Analysis Report for 1015.exe

1. General Information

  Information about the SandBox's invocation  
Time needed: 240 s
Report created: 03/30/08, 07:23:51
Termination reason: Timeout
Program version: 1.5

2. 1015.exe

  General information about this executable  
Analysis Reason: Primary Analysis Subject
Filename: 1015.exe
MD5: 957793372d0239cf6ccf5153e7b7af26
SHA1: 2e429f2018bc2ce2325afa34566b916b38475902
File Size: 77824 Bytes
Command Line: C:\1015.exe
Process status at analysis end: alive
Exit Code: 0

VirusTotal Result: 10/32 (31.25%)
AntiVir: HEUR/Crypted
AVG: Win32/PolyCrypt
BitDefender: MemScan:Trojan.DNSChanger.RY
Kaspersky: Heur.Trojan.Generic
Microsoft: Trojan:Win32/Alureon.gen!H
Prevx1: Heuristic: Suspicious Self Modifying File
Rising: Trojan.Win32.DNSChanger.GEN
Sophos: Mal/EncPkCO
Sunbelt: VIPRE.Suspicious
WebwasherGateway: Heuristic.Crypted

PE Header
Signature: 00004550
Machine: 014C (Intel 386)
Number of sections: 0002
Time/Date stamp: 47BC482D
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010E
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00010E00
Size of initialized data: 00001800
Size of uninitialized data: 00000000
Address of entry point: 0000BE1F
Base of code: 00001000
Base of data: 00012000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00014000
Size of headers: 00000200
Checksum: 00000000
Sub system: 0002 (Windows graphical user interface (GUI) subsystem)
DLL characteristics: 0000
Size of stack reserve: 00010000
Size of stack commit: 00010000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
kêþÚ’|~± 00010D5A 00001000 00010E00 00000200 60000020
@VZ!EF 00002000 00012000 00002000 00011000 40000040

Import table (libraries: 1)
kernel32.dll (imports: 1)
ExitThread

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x003B0000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000

2.a) 1015.exe Registry Activities

  Registry Values Modified:  
Key Name New Value
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon System kdblh.exe
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Cookies C:\Documents and Settings\user\Cookies
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders History C:\Documents and Settings\user\Local Settings\History

  Registry Values Read:  
Key Name Value Times
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies PerUserItem 1 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History PerUserItem 1 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ComputerName USER 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url1 http://www.adobe.com/products/acrobat/readstep2.html 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url10 https://www.google.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url11 https://www.gmx.at/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url12 http://www.icq.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url13 http://www.google.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url14 http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url2 http://www.adobe.com/products 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url3 http://java.sun.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url4 http://www.google.at/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url5 http://www.adobe.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url6 http://www.ccleaner.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url7 https://www.amazon.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url8 https://wumt.westernunion.com/info/selectCountry.asp 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Internet Explorer\TypedURLs url9 http://www.westernunion.com/ 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cache %USERPROFILE%\Local Settings\Temporary Internet Files 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Cookies %USERPROFILE%\Cookies 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders History %USERPROFILE%\Local Settings\History 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache Signature Client UrlCache MMF Ver 5.2 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CacheLimit 163410 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix   2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CacheLimit 8192 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie: 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheLimit 8192 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheOptions 11 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007101520071022 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CachePrefix :2007101520071022: 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007101520071022 CacheRepair 0 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheLimit 8192 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheOptions 11 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007102220071029 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CachePrefix :2007102220071029: 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007102220071029 CacheRepair 0 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheLimit 8192 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheOptions 11 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePath %USERPROFILE%\Local Settings\History\History.IE5\MSHist012007110120071102 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CachePrefix :2007110120071102: 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012007110120071102 CacheRepair 0 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheLimit 1000 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheOptions 8 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePath %USERPROFILE%\UserData 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CachePrefix UserData 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData CacheRepair 0 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheLimit 8192 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheOptions 0 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePath %USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds Cache 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CachePrefix feedplat: 2
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat CacheRepair 0 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CacheLimit 8192 1
HKU\S1521122927282110043363485272372401003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited: 2

2.b) 1015.exe File Activities

  Files Read:  
PIPE\lsarpc

  Files Modified:  
PIPE\lsarpc

  File System Control Communication:  
File Control Code Times
PIPE\lsarpc 0x0011C017 12

  Device Control Communication:  
File Control Code Times
WMIDataDevice 0x00228144 2

  Memory Mapped Files:  
File Name
C:\WINDOWS\system32\kernel32.dll
C:\Documents and Settings\user\Cookies\index.dat
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat

2.c) 1015.exe Process Activities

  Remote Threads Created:  
Affected Process
C:\WINDOWS\system32\csrss.exe

  Thread Overview:  
Time Number of threads
After 19 seconds 1

  Foreign Memory Regions Read:  
Process: C:\WINDOWS\system32\alg.exe
Process: C:\WINDOWS\system32\csrss.exe
Process: C:\WINDOWS\system32\ftvmdmsrv.exe
Process: C:\WINDOWS\system32\lsass.exe
Process: C:\WINDOWS\system32\services.exe
Process: C:\WINDOWS\system32\smss.exe
Process: C:\WINDOWS\system32\spoolsv.exe
Process: C:\WINDOWS\system32\svchost.exe
Process: C:\WINDOWS\system32\winlogon.exe

2.d) 1015.exe Other Activities

  Mutexes Created:  
Local\c:!documents and settings!user!cookies!
Local\c:!documents and settings!user!local settings!history!history.ie5!
Local\c:!documents and settings!user!local settings!temporary internet files!content.ie5!

  Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x0 1

3. csrss.exe

  General information about this executable  
Analysis Reason: 1015.exe injected a remote thread into this process
Filename: csrss.exe
Command Line: C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\CSRSRV.dll 0x75B40000 0x0000B000
C:\WINDOWS\system32\basesrv.dll 0x75B50000 0x00010000
C:\WINDOWS\system32\winsrv.dll 0x75B60000 0x0004B000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\KERNEL32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\sxs.dll 0x75E90000 0x000B0000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x01320000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\imm32.dll 0x76390000 0x0001D000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000

3.a) csrss.exe Registry Activities

  Registry Keys Created Or Opened:  
HKLM\SOFTWARE\CLASSES

  Registry Values Read:  
Key Name Value Times
HKLM\SYSTEM\SETUP SystemSetupInProgress 0 70
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS * 1 1
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL * 1 1

3.b) csrss.exe File Activities

  Files Read:  
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03.Manifest
C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.CommonControls_6595b64144ccf1df_xww_5ddad775\6.0.2600.2982.Policy

  Device Control Communication:  
File Control Code Times
WMIDataDevice 0x00228144 2

3.c) csrss.exe Process Activities

  Remote Threads Created:  
Affected Process
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lsass.exe
C:\exec\popupKiller.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

  Thread Overview:  
Time Number of threads
After 176 seconds 1

  Foreign Memory Regions Read:  
Process: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
Process: C:\WINDOWS\system32\alg.exe
Process: C:\WINDOWS\system32\csrss.exe
Process: C:\WINDOWS\system32\ftvmdmsrv.exe
Process: C:\WINDOWS\system32\lsass.exe
Process: C:\WINDOWS\system32\services.exe
Process: C:\WINDOWS\system32\smss.exe
Process: C:\WINDOWS\system32\spoolsv.exe
Process: C:\WINDOWS\system32\svchost.exe
Process: C:\WINDOWS\system32\winlogon.exe
Process: C:\exec\popupKiller.exe

3.d) csrss.exe Other Activities

  Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x75b5a753 4

4. winlogon.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: winlogon.exe
Command Line: winlogon.exe
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\AUTHZ.dll 0x776C0000 0x00011000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00094000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\NDdeApi.dll 0x75940000 0x00008000
C:\WINDOWS\system32\PROFMAP.dll 0x75930000 0x0000A000
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00054000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\PSAPI.DLL 0x76BF0000 0x0000B000
C:\WINDOWS\system32\REGAPI.dll 0x76BC0000 0x0000F000
C:\WINDOWS\system32\SETUPAPI.dll 0x77920000 0x000F3000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\WINSTA.dll 0x76360000 0x00010000
C:\WINDOWS\system32\WINTRUST.dll 0x76C30000 0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll 0x76C90000 0x00028000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\system32\MSGINA.dll 0x75970000 0x000F7000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\COMCTL32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\ODBC32.dll 0x74320000 0x0003D000
C:\WINDOWS\system32\comdlg32.dll 0x763B0000 0x00049000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\odbcint.dll 0x20000000 0x00017000
C:\WINDOWS\system32\SHSVCS.dll 0x776E0000 0x00023000
C:\WINDOWS\system32\sfc.dll 0x76BB0000 0x00005000
C:\WINDOWS\system32\sfc_os.dll 0x76C60000 0x0002A000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000
C:\WINDOWS\system32\msctfime.ime 0x755C0000 0x0002E000
C:\WINDOWS\system32\WINSCARD.DLL 0x723D0000 0x0001C000
C:\WINDOWS\system32\WTSAPI32.dll 0x76F50000 0x00008000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\uxtheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\cscdll.dll 0x76600000 0x0001D000
C:\WINDOWS\system32\WlNotify.dll 0x75950000 0x0001A000
C:\WINDOWS\system32\WINSPOOL.DRV 0x73000000 0x00026000
C:\WINDOWS\system32\MPR.dll 0x71B20000 0x00012000
C:\WINDOWS\system32\rsaenh.dll 0x0FFD0000 0x00028000
C:\WINDOWS\system32\SAMLIB.dll 0x71BF0000 0x00013000
C:\WINDOWS\system32\msv1_0.dll 0x77C70000 0x00023000
C:\WINDOWS\system32\iphlpapi.dll 0x76D60000 0x00019000
C:\WINDOWS\system32\wldap32.dll 0x76F60000 0x0002C000
C:\WINDOWS\system32\sxs.dll 0x75E90000 0x000B0000
C:\WINDOWS\system32\cscui.dll 0x77A20000 0x00054000
C:\WINDOWS\system32\MPRAPI.dll 0x76D40000 0x00018000
C:\WINDOWS\system32\ACTIVEDS.dll 0x77CC0000 0x00032000
C:\WINDOWS\system32\adsldpc.dll 0x76E10000 0x00025000
C:\WINDOWS\system32\ATL.DLL 0x76B20000 0x00011000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\rtutils.dll 0x76E80000 0x0000E000
C:\WINDOWS\system32\xpsp2res.dll 0x014B0000 0x002C5000
C:\WINDOWS\system32\COMRes.dll 0x77050000 0x000C5000
C:\WINDOWS\system32\CLBCATQ.DLL 0x76FD0000 0x0007F000
C:\WINDOWS\system32\NTMARTA.DLL 0x77690000 0x00021000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x00B30000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000

4.a) winlogon.exe File Activities

  Device Control Communication:  
File Control Code Times
WMIDataDevice 0x00228144 2

  Memory Mapped Files:  
File Name
C:\WINDOWS\system32\Msctf.dll

4.b) winlogon.exe Process Activities

  Thread Overview:  
Time Number of threads
After 180 seconds 1
After 186 seconds 0

5. services.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: services.exe
MD5: c6ce6eec82f187615d1002bb3bb50ed4
SHA1: b958912d139cb8dbfeeacdd38ba048c4f452174e
File Size: 108032 Bytes
Command Line: C:\WINDOWS\system32\services.exe
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\SCESRV.dll 0x758E0000 0x00050000
C:\WINDOWS\system32\AUTHZ.dll 0x776C0000 0x00011000
C:\WINDOWS\system32\umpnpmgr.dll 0x7DBA0000 0x00021000
C:\WINDOWS\system32\WINSTA.dll 0x76360000 0x00010000
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00054000
C:\WINDOWS\system32\NCObjAPI.DLL 0x5F770000 0x0000C000
C:\WINDOWS\system32\MSVCP60.dll 0x76080000 0x00065000
C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000
C:\WINDOWS\system32\eventlog.dll 0x77B70000 0x00011000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\PSAPI.DLL 0x76BF0000 0x0000B000
C:\WINDOWS\system32\wtsapi32.dll 0x76F50000 0x00008000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x007B0000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000

5.a) services.exe Registry Activities

  Registry Keys Created Or Opened:  
HKLM\SOFTWARE\CLASSES

  Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME 1 Key Change,Value Change 1

5.b) services.exe File Activities

  Device Control Communication:  
File Control Code Times
WMIDataDevice 0x00228144 2

5.c) services.exe Process Activities

  Thread Overview:  
Time Number of threads
After 188 seconds 1
After 193 seconds 0

6. spoolsv.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: spoolsv.exe
MD5: da81ec57acd4cdc3d4c51cf3d409af9f
SHA1: 7047ed8bd91f3e57972483feaa56e3499cd8c668
File Size: 57856 Bytes
Command Line: C:\WINDOWS\system32\spoolsv.exe
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\SPOOLSS.DLL 0x742E0000 0x00015000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\DNSAPI.dll 0x76F20000 0x00027000
C:\WINDOWS\system32\rasadhlp.dll 0x76FC0000 0x00006000
C:\WINDOWS\system32\localspl.dll 0x75BB0000 0x00056000
C:\WINDOWS\system32\sfc_os.dll 0x76C60000 0x0002A000
C:\WINDOWS\system32\WINTRUST.dll 0x76C30000 0x0002E000
C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00094000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\IMAGEHLP.dll 0x76C90000 0x00028000
C:\WINDOWS\system32\winspool.drv 0x73000000 0x00026000
C:\WINDOWS\system32\netapi32.dll 0x5B860000 0x00054000
C:\WINDOWS\system32\cnbjmon.dll 0x742A0000 0x0000E000
C:\WINDOWS\system32\mdimon.dll 0x008F0000 0x00008000
C:\WINDOWS\system32\msi.dll 0x7D1E0000 0x002BE000
C:\WINDOWS\system32\pjlmon.dll 0x74280000 0x00007000
C:\WINDOWS\system32\tcpmon.dll 0x72400000 0x0000E000
C:\WINDOWS\system32\usbmon.dll 0x723F0000 0x00007000
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\mdippr.dll 0x00900000 0x00008000
C:\WINDOWS\System32\spool\PRTPROCS\W32X86\filterpipelineprintproc.dll 0x00910000 0x0000A000
C:\WINDOWS\System32\mswsock.dll 0x71A50000 0x0003F000
C:\WINDOWS\System32\winrnr.dll 0x76FB0000 0x00008000
C:\WINDOWS\system32\WLDAP32.dll 0x76F60000 0x0002C000
C:\WINDOWS\system32\win32spl.dll 0x75C10000 0x00023000
C:\WINDOWS\system32\NETRAP.dll 0x71C80000 0x00007000
C:\WINDOWS\system32\NTDSAPI.dll 0x767A0000 0x00013000
C:\WINDOWS\system32\CLBCATQ.DLL 0x76FD0000 0x0007F000
C:\WINDOWS\system32\COMRes.dll 0x77050000 0x000C5000
C:\WINDOWS\system32\inetpp.dll 0x74300000 0x00015000
C:\WINDOWS\system32\xpsp2res.dll 0x20000000 0x002C5000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x00E80000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000

6.a) spoolsv.exe File Activities

  Device Control Communication:  
File Control Code Times
unnamed file 0x00228144 2

6.b) spoolsv.exe Process Activities

  Thread Overview:  
Time Number of threads
After 202 seconds 0

7. lsass.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: lsass.exe
MD5: 84885f9b82f4d55c6146ebf6065d75d2
SHA1: 6473b34c05bc63eb0d66cad83355e6938cbe97e9
File Size: 13312 Bytes
Command Line: C:\WINDOWS\system32\lsass.exe
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\LSASRV.dll 0x75730000 0x000B4000
C:\WINDOWS\system32\MPR.dll 0x71B20000 0x00012000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00054000
C:\WINDOWS\system32\NTDSAPI.dll 0x767A0000 0x00013000
C:\WINDOWS\system32\DNSAPI.dll 0x76F20000 0x00027000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WLDAP32.dll 0x76F60000 0x0002C000
C:\WINDOWS\system32\SAMLIB.dll 0x71BF0000 0x00013000
C:\WINDOWS\system32\SAMSRV.dll 0x74440000 0x0006A000
C:\WINDOWS\system32\cryptdll.dll 0x76790000 0x0000C000
C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\msprivs.dll 0x20000000 0x0000E000
C:\WINDOWS\system32\kerberos.dll 0x71CF0000 0x0004B000
C:\WINDOWS\system32\msv1_0.dll 0x77C70000 0x00023000
C:\WINDOWS\system32\iphlpapi.dll 0x76D60000 0x00019000
C:\WINDOWS\system32\netlogon.dll 0x744B0000 0x00065000
C:\WINDOWS\system32\w32time.dll 0x767C0000 0x0002C000
C:\WINDOWS\system32\MSVCP60.dll 0x76080000 0x00065000
C:\WINDOWS\system32\schannel.dll 0x767F0000 0x00027000
C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00094000
C:\WINDOWS\system32\wdigest.dll 0x74380000 0x0000F000
C:\WINDOWS\system32\rsaenh.dll 0x0FFD0000 0x00028000
C:\WINDOWS\system32\setupapi.dll 0x77920000 0x000F3000
C:\WINDOWS\system32\scecli.dll 0x74410000 0x0002E000
C:\WINDOWS\system32\ipsecsvc.dll 0x743E0000 0x0002F000
C:\WINDOWS\system32\AUTHZ.dll 0x776C0000 0x00011000
C:\WINDOWS\system32\oakley.DLL 0x75D90000 0x000CE000
C:\WINDOWS\system32\WINIPSEC.DLL 0x74370000 0x0000B000
C:\WINDOWS\system32\mswsock.dll 0x71A50000 0x0003F000
C:\WINDOWS\system32\hnetcfg.dll 0x662B0000 0x00058000
C:\WINDOWS\System32\wshtcpip.dll 0x71A90000 0x00008000
C:\WINDOWS\system32\pstorsvc.dll 0x743A0000 0x0000B000
C:\WINDOWS\system32\psbase.dll 0x743C0000 0x0001B000
C:\WINDOWS\system32\dssenh.dll 0x68100000 0x00024000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x009D0000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000

7.a) lsass.exe Registry Activities

  Registry Keys Created Or Opened:  
HKLM\SOFTWARE\CLASSES

7.b) lsass.exe File Activities

  Device Control Communication:  
File Control Code Times
unnamed file 0x00228144 2

7.c) lsass.exe Process Activities

  Thread Overview:  
Time Number of threads
After 209 seconds 0

8. popupKiller.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: popupKiller.exe
MD5: b8ccbffde3c450d938921b77edd31e0c
SHA1: a1d5f57a6fb6871d35dd3545d752a43bd0fc4482
File Size: 183797 Bytes
Command Line: popupKiller.exe
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\COMCTL32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\comdlg32.dll 0x763B0000 0x00049000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\MPR.dll 0x71B20000 0x00012000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\WSOCK32.dll 0x71AD0000 0x00009000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\system32\wininet.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\Normaliz.dll 0x003A0000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\SETUPAPI.dll 0x77920000 0x000F3000
C:\WINDOWS\system32\MSCTF.dll 0x74720000 0x0004B000
C:\WINDOWS\system32\msctfime.ime 0x755C0000 0x0002E000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000

  SigBuster Output  
UPX All_Versions SN:1634

8.a) popupKiller.exe Process Activities

  Thread Overview:  
Time Number of threads
After 214 seconds 0

9. svchost.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: svchost.exe
MD5: 8f078ae4ed187aaabc0a305146de6716
SHA1: da0ff4006859a7580aba81f486f692dead2014fe
File Size: 14336 Bytes
Command Line: C:\WINDOWS\system32\svchost.exe k NetworkService
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
c:\windows\system32\dnsrslvr.dll 0x76770000 0x0000D000
c:\windows\system32\DNSAPI.dll 0x76F20000 0x00027000
c:\windows\system32\WS2_32.dll 0x71AB0000 0x00017000
c:\windows\system32\WS2HELP.dll 0x71AA0000 0x00008000
c:\windows\system32\iphlpapi.dll 0x76D60000 0x00019000
C:\WINDOWS\system32\mswsock.dll 0x71A50000 0x0003F000
C:\WINDOWS\system32\hnetcfg.dll 0x662B0000 0x00058000
C:\WINDOWS\System32\wshtcpip.dll 0x71A90000 0x00008000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x00730000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000

9.a) svchost.exe File Activities

  Device Control Communication:  
File Control Code Times
WMIDataDevice 0x00228144 2

9.b) svchost.exe Process Activities

  Thread Overview:  
Time Number of threads
After 217 seconds 1
After 226 seconds 0

10. svchost.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: svchost.exe
MD5: 8f078ae4ed187aaabc0a305146de6716
SHA1: da0ff4006859a7580aba81f486f692dead2014fe
File Size: 14336 Bytes
Command Line: C:\WINDOWS\system32\svchost k DcomLaunch
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000
C:\WINDOWS\AppPatch\AcGenral.DLL 0x6F880000 0x001CA000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\MSACM32.dll 0x77BE0000 0x00015000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B3000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\NTMARTA.DLL 0x77690000 0x00021000
C:\WINDOWS\system32\WLDAP32.dll 0x76F60000 0x0002C000
C:\WINDOWS\system32\SAMLIB.dll 0x71BF0000 0x00013000
c:\windows\system32\rpcss.dll 0x76A80000 0x00063000
c:\windows\system32\WS2_32.dll 0x71AB0000 0x00017000
c:\windows\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\xpsp2res.dll 0x20000000 0x002C5000
c:\windows\system32\termsrv.dll 0x760F0000 0x00053000
c:\windows\system32\ICAAPI.dll 0x74F70000 0x00006000
c:\windows\system32\SETUPAPI.dll 0x77920000 0x000F3000
C:\WINDOWS\system32\WINTRUST.dll 0x76C30000 0x0002E000
C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00094000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\IMAGEHLP.dll 0x76C90000 0x00028000
c:\windows\system32\AUTHZ.dll 0x776C0000 0x00011000
c:\windows\system32\mstlsapi.dll 0x75110000 0x0001F000
c:\windows\system32\ACTIVEDS.dll 0x77CC0000 0x00032000
c:\windows\system32\adsldpc.dll 0x76E10000 0x00025000
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00054000
c:\windows\system32\ATL.DLL 0x76B20000 0x00011000
C:\WINDOWS\system32\REGAPI.dll 0x76BC0000 0x0000F000
C:\WINDOWS\system32\rsaenh.dll 0x0FFD0000 0x00028000
C:\WINDOWS\system32\WTSAPI32.dll 0x76F50000 0x00008000
C:\WINDOWS\system32\WINSTA.dll 0x76360000 0x00010000
C:\WINDOWS\system32\msv1_0.dll 0x77C70000 0x00023000
C:\WINDOWS\system32\iphlpapi.dll 0x76D60000 0x00019000
C:\WINDOWS\system32\CLBCATQ.DLL 0x76FD0000 0x0007F000
C:\WINDOWS\system32\COMRes.dll 0x77050000 0x000C5000
C:\WINDOWS\system32\Apphelp.dll 0x77B40000 0x00022000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\Normaliz.dll 0x00C70000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\psapi.dll 0x76BF0000 0x0000B000

10.a) svchost.exe File Activities

  Device Control Communication:  
File Control Code Times
WMIDataDevice 0x00228144 2

10.b) svchost.exe Process Activities

  Thread Overview:  
Time Number of threads
After 229 seconds 1
After 237 seconds 0

11. jusched.exe

  General information about this executable  
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: jusched.exe
MD5: d4f0f7437327dbaa264338baafb5e5af
SHA1: c668421e98c76af8cd8542e6ca56992d6efe828f
File Size: 132496 Bytes
Command Line: "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
Process status at analysis end: alive
Exit Code: 0

  Loadtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000B0000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00047000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00090000
C:\WINDOWS\system32\WININET.dll 0x42C10000 0x000CF000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\Normaliz.dll 0x00330000 0x00009000
C:\WINDOWS\system32\iertutil.dll 0x42990000 0x00045000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00815000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CommonControls_6595b64144ccf1df_6.0.2600.2982_xww_ac3f9c03\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000

  Runtime Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\urlmon.dll 0x42CF0000 0x00124000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000