/vd2+TmoQ0tIkkEEpdLG5xE+zUxcFBBEXBpSAWF1FwcnBTRHERioJKDYWCuDjq UOvg4lJ1ElIQRWyhBkpje9vc2+97X4eIU59fcM5zjqgpmBD6e4fW7j98bB8/zNROnyAaKyPBY4BE Edr39JZWSOKRJ80Hd2/k6/UMQIIqP+7ce54+m7/cnD2FE48lCdZPwXswQ+IYhoeRYhEpFOkuvCdp TsxNvn51TTq3br9I5tsz1dEylalxQvcP9nsH3UohHWwrOUEqOeRwCVcbIV3dZHN1g91jRx/Ju8ZE WlHNjbmYQt7hvIByMG7whv0k0FNP1/uei2vVn9vBs2OBfhZQ+6f7AMwMv+tJLLBtSmq2Jt2l5dan C5c+xyKUXUQpiiiIY0jAIQgQMIJBZkaigS0N9IOGIzevH5eggXR9I7dy9tybvW/fpw2IxTHkhFgA BDVj3wxvhpoRl4pvW4vtM6NTJzMxG8RVMzRLWV98OfmrvTCbfO1Mg7XMQOBLvlFfblw8/3T86pVO vlr9X+vvAF5tvsbqXTZWAAAAAElFTkSuQmCC ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/png; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/low.png iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAFo9M/3AAAACXBIWXMAAAsTAAALEwEAmpwYAAAK T2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AU kSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXX Pues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgAB eNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAt AGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3 AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dX Lh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+ 5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk 5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd 0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA 4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzA BhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/ph CJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5 h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+ Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhM WE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQ AkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+Io UspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdp r+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZ D5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61Mb U2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY /R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllir SKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79u p+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6Vh lWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1 mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lO k06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7Ry FDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3I veRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+B Z7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/ 0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5p DoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5q PNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIs OpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5 hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQ rAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9 rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1d T1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aX Dm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7 vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3S PVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKa RptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO 32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21 e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfV P1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i /suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8 IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADq YAAAOpgAABdvkl/FRgAAA71JREFUeNpi+P//P8OdS6H/GWZMYP757xPDfwAAAAD//2L49PGewf9/ /xkY/35k+P/7FyMDAAAA//8AIgDd/wHp6cwwFQqYzwAA1wAAAkEAAf3+/QCsoQT/LSj/AMTLAQAA AAD//wBEALv/AP///wDa0VvY39mHk////wAA6Nkh//7yQf/+81X/w7cH/AT49uAAAADfAAD/AAD9 /AADBLe/AAA48QAA9PYBAAQMcJEAAAD//yzDvwpBUQDH8e9BScYr2QwewHBTDAYPoLwL72Az224Z vQX5U7olsztYTG7iDje555yfxac+RvLE+8khDMcDlGHwyNR53COC9qbKetW5pklZLgvkM/4rcu+e LltUarZGu2PseaVPvAcJiq/llsSczgYjCVvkRMtG7uynBgCGbjib9ofzxY/mMeZlIAAD6PuuR3Ka moRFLE2IBaPFIuEfkLBJE5Fu5z8YLYzYDQYxECKIdNdWHK2onqSJ6yVN09Q1dec+w6Xre8t7qCqq Su117/C9vKbV0uZbt1NfGHCJwsDyP1eDickN4AcYQmWU5+JlYX7xbEluz4d1ecWGuILQREmDZGk1 r5DMxZyZSYdodI1ICUWTBHUwzW8e79ZPjVYb+r0iDCSANgi6f3hebcpwG8KXC7/9ZDGOhU4bnApM z+ZO5P5m+7jqHOVmssr4GIQhfLjg+QY7diSiqhQe7N2Xp4P9pEFIpazeVt4fMU2LfzbJGLSJOIzi v+/+dydJDRIKgiU1sVij1KE6uAlaxUEQxUEQHETBSdHVRXF0laJghQ4iOCoOVQQHQTSL6aKlATXN ee0pVNNUGnP3v/scEsTB9cHjPd7viWo/29pu7tPHW3c93pwvVU7hbhoFMgQAQ9Jrstx6SiJH7u2o Xr9mjBeLGCTLUuq1yw/yMntxfO9NjJOgug50EU1QBPAQGUKlQJa5tBo32NCr0xP7b18xxw5Fs+nG zIXy9mFy+c2gdcjegr4DfQ86D7oA2oLsB0KMYwJWo5cHgvB7UWbumN7unam/a0wobvVwTUK/9z+z DviDQ5YaOu2Yz1/gQ8Nfc3L5SmspFMIIOj9jbPI/c19Lbcr6WkK0IjQDwfPLoUQrtcknjw/WHSem tM2hNJIxXIRcHlwPRMAmwu8utNtK+A2Cr0JsvfT02do+Uc2wtuu/eHZmLmjOTQEYo/i+4nuCAImF Xg9s2mdSGTvx/OjxRyddbyj+i5HB09qri9XGwsNLy+HrqV+dpUkECoXy/Mjo4VfVPefubymOL+pg ERD+DAALf6+yZ4OlmAAAAABJRU5ErkJggg== ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/png; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/medium.png iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAFo9M/3AAAACXBIWXMAAAsTAAALEwEAmpwYAAAK T2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AU kSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXX Pues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgAB eNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAt AGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3 AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dX Lh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+ 5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk 5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd 0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA 4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzA BhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/ph CJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5 h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+ Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhM WE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQ AkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+Io UspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdp r+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZ D5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61Mb U2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY /R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllir SKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79u p+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6Vh lWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1 mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lO k06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7Ry FDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3I veRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+B Z7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/ 0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5p DoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5q PNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIs OpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5 hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQ rAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9 rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1d T1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aX Dm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO/PLi8ZafJzs07P1SkVPRU+lQ27tLdtWHX+G7R7ht7 vPY07NXbW7z3/T7JvttVAVVN1WbVZftJ+7P3P66Jqun4lvttXa1ObXHtxwPSA/0HIw6217nU1R3S PVRSj9Yr60cOxx++/p3vdy0NNg1VjZzG4iNwRHnk6fcJ3/ceDTradox7rOEH0x92HWcdL2pCmvKa RptTmvtbYlu6T8w+0dbq3nr8R9sfD5w0PFl5SvNUyWna6YLTk2fyz4ydlZ19fi753GDborZ752PO 32oPb++6EHTh0kX/i+c7vDvOXPK4dPKy2+UTV7hXmq86X23qdOo8/pPTT8e7nLuarrlca7nuer21 e2b36RueN87d9L158Rb/1tWeOT3dvfN6b/fF9/XfFt1+cif9zsu72Xcn7q28T7xf9EDtQdlD3YfV P1v+3Njv3H9qwHeg89HcR/cGhYPP/pH1jw9DBY+Zj8uGDYbrnjg+OTniP3L96fynQ89kzyaeF/6i /suuFxYvfvjV69fO0ZjRoZfyl5O/bXyl/erA6xmv28bCxh6+yXgzMV70VvvtwXfcdx3vo98PT+R8 IH8o/2j5sfVT0Kf7kxmTk/8EA5jz/GMzLdsAAAAgY0hSTQAAeiUAAICDAAD5/wAAgOkAAHUwAADq YAAAOpgAABdvkl/FRgAAA5dJREFUeNpi+P//P8OPBTH/WT6nq/5k1fvJAAAAAP//Yvj98KLB339/ GRi/T5b5//8vIwMAAAD//wAiAN3/AfvezjD+z4vPAPPjAAIYMgAB/f78APZwJP8CFP8A/uQDAAAA AP//AEQAu/8A/P79APekZNj4s4KT////AAH3kjT/AhAMAAAGDgD709b9BP7z6wAAAukAAAAAAP/8 AwME/d8DAP8bAAAA+wEAAypXkQAAAP//JMGxCcJQFEDR+36IUQlOYCX2IoiQyhksLSwcQaydQHAA V8gakiUUtPiQWokmEv97Fp4jQQOf07qIJ9NMmgeoQqdPey2IV3ki1X5xkcF97NIEQs2fw6VD2pvH RaP5WUuHVg0YYIYF5es9WkaIqmL1k9d29ka1B4YhxNly190cjj8eyNiXgTCMw8/73ZWeRhjFwHBm MUjEIEYTm0U6dicWg8FglkismhCRWA3+A5uwNGmstEgHF9fjetfr972GE/NveJ7nh6pirSW7PTrL LuuaXTeei9fWkqqiqogd9IPhzU5aCVegSMFUIJhm2Hq6DxpXa/J9EOr4+gYufkHzL8SrIrVZ7Hsb f/NiUZLDeR0LZ3DpB6UliD+F++mjyULbkAs2fvsfy8ditBBsrzNnNBZc4qEj/csEzcFFgr+63TT+ 8lbTdT1sz8dFBvtpsF0fIkO1frwnzjmy89390cPdSUkRMGZQO32cMMEkv3SRT4hNcRTHP+fcf3O5 8SZFmZXyL1k8q4mUmqWNUiSrKZJCWYkslK2dNIopWWhY2MyGlSwsFPVkgaFJqdlNozfP7b173/2d Y3FHFnI239X5ns/3fMXdWudRmdeLt+f49XU2PnAMTTfhFkAAifG6pPn0GjoH72fHb1yVic01CG2Z C9fm7fviuezIaWgqvB5AMwJrNi4mSJJDWkCcUb1dINpz9l528taVuH5y85F9fj4b7SgIq19guArV Gt4MwUObWhMkLpCJSSTfTlRkhI+PL1fjEGT94u5KJ0MqnQbJBdG/7/x3BFzwyrC+YmtpX6Uz9cMH 4KXilePh/wZuhteGlYqvK7p1akXG3953h3fO9CAgWxwpDDLQxEH/bAretP1RKtZXsCjk158dErOA jQbp6O75F2G5NyMORA6xI9pSE8AbaVWcaO/0y/zSwxOaF7W4t8juhrtjy7194zdPL9jSu5nwc6Ur Lui2nR90/+FXydFTD6Jd3SU0Qjbgfg8AcS6ciHwmrn8AAAAASUVORK5CYII= ------=_NextPart_1eba40115388acd645178ab2bfe65cf0a Content-Type: image/gif; Content-Transfer-Encoding: base64 Content-Location: http://anubis.iseclab.org/index.php?action=report_resource&version=3.2&resource=/images/expand.gif R0lGODlhDQAIAPcAACxivNTy/Pz+/AAAdwCA/wCl/wBM/wAA/wC4wwDiyAASOQAAd3fjxh22yQA5 OQB