Download Link: hxxp://codecbest.com/download/codecbest1000.exe
File Name: codecbest1000.exe
File size: 238636 bytes
MD5: eb3a53222f593580a9edd5d3656ea3aa
SHA1: 4b672d950455e6724f76f8bf251c5d9e28a2dafb
PEiD: -

VirusTotal Result: 12/32 (37.5%)
AntiVir: DR/Dldr.DNSChanger.Gen
AVG: DNSChanger.AA
BitDefender: Dropped:Trojan.Downloader.Zlob.ABOU
ClamAV: Trojan.Zlob-2395
F-Prot: W32/Trojan2.AIES
F-Secure: W32/Malware
Kaspersky: Trojan.Win32.DNSChanger.arn
Norman: W32/Malware
Prevx1: Generic.Dropper.xCodec
Symantec: Trojan.Zlob
VBA32: MalwareScope.Trojan.DnsChange.2
Webwasher-Gateway: Trojan.Dropper.Dldr.DNSChanger.Gen

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 47ACC8BC
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005E00
Size of initialized data: 00028400
Size of uninitialized data: 00000400
Address of entry point: 00003247
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0003E000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005CA2  00001000  00005E00  00000400  60000020
.rdata   0000129C  00007000  00001400  00006200  40000040
.data    00025C78  00009000  00000400  00007600  C0000040
.ndata   0000A000  0002F000  00000000  00000000  C0000080
.rsrc    000041F8  00039000  00004200  00007A00  40000040

Import table (libraries: 8)

KERNEL32.dll (imports: 59)
CompareFileTime SearchPathA GetShortPathNameA GetFullPathNameA MoveFileA SetCurrentDirectoryA GetFileAttributesA GetLastError CreateDirectoryA SetFileAttributesA Sleep GetTickCount CreateFileA GetFileSize GetModuleFileNameA GetCurrentProcess CopyFileA ExitProcess SetFileTime GetTempPathA GetCommandLineA SetErrorMode LoadLibraryA lstrcpynA GetDiskFreeSpaceA GlobalUnlock GlobalLock CreateThread CreateProcessA RemoveDirectoryA GetTempFileNameA lstrlenA lstrcatA GetSystemDirectoryA GetVersion CloseHandle lstrcmpiA lstrcmpA ExpandEnvironmentStringsA GlobalFree GlobalAlloc WaitForSingleObject GetExitCodeProcess GetModuleHandleA LoadLibraryExA GetProcAddress FreeLibrary MultiByteToWideChar WritePrivateProfileStringA GetPrivateProfileStringA WriteFile ReadFile MulDiv SetFilePointer FindClose FindNextFileA FindFirstFileA DeleteFileA GetWindowsDirectoryA

USER32.dll (imports: 62)
EndDialog ScreenToClient GetWindowRect EnableMenuItem GetSystemMenu SetClassLongA IsWindowEnabled SetWindowPos GetSysColor GetWindowLongA SetCursor LoadCursorA CheckDlgButton GetMessagePos LoadBitmapA CallWindowProcA IsWindowVisible CloseClipboard SetClipboardData EmptyClipboard RegisterClassA TrackPopupMenu AppendMenuA CreatePopupMenu GetSystemMetrics SetDlgItemTextA GetDlgItemTextA MessageBoxIndirectA CharPrevA DispatchMessageA PeekMessageA DestroyWindow CreateDialogParamA SetTimer SetWindowTextA PostQuitMessage SetForegroundWindow wsprintfA SendMessageTimeoutA FindWindowExA SystemParametersInfoA CreateWindowExA GetClassInfoA DialogBoxParamA CharNextA OpenClipboard ExitWindowsEx IsWindow GetDlgItem SetWindowLongA LoadImageA GetDC EnableWindow InvalidateRect SendMessageA DefWindowProcA BeginPaint GetClientRect FillRect DrawTextA EndPaint ShowWindow

GDI32.dll (imports: 8)
SetBkColor GetDeviceCaps DeleteObject CreateBrushIndirect CreateFontIndirectA SetBkMode SetTextColor SelectObject

SHELL32.dll (imports: 6)
SHGetPathFromIDListA SHBrowseForFolderA SHGetFileInfoA ShellExecuteA SHFileOperationA SHGetSpecialFolderLocation

ADVAPI32.dll (imports: 9)
RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA

COMCTL32.dll (imports: 4)
ImageList_AddMasked ImageList_Destroy #17 ImageList_Create

ole32.dll (imports: 4)
CoTaskMemFree OleInitialize OleUninitialize CoCreateInstance

VERSION.dll (imports: 3)
GetFileVersionInfoSizeA GetFileVersionInfoA VerQueryValueA

File Activities:
Filename C:\file.exe
Filesize 238636 bytes
MD5 eb3a53222f593580a9edd5d3656ea3aa

File System Activities:
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsv2.tmp
Get File Attributes: C:\file.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\file.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsv4.tmp
Find File: C:\Program Files\VideoKey\Uninstall.exe
Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\dcryptdll.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\dcryptdll.dll
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\dcryptdll.dll
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe ()
Find File: notepad.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\nsExec.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\nsExec.dll
Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\nsExec.dll to C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\ns12.tmp
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\ns12.tmp (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\ns12.tmp ()
Find File: ns12.tmp
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\ns12.tmp
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\lzma.exe
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp
Find File: C:\DOCUME~1\Sandbox\LOCALS~1
Find File: C:\DOCUME~1\Sandbox
Find File: C:\DOCUME~1
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\modern-header.bmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\modern-header.bmp
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\modern-header.bmp
Read INI File: WIN.INI [windows] ScrollInset =
Read INI File: WIN.INI [windows] DragDelay =
Read INI File: WIN.INI [windows] DragMinDist =
Read INI File: WIN.INI [windows] ScrollDelay =
Read INI File: WIN.INI [windows] ScrollInterval =
Read INI File: WIN.INI [richedit30] flags =

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentVersion"

Process Management:
Creates Process - Filename () CommandLine: (C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe) As User: () Creation Flags: ()
Creates Process - Filename () CommandLine: ("C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\ns12.tmp" C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe) As User: () Creation Flags: (CREATE_NEW_CONSOLE)
Kill Process - Filename () CommandLine: () Target PID: (564) As User: () Creation Flags: ()

System Info:
Get System Directory

Window:
Find Window - Class Name (#32770) Window Name ()
Enum Windows:
Destroy Window - Class Name () Window Name ()

Process Started:
Process ID 540
Filename C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Filesize 31232 bytes
MD5 0d2f140a7e2bd5825d14ee045e08f13e
Start Reason CreateProcess

Registry Changes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C51A8B3-4A78-4F92-B263-F3EBD00BC468} "NameServer" = 85.255.113.202,85.255.112.223
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C51A8B3-4A78-4F92-B263-F3EBD00BC468} "DhcpNameServer" = 85.255.113.202,85.255.112.223
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "DhcpNameServer" = 85.255.113.202 85.255.112.223
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters "NameServer" = 85.255.113.202 85.255.112.223
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B3FF1D8B-F0BC-4E34-899F-222974ED04EB} "NameServer" = 85.255.113.202,85.255.112.223
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B3FF1D8B-F0BC-4E34-899F-222974ED04EB} "DhcpNameServer" = 85.255.113.202,85.255.112.223

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp "IpConfig"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C51A8B3-4A78-4F92-B263-F3EBD00BC468} "NameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\{B3FF1D8B-F0BC-4E34-899F-222974ED04EB} "IpConfig"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B3FF1D8B-F0BC-4E34-899F-222974ED04EB} "NameServer"

Registry Enums:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters

Process Management:
Kill Process - Filename () CommandLine: () Target PID: (540) As User: () Creation Flags: ()

Process Started:
Process ID 564
Filename C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsvA.tmp\ns12.tmp C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Filesize 6144 bytes
MD5 886cbcd0829ffb358168911f9cb1b149
Start Reason CreateProcess

File System Activities:
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe ()
Find File: calc.exe

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename () CommandLine: (C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe) As User: () Creation Flags: ()

Process Started:
Process ID 600
Filename C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Filesize 65024 bytes
MD5 7e17cdb4df31e42055faecdb4f0524cd
Start Reason CreateProcess

File System Activities:
Create/Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32\kdqtn.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe to C:\WINDOWS\system32\kdqtn.exe
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kdqtn.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\kdqtn.exe

Registry Changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "System" = kdqtn.exe

Process Management:
Enum Processes
Enum Modules - Target PID: (4)
Enum Modules - Target PID: (572)
Enum Modules - Target PID: (620)
Enum Modules - Target PID: (648)
Enum Modules - Target PID: (728)
Enum Modules - Target PID: (756)
Enum Modules - Target PID: (764)
Enum Modules - Target PID: (952)
Enum Modules - Target PID: (1024)
Enum Modules - Target PID: (1208)
Enum Modules - Target PID: (1324)
Enum Modules - Target PID: (1468)
Enum Modules - Target PID: (1508)
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (572)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (620)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (648)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (728)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (756)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (764)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (952)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1024)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1208)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1324)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1468)
Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1508)

System Info:
Get System Directory
Get Windows Directory
Enum Handles:

Threads:
Create Remote Thread - Target PID (620) Thread ID (1768) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)

Process Started:
Process ID 620
Filename C:\WINDOWS\system32\csrss.exe
Filesize -1 bytes
Start Reason InjectedCode

Process Management:
Enum Processes
Enum Modules - Target PID: (4)
Enum Modules - Target PID: (572)
Enum Modules - Target PID: (620)
Enum Modules - Target PID: (648)
Enum Modules - Target PID: (728)
Enum Modules - Target PID: (756)
Enum Modules - Target PID: (764)
Enum Modules - Target PID: (952)
Enum Modules - Target PID: (1024)
Enum Modules - Target PID: (1208)
Enum Modules - Target PID: (1324)
Enum Modules - Target PID: (1468)
Enum Modules - Target PID: (1508)
Enum Modules - Target PID: (600)
Enum Modules - Target PID: (904)
Enum Modules - Target PID: (1552)
Enum Modules - Target PID: (1664)
Enum Modules - Target PID: (468)
Enum Modules - Target PID: (448)
Enum Modules - Target PID: (1820)
Enum Modules - Target PID: (608)
Enum Modules - Target PID: (2044)
Enum Modules - Target PID: (984)
Enum Modules - Target PID: (392)
Enum Modules - Target PID: (1196)
Enum Modules - Target PID: (1268)
Enum Modules - Target PID: (372)
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (572)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (648)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (728)
Open Process - Filename (C:\WINDOWS\system32\savedump.exe) Target PID: (756)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (764)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (952)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1024)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1208)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1324)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1468)
Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1508)

Threads:
Create Remote Thread - Target PID (648) Thread ID (1084) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (728) Thread ID (1428) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (756) Thread ID (1576) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (764) Thread ID (816) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (904) Thread ID (1104) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (952) Thread ID (1992) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1024) Thread ID (1924) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1208) Thread ID (1976) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1324) Thread ID (2060) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1468) Thread ID (2080) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1508) Thread ID (2100) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1552) Thread ID (2124) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1552) Thread ID (2140) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1664) Thread ID (2156) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (448) Thread ID (2176) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (448) Thread ID (2180) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1820) Thread ID (2184) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1820) Thread ID (2188) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (608) Thread ID (2192) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (608) Thread ID (2196) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (984) Thread ID (2200) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (984) Thread ID (2204) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (392) Thread ID (2208) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (392) Thread ID (2212) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1196) Thread ID (2216) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1196) Thread ID (2220) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1268) Thread ID (2224) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (1268) Thread ID (2228) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (372) Thread ID (2232) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (372) Thread ID (2236) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (572) Thread ID (2240) Thread ID ($7C910331) Parameter Address ($00000000) Creation Flags (CREATE_SUSPENDED)
Create Remote Thread - Target PID (572) Thread ID (2244) Thread ID ($00000000) Parameter Address ($00000001) Creation Flags (CREATE_SUSPENDED)

Process Started:
Process ID 648
Filename C:\WINDOWS\system32\winlogon.exe
Filesize -1 bytes
Start Reason InjectedCode

Process Started:
Process ID 728
Filename C:\WINDOWS\system32\services.exe
Filesize 108032 bytes
MD5 c6ce6eec82f187615d1002bb3bb50ed4
Start Reason InjectedCode

Process Management:
Create Process As User - Filename () CommandLine: (C:\WINDOWS\system32\svchost -k rpcss) Target PID: (2324) As User: (NETWORK SERVICE) Creation Flags: (CREATE_SUSPENDED,CREATE_UNICODE_ENVIRONMENT,DETACHED_PROCESS)
Create Process As User - Filename () CommandLine: (C:\WINDOWS\system32\svchost -k rpcss) Target PID: (2332) As User: (NETWORK SERVICE) Creation Flags: (CREATE_SUSPENDED,CREATE_UNICODE_ENVIRONMENT,DETACHED_PROCESS)
Create Process As User - Filename () CommandLine: (C:\WINDOWS\system32\svchost -k rpcss) Target PID: (2352) As User: (NETWORK SERVICE) Creation Flags: (CREATE_SUSPENDED,CREATE_UNICODE_ENVIRONMENT,DETACHED_PROCESS)

Process Started:
Process ID 756
Filename C:\WINDOWS\system32\savedump.exe
Filesize 13312 bytes
MD5 910362f6bfc1f0832691ed3bad8ecdd5
Start Reason InjectedCode

Process Started:
Process ID 764
Filename C:\WINDOWS\system32\lsass.exe
Filesize 13312 bytes
MD5 84885f9b82f4d55c6146ebf6065d75d2
Start Reason InjectedCode

Process Started:
Process ID 904
Filename C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
Filesize 741248 bytes
MD5 d5b7d1f68eaf46d0443d4db41398f161
Start Reason InjectedCode

Process Started:
Process ID 952
Filename C:\WINDOWS\system32\svchost.exe
Filesize 14336 bytes
MD5 8f078ae4ed187aaabc0a305146de6716
Start Reason InjectedCode

Process Started:
Process ID 1024
Filename C:\WINDOWS\system32\svchost.exe
Filesize 14336 bytes
MD5 8f078ae4ed187aaabc0a305146de6716
Start Reason InjectedCode

Process Started:
Process ID 1208
Filename C:\WINDOWS\System32\svchost.exe
Filesize 14336 bytes
MD5 8f078ae4ed187aaabc0a305146de6716
Start Reason InjectedCode

Process Started:
Process ID 1324
Filename C:\WINDOWS\system32\svchost.exe
Filesize 14336 bytes
MD5 8f078ae4ed187aaabc0a305146de6716
Start Reason InjectedCode

Process Started:
Process ID 1468
Filename C:\WINDOWS\system32\svchost.exe
Filesize 14336 bytes
MD5 8f078ae4ed187aaabc0a305146de6716
Start Reason InjectedCode

Process Started:
Process ID 1508
Filename C:\WINDOWS\system32\userinit.exe
Filesize 24576 bytes
MD5 52f083e459320abdf2e91eb8791fa1c2
Start Reason InjectedCode

Process Started:
Process ID 1552
Filename C:\WINDOWS\Explorer.exe
Filesize 1032192 bytes
MD5 a0732187050030ae399b241436565e64
Start Reason InjectedCode

Process Started:
Process ID 1552
Filename C:\WINDOWS\Explorer.exe
Filesize 1032192 bytes
MD5 a0732187050030ae399b241436565e64
Start Reason InjectedCode

Process Started:
Process ID 1664
Filename C:\WINDOWS\system32\spoolsv.exe
Filesize 57856 bytes
MD5 ad3d9d191aea7b5445fe1d82ffbb4788
Start Reason InjectedCode