Appendix 4:
Sandbox Results From Running Conficker C
PEER TO PEER: We see what appears to be peer-to-peer activity shortly after the binary is run, within the first 3-5 minutes. It's not clear how these addresses are generated. Thousands of IP addresses are being contacted on high-order UDP and TCP ports. The UDP payload length ranges from 20 to 432 bytes.
EXAMPLE Conficker.C Port 80 HTTP Communications:
------------------------------------------------------
contents.192.168.1.40.1143 - 195.81.196.224.80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
Host: tuenti.com
Connection: Keep-Alive
------------------------------------------------------
contents.192.168.1.40.1153 - 124.225.65.154.80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/xaml+xml, */*
Accept-Language: en-GB
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: tianya.cn
Connection: Keep-Alive
------------------------------------------------------
contents.192.168.1.40.1157 - 77.73.32.121.80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/x-ms-xbap, */*
Accept-Language: en-US,de-DE;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: miniclip.com
Connection: Keep-Alive
Possible Kernel Rootkit Logic:
There may be rootkit activity in this binary.
eip=009a3939 caller=7c80b508
eip=009a660e caller=7c8021f6
eip=009aae64 caller=71ab2d07
eip=009aca48 caller=7c80b508
eip=009acee8 caller=7c80b508
eip=009adac4 caller=7c80b508
eip=009b1a08 caller=7c80b508
eip=009b1f68 caller=7c80b508
eip=009b2e04 caller=7c80b508
eip=009b4950 caller=7c80b508
FORENSICS:
Files Read:
C:\ntsvcs, Flags: Named pipe
Files Modified:
C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe
C:\WINDOWS\system32\config\SysEvent.Evt
C:\ntsvcs, Flags: Named pipe
Services Started:
RASMAN
Listening Ports:
45436/tcp
11930/tcp
TCP Connection Attempts:
41.63.35.12:63641
35.148.95.99:20062
205.113.84.253:49193
34.72.22.206:37003
199.188.170.143:51365
220.12.165.219:24306
81.128.230.194:25523
128.30.115.135:26832
TCP Connections Received
81.128.230.194:25523 to port 1044
128.30.115.135:26832 to port 1045
220.12.165.219:24306 to port 1042
35.148.95.99:20062 to port 1036
Mutexes Created:
CTF.Asm.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.Compart.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.LBES.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.Layouts.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.TMD.MutexDefaultS-1-5-21-1229272821-1004336348-527237240-1003
CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
RasPbFile
Deleted Files:
C:\DOCUME~1\user\LOCALS~1\Temp\tmp1.tmp
Created Files:
C:\DOCUME~1\user\LOCALS~1\Temp\tmp1.tmp
C:\DOCUME~1\user\LOCALS~1\Temp\{E2265BCE-F2F0-4B37-97FC-5206D930088E}
Read Files:
C:\WINDOWS\Registration\R00000000000f.clb
C:\WINDOWS\system32\rsaenh.dll
PIPE\ROUTER
PIPE\lsarpc
c:\autoexec.bat
Modified Files:
Ip
PIPE\ROUTER
PIPE\lsarpc
\Device\Afd\AsyncConnectHlp
\Device\Afd\Endpoint
\Device\Ip
\Device\Tcp
Created Directories:
C:\DOCUME~1\user\LOCALS~1\Temp\{E2265BCE-F2F0-4B37-97FC-5206D930088E}
File System Control Communication:
PIPE\lsarpc, Control Code: 0x0011C017, 31 times
PIPE\ROUTER, Control Code: 0x0011C017, 3 times
RegKeys Creates:
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840}
RegKeys Modified:
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings,
Value Name: ProxyEnable, New Value: 0
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List,
Value Name: 11930:TCP, New Value: 11930:TCP:*:Enabled:PackagesOffice MSDownloaded
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List,
Value Name: 45436:TCP, New Value: 45436:TCP:*:Enabled:PackagesOffice SpeechGames
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List,
Value Name: 48481:UDP, New Value: 48481:UDP:*:Enabled:PackagesOffice PagesPages
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List,
Value Name: 57338:UDP, New Value: 57338:UDP:*:Enabled:PackagesOffice MediaDistribution
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,
Value Name: Common AppData, New Value: C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840},
Value Name: MobilePolicy, New Value: 0xa95573eeeb6afa6da9e5c7821acab75688f69e571b1d655b891b6bad9ac7
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840},
Value Name: SpeechLogs, New Value: 0x5c5bdf50
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840},
Value Name: VideoRegistered, New Value: 0xebd815044ef7158cc16afccf1bf258a292adbccead310702
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,
Value Name: AppData, New Value: C:\Documents and Settings\user\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,
Value Name: Cache, New Value: C:\Documents and Settings\user\Local Settings\Temporary Internet Files
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,
Value Name: Cookies, New Value: C:\Documents and Settings\user\Cookies
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,
Value Name: History, New Value: C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840},
Value Name: MobilePolicy, New Value: 0xa95573eeeb6afa6da9e5c7821acab75688f69e571b1d655b891b6bad9ac7
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840},
Value Name: SpeechLogs, New Value: 0x5c5bdf50
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\{D500A7C0-F861-CA33-C05E-C39943F42840},
Value Name: VideoRegistered, New Value: 0xebd815044ef7158cc16afccf1bf258a292adbccead310702
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings,
Value Name: MigrateProxy, New Value: 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings,
Value Name: ProxyEnable, New Value: 0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections,
Value Name: SavedLegacySettings, New Value: 0x460000006800000001000000000000000000000000000000040000000000
RegKeys Read:
HKLM\SOFTWARE\CLASSES\CLSID\{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}\INPROCSERVER32,
HKLM\SOFTWARE\CLASSES\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\INPROCSERVER32,
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\,
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Cryptographic Provider v1.0,
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List,
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters,
HKLM\Software\Microsoft\COM3,
HKLM\Software\Microsoft\Cryptography,
HKLM\Software\Microsoft\Rpc\SecurityService,
HKLM\Software\Microsoft\Tracing,
HKLM\Software\Microsoft\Tracing\RASAPI32,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1004336348-527237240-1003,
HKLM\Software\Microsoft\Windows\CurrentVersion,
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content,
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies,
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History,
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName,
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll,
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll,
HKLM\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll,
HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm,
HKLM\System\CurrentControlSet\Control\ProductOptions,
HKLM\System\CurrentControlSet\Control\SecurityProviders,
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles,
HKLM\System\CurrentControlSet\Control\Session Manager\Environment,
HKLM\System\CurrentControlSet\Services\LDAP,
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010,
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011,
HKLM\System\Setup,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Environment,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012008051620080517,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections,
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Volatile Environment,
Loaded DLLS:
C:\WINDOWS\system32\ntdll.dll , 0x7C900000 , Size: 0x000AF000
C:\WINDOWS\system32\kernel32.dll , 0x7C800000 , Size: 0x000F6000
C:\WINDOWS\system32\advapi32.dll , 0x77DD0000 , Size: 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll , 0x77E70000 , Size: 0x00092000
C:\WINDOWS\system32\Secur32.dll , 0x77FE0000 , Size: 0x00011000
C:\WINDOWS\system32\msvcrt.dll , 0x77C10000 , Size: 0x00058000
C:\WINDOWS\system32\oleaut32.dll , 0x77120000 , Size: 0x0008B000
C:\WINDOWS\system32\GDI32.dll , 0x77F10000 , Size: 0x00049000
C:\WINDOWS\system32\USER32.dll , 0x7E410000 , Size: 0x00091000
C:\WINDOWS\system32\ole32.dll , 0x774E0000 , Size: 0x0013D000
C:\WINDOWS\system32\shell32.dll , 0x7C9C0000 , Size: 0x00817000
C:\WINDOWS\system32\SHLWAPI.dll , 0x77F60000 , Size: 0x00076000
C:\WINDOWS\system32\wininet.dll , 0x42C10000 , Size: 0x000CF000
C:\WINDOWS\system32\Normaliz.dll , 0x00400000 , Size: 0x00009000
C:\WINDOWS\system32\iertutil.dll , 0x42990000 , Size: 0x00045000
C:\WINDOWS\system32\ws2_32.dll , 0x71AB0000 , Size: 0x00017000
C:\WINDOWS\system32\WS2HELP.dll , 0x71AA0000 , Size: 0x00008000
C:\WINDOWS\system32\urlmon.dll , 0x42CF0000 , Size: 0x00127000
C:\WINDOWS\system32\IMM32.DLL , 0x76390000 , Size: 0x0001D000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll , 0x773D0000 , Size: 0x00103000
C:\WINDOWS\system32\comctl32.dll , 0x5D090000 , Size: 0x0009A000
Runtime Dlls:
C:\WINDOWS\system32\NETAPI32.dll, 0x5B860000, Size: 0x00055000
C:\WINDOWS\system32\hnetcfg.dll, 0x662B0000, Size: 0x00058000
C:\WINDOWS\system32\rsaenh.dll, 0x68000000, Size: 0x00036000
C:\WINDOWS\system32\mswsock.dll, 0x71A50000, Size: 0x0003F000
C:\WINDOWS\System32\wshtcpip.dll, 0x71A90000, Size: 0x00008000
C:\WINDOWS\system32\SAMLIB.dll, 0x71BF0000, Size: 0x00013000
C:\WINDOWS\system32\sensapi.dll, 0x722B0000, Size: 0x00005000
C:\WINDOWS\system32\MSCTF.dll, 0x74720000, Size: 0x0004C000
C:\WINDOWS\system32\USERENV.dll, 0x769C0000, Size: 0x000B4000
C:\WINDOWS\system32\WINMM.dll, 0x76B40000, Size: 0x0002D000
C:\WINDOWS\system32\iphlpapi.dll, 0x76D60000, Size: 0x00019000
C:\WINDOWS\system32\rtutils.dll, 0x76E80000, Size: 0x0000E000
C:\WINDOWS\system32\rasman.dll, 0x76E90000, Size: 0x00012000
C:\WINDOWS\system32\TAPI32.dll, 0x76EB0000, Size: 0x0002F000
C:\WINDOWS\system32\RASAPI32.dll, 0x76EE0000, Size: 0x0003C000
C:\WINDOWS\system32\WLDAP32.dll, 0x76F60000, Size: 0x0002C000
C:\WINDOWS\system32\CLBCATQ.DLL, 0x76FD0000, Size: 0x0007F000
C:\WINDOWS\system32\COMRes.dll, 0x77050000, Size: 0x000C5000
C:\WINDOWS\system32\NTMARTA.DLL, 0x77690000, Size: 0x00021000
C:\WINDOWS\system32\VERSION.dll, 0x77C00000, Size: 0x00008000
C:\WINDOWS\system32\msv1_0.dll, 0x77C70000, Size: 0x00024000
Memory Mapped Files:
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\NTMARTA.DLL
C:\WINDOWS\system32\RASAPI32.dll
C:\WINDOWS\system32\SAMLIB.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\crypt32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\system32\msv1_0.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll